Topic: How do I remove a blocked IP from IPTables

[pistonpilot]

I have an ip address that IP Tables is blocking.  I wasn't aware of any intrustion detection in 7.3 but there obviously is as his address is blocked.  We were trying to setup FTP access with a different chroot and the contrib wasn't working as I expected.  He got denied too many times.

How do I remove him from IPtables, he can't even ping the server anymore.

2008-10-13 16:56:10.451041500 Oct 13 16:56:10 server denylog: IN=eth0 OUT= MAC=00:1e:c9:5b:b7:bf:00:13:f7:86:de:55:08:00  SRC=208.251.219.107 DST=10.1.10.252 LEN=48 TOS=00 PREC=0x20 TTL=114 ID=120 DF PROTO=TCP SPT=1113 DPT=22 SEQ=1827465126 ACK=0 WINDOW=65535 SYN URGP=0
2008-10-13 16:56:13.508664500 Oct 13 16:56:13 server denylog: IN=eth0 OUT= MAC=00:1e:c9:5b:b7:bf:00:13:f7:86:de:55:08:00  SRC=208.251.219.107 DST=10.1.10.252 LEN=48 TOS=00 PREC=0x20 TTL=114 ID=683 DF PROTO=TCP SPT=1113 DPT=22 SEQ=1827465126 ACK=0 WINDOW=65535 SYN URGP=0
2008-10-13 16:56:19.526100500 Oct 13 16:56:19 server denylog: IN=eth0 OUT= MAC=00:1e:c9:5b:b7:bf:00:13:f7:86:de:55:08:00  SRC=208.251.219.107 DST=10.1.10.252 LEN=48 TOS=00 PREC=0x20 TTL=114 ID=1524 DF PROTO=TCP SPT=1113 DPT=22 SEQ=1827465126 ACK=0 WINDOW=65535 SYN URGP=0
2008-10-13 16:57:19.327316500 Oct 13 16:57:19 server denylog: IN=eth0 OUT= MAC=00:1e:c9:5b:b7:bf:00:13:f7:86:de:55:08:00  SRC=208.251.219.107 DST=10.1.10.252 LEN=48 TOS=00 PREC=0x20 TTL=114 ID=9958 DF PROTO=TCP SPT=1650 DPT=22 SEQ=3514714588 ACK=0 WINDOW=65535 SYN URGP=0
2008-10-13 16:57:22.197012500 Oct 13 16:57:22 server denylog: IN=eth0 OUT= MAC=00:1e:c9:5b:b7:bf:00:13:f7:86:de:55:08:00  SRC=208.251.219.107 DST=10.1.10.252 LEN=48 TOS=00 PREC=0x20 TTL=114 ID=10349 DF PROTO=TCP SPT=1650 DPT=22 SEQ=3514714588 ACK=0 WINDOW=65535 SYN URGP=0
2008-10-13 16:57:28.213124500 Oct 13 16:57:28 server denylog: IN=eth0 OUT= MAC=00:1e:c9:5b:b7:bf:00:13:f7:86:de:55:08:00  SRC=208.251.219.107 DST=10.1.10.252 LEN=48 TOS=00 PREC=0x20 TTL=114 ID=11157 DF PROTO=TCP SPT=1650 DPT=22 SEQ=3514714588 ACK=0 WINDOW=65535 SYN URGP=0
2008-10-13 16:58:18.375665500 Oct 13 16:58:18 server denylog: IN=eth0 OUT= MAC=00:1e:c9:5b:b7:bf:00:13:f7:86:de:55:08:00  SRC=208.251.219.107 DST=10.1.10.252 LEN=48 TOS=00 PREC=0x20 TTL=114 ID=18182 DF PROTO=TCP SPT=2108 DPT=22 SEQ=80293186 ACK=0 WINDOW=65535 SYN URGP=0
2008-10-13 16:58:21.284856500 Oct 13 16:58:21 server denylog: IN=eth0 OUT= MAC=00:1e:c9:5b:b7:bf:00:13:f7:86:de:55:08:00  SRC=208.251.219.107 DST=10.1.10.252 LEN=48 TOS=00 PREC=0x20 TTL=114 ID=18597 DF PROTO=TCP SPT=2108 DPT=22 SEQ=80293186 ACK=0 WINDOW=65535 SYN URGP=0
2008-10-13 16:58:27.385906500 Oct 13 16:58:27 server denylog: IN=eth0 OUT= MAC=00:1e:c9:5b:b7:bf:00:13:f7:86:de:55:08:00  SRC=208.251.219.107 DST=10.1.10.252 LEN=48 TOS=00 PREC=0x20 TTL=114 ID=19437 DF PROTO=TCP SPT=2108 DPT=22 SEQ=80293186 ACK=0 WINDOW=65535 SYN URGP=0
2008-10-13 17:06:22.234993500 Oct 13 17:06:22 server denylog: IN=eth0 OUT= MAC=00:1e:c9:5b:b7:bf:00:13:f7:86:de:55:08:00  SRC=208.251.219.107 DST=10.1.10.252 LEN=48 TOS=00 PREC=0x20 TTL=114 ID=21182 DF PROTO=TCP SPT=1854 DPT=22 SEQ=3397242308 ACK=0 WINDOW=65535 SYN URGP=0
2008-10-13 17:06:25.256990500 Oct 13 17:06:25 server denylog: IN=eth0 OUT= MAC=00:1e:c9:5b:b7:bf:00:13:f7:86:de:55:08:00  SRC=208.251.219.107 DST=10.1.10.252 LEN=48 TOS=00 PREC=0x20 TTL=114 ID=21580 DF PROTO=TCP SPT=1854 DPT=22 SEQ=3397242308 ACK=0 WINDOW=65535 SYN URGP=0

[CharlieBrady]

I have an ip address that IP Tables is blocking.  I wasn't aware of any intrustion detection in 7.3 but there obviously is as his address is blocked.  We were trying to setup FTP access with a different chroot and the contrib wasn't working as I expected.  He got denied too many times.

How do I remove him from IPtables, he can't even ping the server anymore.

2008-10-13 16:56:10.451041500 Oct 13 16:56:10 server denylog: IN=eth0 OUT= MAC=00:1e:c9:5b:b7:bf:00:13:f7:86:de:55:08:00  SRC=208.251.219.107 DST=10.1.10.252 LEN=48 TOS=00 PREC=0x20 TTL=114 ID=120 DF PROTO=TCP SPT=1113 DPT=22 SEQ=1827465126 ACK=0 WINDOW=65535 SYN URGP=0

The logs show that he/she is trying to log in via SSH (port 22), and you have SSH disabled or set to private (LAN) access only.

[pistonpilot]

That would be a great solution if true, but SSH is enabled on 45321 and not just for local networks.  Ok - so it doesn't mean he is blocked - thank you.

[CharlieBrady]

That would be a great solution if true, but SSH is enabled on 45321 and not just for local networks.  Ok - so it doesn't mean he is blocked - thank you.

He *is* blocked, as is anyone else attempting to connect on port 22.

There is no IP blacklist, however - all non-local addresses are treated equally.

[janet]

pistonpilot

As Charlie has said:
The logs show that he/she is trying to log in via SSH (port 22), and you have SSH disabled or set to private (LAN) access only.

Have you enabled ssh access in server manager Remote Access panel, and enabled public access ?
If still disabled then ssh is blocked (by the firewall).

Also if a different port has been set (45321 in server manager) then your ssh client will also need to be configured to use that port.

[pistonpilot]

I don't know IPtables.  SSH is enabled on aother port.  My client still can't get in, can't ping - but could before.

It doesn't appear to be SME server doing it so back to him.

Thanks,

[CharlieBrady]

I don't know IPtables.  SSH is enabled on aother port.  My client still can't get in, can't ping - but could before.

If your client is 208.251.219.107 then iptables is blocking him, but that's because he is using port 22. Is there some reason you don't believe me?

[pistonpilot]

Let's be very exact:

IPtables is not blocking my client.  That is the good news.
IPtables blocked my client appropriately.  That is also good news.
IPtables is not actively blocking my client from the server.  That too is good news.

The problem is somewhere at my client's end, not mine.   Also good news.

[Stefano]

Let's be very exact:

IPtables is not blocking my client.  That is the good news.
IPtables blocked my client appropriately.  That is also good news.
IPtables is not actively blocking my client from the server.  That too is good news.

The problem is somewhere at my client's end, not mine.   Also good news.

if ssh is listening on 45321, then tell your client to stop doing

Code: [Select]

ssh yourhost

and start doing

Code: [Select]

ssh -p 45321 yourhost

easy, isn't it?

Ciao
Stefano

[pistonpilot]

Yes, it is very easy and exactly what I just wrote above.