LinuxQuestions.org > Linux - Security > Is IPtables not working??BruteForce on 80 (https://www.linuxquestions.org/questions/linux-security-4/is-iptables-not-working-bruteforce-on-80-a-706374/)

aq_mishu 02-21-2009 03:08 AM

Is IPtables not working??BruteForce on 80
 
Guys!!
I'm experiencing a severe brute-force attack from the IP 92.48.127.153 on my port 80 (http).

I have set up iptables as follows...

Code:

iptables -A INPUT -i eth0 -s 92.48.127.153 -j REJECT

And finally ran:
Code:

service iptables save
service iptables restart

And then iptables -nvL shows it...
Code:

    0    0 REJECT    all  --  eth0  *      92.48.127.153        0.0.0.0/0          reject-with icmp-port-unreachable

Now please help me... I want to get rid of this guy....

JulianTosh 02-21-2009 03:16 AM

use -j DROP instead

aq_mishu 02-21-2009 03:24 AM

Did so... nothing... the guy can still access... I can see the httpd logs in real time...

aq_mishu 02-21-2009 03:33 AM

this is current..

0 0 DROP all -- eth0 * 92.48.127.153 202.53.171.50

but nothing... he is still accessing... all I can do now is just unplug the cable...

JulianTosh 02-21-2009 03:39 AM

please post the output of

ifconfig -eth0

you might have your input/output src/dst mixed up.

aq_mishu 02-21-2009 03:42 AM

ifconfig -eth0
eth0 Link encap:Ethernet HWaddr 00:50:BF:9C:ED:B7
inet addr:202.53.171.50 Bcast:202.53.171.55 Mask:255.255.255.248
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:564 errors:0 dropped:0 overruns:0 frame:0
TX packets:512 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
Interrupt:3 Base address:0x1c00

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:61 errors:0 dropped:0 overruns:0 frame:0
TX packets:61 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0

aq_mishu 02-21-2009 03:42 AM

iptables -nL
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW multiport dports 80,443,21,30
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state NEW icmp type 8
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 10.0.0.0/8 0.0.0.0/0
DROP all -- 172.16.0.0/12 0.0.0.0/0
DROP all -- 192.168.0.0/16 0.0.0.0/0
DROP all -- 220.177.248.174 0.0.0.0/0
DROP all -- 222.92.117.19 0.0.0.0/0
DROP all -- 92.48.127.153 202.53.171.50

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW multiport dports 25,80,443,21,30
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state NEW icmp type 8
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

==============================

iptables -A INPUT -i eth0 -d 202.53.171.50 -s 92.48.127.153 -j DROP

was used

JulianTosh 02-21-2009 03:50 AM

Your default input policy is drop, but you have an accept everything in there:
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

JulianTosh 02-21-2009 03:52 AM

you can kill it with fire by finding the line number and deleting the rule

iptables -nL --line-numbers

and

iptables -D INPUT <rule number>

JulianTosh 02-21-2009 03:57 AM

further, with a default policy of drop, those drop rules are useless and can be deleted.

might want to check out your drop chain as well.

aq_mishu 02-21-2009 04:00 AM

did not understand...
iptables -nL
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW multiport dports 80,443,21,30
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state NEW icmp type 8
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 10.0.0.0/8 0.0.0.0/0
DROP all -- 172.16.0.0/12 0.0.0.0/0
DROP all -- 192.168.0.0/16 0.0.0.0/0
DROP all -- 220.177.248.174 0.0.0.0/0
DROP all -- 222.92.117.19 0.0.0.0/0
DROP all -- 92.48.127.153 202.53.171.50

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW multiport dports 25,80,443,21,30
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state NEW icmp type 8
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
====================================
Now how do line-numbers work?? I have already rebooted after applying the iptables rules. I think the firewall is not working as it was supposed to...

aq_mishu 02-21-2009 04:02 AM

iptables -nL
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW multiport dports 80,443,21,30
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state NEW icmp type 8
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 10.0.0.0/8 0.0.0.0/0
DROP all -- 172.16.0.0/12 0.0.0.0/0
DROP all -- 192.168.0.0/16 0.0.0.0/0
DROP all -- 220.177.248.174 0.0.0.0/0
DROP all -- 222.92.117.19 0.0.0.0/0
DROP all -- 92.48.127.153 202.53.171.50

Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW multiport dports 25,80,443,21,30
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state NEW icmp type 8
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
============================================
Now what?? Actually I think it's not working, or maybe it's an understanding problem....

JulianTosh 02-21-2009 04:10 AM

Your drop statements are never firing because of the last "ACCEPT all -- 0.0.0.0/0 0.0.0.0/0". That allows everything regardless of protocol, address or state. You basically don't have a firewall at this point. Delete that line and you're good to go.

If you post your rules using "--line-numbers" I'll tell you exactly which one to get rid of...
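An added example to make the first-match point concrete (this is not code posted by anyone in the thread). It parses the INPUT chain exactly as pasted above (the listing is constructed here from that post), walks it in order the way netfilter does, reports which rule a packet hits, lists the rules that can never fire because the catch-all ACCEPT precedes them, and models the two commands suggested in the thread: "iptables -D INPUT <n>" to delete a rule by its --line-numbers position, and "iptables -I INPUT 1 ..." to insert one at the top. It only understands the match fields that occur in this listing (proto, source, destination, state, dpt/dports, icmp type); packet dictionaries, the helper names and the insert/delete modelling are assumptions of this example, not a reimplementation of iptables.

```python
"""Simulate netfilter first-match evaluation over an `iptables -nL` listing.

Added example for this thread; not code from the thread or from iptables.
Match semantics cover only the fields present in the pasted chain.
"""
import ipaddress
import re

# Constructed from the INPUT chain pasted in the thread.
SAMPLE_LISTING = """\
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW multiport dports 80,443,21,30
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state NEW icmp type 8
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 10.0.0.0/8 0.0.0.0/0
DROP all -- 172.16.0.0/12 0.0.0.0/0
DROP all -- 192.168.0.0/16 0.0.0.0/0
DROP all -- 220.177.248.174 0.0.0.0/0
DROP all -- 222.92.117.19 0.0.0.0/0
DROP all -- 92.48.127.153 202.53.171.50
"""


def _net(text):
    # A bare host in `iptables -nL` output is a /32.
    return ipaddress.ip_network(text if "/" in text else text + "/32")


def parse_rule(line):
    """Parse one rule line (target prot opt source destination [matches])."""
    parts = line.split()
    target, proto, src, dst = parts[0], parts[1], parts[3], parts[4]
    extra = " ".join(parts[5:])
    rule = {"target": target, "proto": proto, "src": _net(src), "dst": _net(dst),
            "states": None, "dports": None, "icmp_type": None, "raw": line}
    m = re.search(r"state (\S+)", extra)
    if m:
        rule["states"] = set(m.group(1).split(","))
    m = re.search(r"dpt:(\d+)", extra) or re.search(r"dports ([\d,]+)", extra)
    if m:
        rule["dports"] = {int(p) for p in m.group(1).split(",")}
    m = re.search(r"icmp type (\d+)", extra)
    if m:
        rule["icmp_type"] = int(m.group(1))
    return rule


def parse_chain(listing, chain="INPUT"):
    """Return (policy, [rules]) for one chain of an `iptables -nL` listing."""
    policy, rules, in_chain = None, [], False
    for line in listing.splitlines():
        m = re.match(r"Chain (\S+) \(policy (\S+)\)", line)
        if m:
            in_chain = m.group(1) == chain
            if in_chain:
                policy = m.group(2)
            continue
        if in_chain and line.strip() and not line.startswith("target"):
            rules.append(parse_rule(line))
    return policy, rules


def matches(rule, pkt):
    """Does this rule match a packet dict (proto, src, dst, state, dport, icmp_type)?"""
    if rule["proto"] != "all" and rule["proto"] != pkt["proto"]:
        return False
    if ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if ipaddress.ip_address(pkt["dst"]) not in rule["dst"]:
        return False
    if rule["states"] and pkt["state"] not in rule["states"]:
        return False
    if rule["dports"] and pkt.get("dport") not in rule["dports"]:
        return False
    if rule["icmp_type"] is not None and pkt.get("icmp_type") != rule["icmp_type"]:
        return False
    return True


def evaluate(policy, rules, pkt):
    """First match wins; returns (verdict, 1-based rule number) or (policy, None)."""
    for n, rule in enumerate(rules, 1):
        if matches(rule, pkt):
            return rule["target"], n
    return policy, None


def is_catch_all(rule):
    return (rule["proto"] == "all" and rule["src"].prefixlen == 0 and rule["dst"].prefixlen == 0
            and not rule["states"] and not rule["dports"] and rule["icmp_type"] is None)


def shadowed_rules(rules):
    """Rule numbers that can never fire: everything after the first catch-all terminating rule."""
    for n, rule in enumerate(rules, 1):
        if is_catch_all(rule) and rule["target"] in ("ACCEPT", "DROP", "REJECT"):
            return list(range(n + 1, len(rules) + 1))
    return []


def delete_rule(rules, n):          # models `iptables -D INPUT n` (assumed helper)
    return rules[:n - 1] + rules[n:]


def insert_rule(rules, n, line):    # models `iptables -I INPUT n ...` (assumed helper)
    return rules[:n - 1] + [parse_rule(line)] + rules[n - 1:]


if __name__ == "__main__":
    policy, rules = parse_chain(SAMPLE_LISTING)
    web = {"proto": "tcp", "src": "92.48.127.153", "dst": "202.53.171.50", "state": "NEW", "dport": 80}
    print("as posted, port 80:", evaluate(policy, rules, web))
    print("shadowed by catch-all:", shadowed_rules(rules))
    fixed = delete_rule(rules, 5)
    print("after -D INPUT 5, port 80:", evaluate(policy, fixed, web))
    front = insert_rule(fixed, 1, "DROP all -- 92.48.127.153 0.0.0.0/0")
    print("after -I INPUT 1 DROP, port 80:", evaluate(policy, front, web))
```

Running it shows two things. First, rules 6 to 11 are unreachable while rule 5 ("ACCEPT all") sits above them, which is the diagnosis given in the thread. Second, a NEW TCP packet to port 80 from 92.48.127.153 is accepted by the multiport rule at line 3 before the appended DROP at line 11 is ever consulted, so deleting the catch-all alone blocks that source on other ports but not on port 80; a source-specific DROP has to be inserted ahead of the port-80 ACCEPT (with -I rather than -A) to take effect for web traffic.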

