I keep getting these nice authentication failures that have a hostname of:
rhost=50-56-125-156.static.cloud-ips.com


I am trying to find out what the correct IP address range to block to filter all incoming connections to my network from the static.cloud-ips.com network..

So far I have been unsuccessful in finding out what there network address really is.

Whois didn't give much info,
nslookup has nothing,
dig had very little helpfull info.

WHOIS (whob) says:
Organization: Rackspace (+Slicehost)
AS: 19994
Prefix: 50.56.0.0/17
..which ROBTEX confirms.

Thanks..
I tried to use just whois..

Actually that's not true. static.cloud-ips.com serves 3 prefixes: 50.56.128.0/17, 207.97.192.0/18 and 67.23.0.0/19, all Rackspace. I'm not saying that's complete wrt prefix coverage or that there aren't any other ranges in other ASN's.

1 members found this post helpful.

Ill block all those too. Kinda strange that nothing is done about people abusing that service though. I seen plenty of articals on the internet complaining about people hiding behind cloud ip serveries doing this...

Practically speaking if you're going to block ranges or whole net blocks then for "established" ranges things don't change around but otherwise 0) be sure to check regularly if they're still valid and if there are any holes in a range and 1) don't clog up your filter table input chain with it but use the raw table. Even better: use ipset. It makes managing rules virtually painless.


Sorry, doing what exactly? (Examples?)

well I got about 5000 hits from random addresses on there network, trying to brute force my SSH service.
Other people have other types of break in attempts they were reporting...

In attempt to answer the question you didn't ask: this type of occurrence underscores the importance of properly securing your system and applying your security in layers. By your post, I assume that you mean SSH authentication failures. While blocking the whole IP ranges may help cut down on some of the clutter, it does come with potential downsides and possible unintended consequences. For example, you may say that you would never login from XYZ domain, which may be true until you are staying at a hotel somewhere. Second, if these addresses are spoofed or making use of compromised systems, the attempts can easily come from somewhere else. Third, as unSpawn alluded to, IPv4 address ranges are somewhat dynamic and do change.

While I am not saying don't implement block lists (I myself do, especially with regards to emails), be sure that you are using them in conjunction with other, more reliable means of security.
Edit: Followup
Try fail2ban.

1 members found this post helpful.