I have a pretty big problem that's happening right now. I have a hacker trying to break into my Linux server. There are currently over 2500 attempts logged in /var/log/messages as:
Mar 15 01:06:44 webserver sshd: reverse mapping checking getaddrinfo for ip197.hichina.com [220.127.116.11] failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 15 01:06:44 webserver sshd: Invalid user ftpuser2 from 18.104.22.168
Mar 15 01:06:44 webserver sshd: Failed password for invalid user ftpuser2 from 22.214.171.124 port 57361 ssh2
The really odd thing is that I have a script to detect these things and if there are more than 10 attempts it blocks the IP using iptables. In fact, when I run: iptables -L -v, I do get:
0 0 DROP all -- any any 126.96.36.199/16 anywhere
This entry was created at 2014-03-15 00:39, yet you can see that the example entries are more than 1/2 an hour later ... and attempts continue to be made; about 200 attempts every 6 minutes.
Why is iptables not blocking this IP? Am I specifying the address wrong? Also, why are they able to try on port 57361? I don't have that port open:
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p TCP -i eth0 -m multiport --dports 22,25,53,80,443 -m state --state NEW -j ACCEPT
iptables -A INPUT -p UDP -i eth0 -m multiport --dports 53 -m state --state NEW -j ACCEPT
This is rather urgent. I'm under attack NOW!
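Two parts of the question can be worked through offline: how a log-watching script arrives at a per-IP count of failed logins, and what iptables actually does with a DROP rule that was appended with `-A` to a chain whose earlier rules already ACCEPT new connections to port 22 (first matching rule wins, so an appended DROP behind an ACCEPT is never consulted, which is what a 0-packet counter on that rule indicates; `-I` inserts at the top instead). The `port 57361` in the sshd line is the remote client's ephemeral source port, not a port listening on the server. The Python below is an added example, not code from the question or from any answer; the log lines, addresses (RFC 5737 test ranges), usernames and ports are constructed.

```python
"""Model of first-match iptables evaluation plus the sshd log counting a
blocking script performs. Added example; addresses and log lines are
constructed (RFC 5737 test networks), not taken from the post."""
import ipaddress
import re
from collections import Counter

# Constructed sample of /var/log/messages sshd lines (not the post's data).
SAMPLE_LOG = """\
Mar 15 01:06:44 webserver sshd: Invalid user ftpuser2 from 203.0.113.45
Mar 15 01:06:44 webserver sshd: Failed password for invalid user ftpuser2 from 203.0.113.45 port 57361 ssh2
Mar 15 01:06:46 webserver sshd: Failed password for invalid user ftpuser2 from 203.0.113.45 port 57362 ssh2
Mar 15 01:06:49 webserver sshd: Failed password for invalid user admin from 203.0.113.45 port 57363 ssh2
Mar 15 01:07:02 webserver sshd: Failed password for root from 198.51.100.7 port 40022 ssh2
Mar 15 01:07:10 webserver sshd: Accepted publickey for deploy from 192.0.2.10 port 51000 ssh2
"""

FAILED_RE = re.compile(
    r"sshd: Failed password for (?:invalid user )?(\S+) from (\S+) port (\d+) ssh2$"
)


def failed_attempts(log_text):
    """Count 'Failed password' lines per source IP, as a blocking script would."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts


def client_ports(log_text, src_ip):
    """The 'port N' in each line is the client's ephemeral source port, not a
    port listening on the server; the server side is always sshd's port 22."""
    return sorted(int(m.group(3))
                  for m in map(FAILED_RE.search, log_text.splitlines())
                  if m and m.group(2) == src_ip)


class Rule:
    """One INPUT rule: every match given must hold for the rule to fire."""

    def __init__(self, target, proto=None, iface=None, dports=None, state=None, src=None):
        self.target, self.proto, self.iface = target, proto, iface
        self.dports, self.state = dports, state
        self.src = ipaddress.ip_network(src) if src else None

    def matches(self, pkt):
        if self.proto and pkt["proto"] != self.proto:
            return False
        if self.iface and pkt["iface"] != self.iface:
            return False
        if self.dports and pkt["dport"] not in self.dports:
            return False
        if self.state and pkt["state"] not in self.state:
            return False
        if self.src and ipaddress.ip_address(pkt["src"]) not in self.src:
            return False
        return True


def evaluate(chain, pkt, policy="ACCEPT"):
    """iptables semantics: the first matching rule's target is final."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


def build_chain(block_src, how):
    """The post's four ACCEPT rules plus a DROP for block_src, either appended
    (-A, lands last) or inserted (-I, lands first)."""
    base = [
        Rule("ACCEPT", state={"RELATED", "ESTABLISHED"}),
        Rule("ACCEPT", iface="lo"),
        Rule("ACCEPT", proto="tcp", iface="eth0", dports={22, 25, 53, 80, 443}, state={"NEW"}),
        Rule("ACCEPT", proto="udp", iface="eth0", dports={53}, state={"NEW"}),
    ]
    drop = Rule("DROP", src=block_src)
    return base + [drop] if how == "append" else [drop] + base


def decide_ssh_attempt(block_src, how, src_ip):
    """Verdict for a new SSH connection from src_ip arriving on eth0."""
    pkt = {"proto": "tcp", "iface": "eth0", "dport": 22, "sport": 57361,
           "state": "NEW", "src": src_ip}
    return evaluate(build_chain(block_src, how), pkt)


if __name__ == "__main__":
    attempts = failed_attempts(SAMPLE_LOG)
    for ip, n in attempts.most_common():
        print(f"{ip}: {n} failed attempts, client ports {client_ports(SAMPLE_LOG, ip)}")
    noisy = attempts.most_common(1)[0][0]
    block = str(ipaddress.ip_network(noisy + "/24", strict=False))
    print("appended DROP (-A):", decide_ssh_attempt(block, "append", noisy))
    print("inserted DROP (-I):", decide_ssh_attempt(block, "insert", noisy))
```

Running it shows the appended DROP returning ACCEPT for a new connection to port 22 from the blocked range (the third rule fires first), while the inserted DROP returns DROP; on a real host the `pkts` column of `iptables -L -v -n` tells the same story, and `iptables -L INPUT --line-numbers` shows where a rule actually landed.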