I am getting bombarded with attempted hacks from China all with similar IPs.
How would I block the IP range with something like 116.10.191.* etc.
I am running Ubuntu Server 13.10.
The current line I am using is:
sudo /sbin/iptables -A INPUT -s 116.10.191.207 -j DROP
This only lets me block each one at a time but the hackers are changing the IPs at every attempt.
To block 116.10.191.* addresses:
$ sudo iptables -A INPUT -s 116.10.191.0/24 -j DROP
To block 116.10.*.* addresses:
$ sudo iptables -A INPUT -s 116.10.0.0/16 -j DROP
To block 116.*.*.* addresses:
$ sudo iptables -A INPUT -s 116.0.0.0/8 -j DROP
But be careful what you block using this method. You don't want to prevent legitmate traffic from reaching the host.
edit: as pointed out, iptables evaluates rules in sequential order. Rules higher in the ruleset are applied before rules lower in the ruleset. So if there's a rule higher in your ruleset that allows said traffic, then appending (iptables -A) the DROP rule will not produce the intended blocking result. In this case, insert (iptables -I) the rule either:
sudo iptables -I ...
sudo iptables --line-numbers -vnL
say that shows rule number 3 allows ssh traffic and you want to block ssh for an ip range. -I takes an argument of an integer that's the location in your ruleset you want the new rule to be inserted
iptables -I 2 ...
sudo /sbin/iptables -A INPUT -s 116.10.191.0/24 -j DROP
This blocks the range. You can expand the subnet as needed with the same general format.
As an alternative approach you could use something as simple as fail2ban. It institutes a timeout for successive failed login attempts and makes bruteforcing infeasible since they only get a few chances per timeout. I set my time out length to 30 minutes. By the time they're an hour or two in, they realize they won't be able to make any headway and give up.
