To block 116.10.191.* addresses:

$ sudo iptables -A INPUT -s 116.10.191.0/24 -j DROP

To block 116.10.*.* addresses:

$ sudo iptables -A INPUT -s 116.10.0.0/16 -j DROP

To block 116.*.*.* addresses:

$ sudo iptables -A INPUT -s 116.0.0.0/8 -j DROP

But be careful what you block using this method. You don't want to prevent legitimate traffic from reaching the host.

Edit: as pointed out, iptables evaluates rules in sequential order. Rules higher in the ruleset are applied before rules lower in the ruleset. So if there's a rule higher in your ruleset that allows said traffic, then appending (iptables -A) the DROP rule will not produce the intended blocking result. In this case, insert (iptables -I) the rule either:

  • as the first rule

sudo iptables -I INPUT ...

  • or before the allow rule

sudo iptables --line-numbers -vnL

Say that shows rule number 3 allows ssh traffic and you want to block ssh for an IP range. -I takes an integer argument that's the location in your ruleset where you want the new rule to be inserted:

sudo iptables -I INPUT 2 ...
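Added example, not code from the post above: a POSIX shell snippet that works the rule-ordering point through. It parses a listing in the format of `iptables --line-numbers -vnL INPUT`, finds the number of the ACCEPT rule for a port, builds the `iptables -I INPUT N ...` command that lands the DROP ahead of it, and checks whether a DROP that was appended with -A is shadowed by an earlier ACCEPT. The listing is a constructed sample (rule 3 is the ssh ACCEPT, rule 4 an appended DROP), and the range 116.10.0.0/16 and port 22 are assumptions. It inserts at the ACCEPT's own position number, which pushes the ACCEPT down one; inserting one position earlier, as the post does, works equally well.

```shell
#!/bin/sh
# Added example, not code from the post above. The INPUT listing below is a
# CONSTRUCTED sample of `iptables --line-numbers -vnL INPUT` output in which
# rule 3 is the ACCEPT for ssh and rule 4 is a DROP that was appended with -A.
SAMPLE_LISTING='Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     1234   99K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2     5678  400K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
3      321   19K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
4       12   720 DROP       all  --  *      *       116.10.191.0/24      0.0.0.0/0'

# Read a listing on stdin and print the number of the first ACCEPT rule whose
# match text contains "dpt:<port>" (followed by a non-digit or end of line, so
# port 22 does not match dpt:2222). Prints nothing if there is no such rule.
accept_rule_for_port() {
    awk -v port="$1" '
        $1 ~ /^[0-9]+$/ && $4 == "ACCEPT" && $0 ~ ("dpt:" port "([^0-9]|$)") { print $1; exit }'
}

# Read a listing on stdin and print the iptables command that drops tcp/<port>
# from <range> ahead of the ACCEPT rule (same position number as the ACCEPT,
# which pushes the ACCEPT down one). Falls back to position 1 when no ACCEPT
# rule for the port exists, so the DROP is first either way.
drop_before_accept() {
    range=$1
    port=$2
    pos=$(accept_rule_for_port "$port")
    [ -n "$pos" ] || pos=1
    printf 'sudo iptables -I INPUT %s -p tcp --dport %s -s %s -j DROP\n' \
        "$pos" "$port" "$range"
}

# Read a listing on stdin; succeed (exit 0) when a DROP rule for <range> sits
# below an ACCEPT rule for tcp/<port>. That is exactly the appended-rule
# mistake: the ACCEPT matches first and the DROP never sees that traffic.
# Field 9 of a -vnL line is the source column.
drop_is_shadowed() {
    awk -v range="$1" -v port="$2" '
        $1 ~ /^[0-9]+$/ && $4 == "ACCEPT" && !acc && $0 ~ ("dpt:" port "([^0-9]|$)") { acc = $1 + 0 }
        $1 ~ /^[0-9]+$/ && $4 == "DROP" && $9 == range { drop = $1 + 0 }
        END { exit !(acc && drop && drop > acc) }'
}

# Stand-alone demo against the constructed listing.
if printf '%s\n' "$SAMPLE_LISTING" | drop_is_shadowed 116.10.191.0/24 22; then
    echo "rule 4 (DROP 116.10.191.0/24) is shadowed by the ssh ACCEPT above it"
fi
echo "ssh ACCEPT is rule $(printf '%s\n' "$SAMPLE_LISTING" | accept_rule_for_port 22)"
printf '%s\n' "$SAMPLE_LISTING" | drop_before_accept 116.10.0.0/16 22
```

Against a live box, feed the real listing instead of the sample: `sudo iptables --line-numbers -vnL INPUT | drop_before_accept 116.10.0.0/16 22` prints the insert command for you to review and run. The generated rule carries `-p tcp --dport 22` because the scenario is blocking ssh for the range; drop those two options if you want to block everything from the range, and re-run the listing afterwards to confirm the DROP sits above the ACCEPT.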


sudo /sbin/iptables -A INPUT -s 116.10.191.0/24 -j DROP

This blocks the range. You can expand the subnet as needed with the same general format.


As an alternative approach you could use something as simple as fail2ban. It institutes a timeout for successive failed login attempts and makes brute-forcing infeasible since they only get a few chances per timeout. I set my timeout length to 30 minutes. By the time they're an hour or two in, they realize they won't be able to make any headway and give up.