If you run Apache on a Linux unmanaged VDS, start by looking at your webserver's "access_log". This is normally located in /var/log/apache2/access_log, but it could be somewhere else if you have configured it to be. Look for lines that show the same IP constantly re-requesting the same resource, like this:
123.123.123.123 - - [10/Oct/2012:13:37:27 -0700] "GET /index.php HTTP/1.1" 200 - "" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1"
123.123.123.123 - - [10/Oct/2012:13:37:27 -0700] "GET /index.php HTTP/1.1" 200 - "" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1"
123.123.123.123 - - [10/Oct/2012:13:37:27 -0700] "GET /index.php HTTP/1.1" 200 - "" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1"
123.123.123.123 - - [10/Oct/2012:13:37:27 -0700] "GET /index.php HTTP/1.1" 200 - "" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1"
There are two main ways to block IPs at the network level that you've identified as malicious:
- With individual iptables rules. You could run a command like this to block the IP above, for instance:
iptables -A INPUT -s 123.123.123.123 -j DROP
You can also list all the rules you've created:
iptables --list-rules
Or delete an existing block:
iptables --delete INPUT -s 123.123.123.123 -j DROP
Or delete all rules:
iptables --flush
- With an "ipset" and a single iptables rule. This is much more efficient for large numbers of IPs, and you should prefer this method if your Linux distribution includes support for it. Blocking the same IP with this method involves these commands:
ipset create blacklist hash:ip
iptables -A INPUT -m set --match-set blacklist src -j DROP
ipset add blacklist 123.123.123.123
Adding new IPs later involves a single command for each one:
ipset add blacklist the.new.ip.address
To delete an IP from the hash:
ipset del blacklist the.ip.to.delete
To clear the hash completely:
ipset flush blacklist
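Tying the two halves of the post together, here is an added example (not from the original post) that scans an access_log for the repeated-request pattern shown above and prints the matching "ipset add blacklist" lines for review rather than running them. It assumes the combined log format from the post, a set named "blacklist", and counts hits per IP and path over the whole file; the sample log is constructed inline.

```shell
#!/bin/sh
# Added example: find client IPs that re-request the same resource at least
# THRESHOLD times in an Apache combined-format access_log, and emit the
# "ipset add blacklist <ip>" commands for an admin to review before applying.
# Assumptions: set name "blacklist" (as in the post); log path and threshold
# are passed as arguments.

# detect_repeat_offenders LOGFILE THRESHOLD
# Prints one IP per line for every (IP, path) pair seen >= THRESHOLD times.
detect_repeat_offenders() {
    awk -v thr="$2" '
        # $1 is the client IP; $7 is the request path inside "METHOD PATH PROTO"
        { count[$1 " " $7]++ }
        END {
            for (k in count) if (count[k] >= thr) {
                split(k, p, " ")
                ips[p[1]] = 1
            }
            for (ip in ips) print ip
        }' "$1" | sort
}

# block_commands LOGFILE THRESHOLD
# Turns the offender list into "ipset add blacklist <ip>" lines (printed only).
block_commands() {
    detect_repeat_offenders "$1" "$2" | while read -r ip; do
        printf 'ipset add blacklist %s\n' "$ip"
    done
}

# Constructed sample log for a stand-alone run: four hits on /index.php from
# one IP, a single hit from another.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
123.123.123.123 - - [10/Oct/2012:13:37:27 -0700] "GET /index.php HTTP/1.1" 200 - "" "Mozilla/5.0"
123.123.123.123 - - [10/Oct/2012:13:37:27 -0700] "GET /index.php HTTP/1.1" 200 - "" "Mozilla/5.0"
123.123.123.123 - - [10/Oct/2012:13:37:27 -0700] "GET /index.php HTTP/1.1" 200 - "" "Mozilla/5.0"
123.123.123.123 - - [10/Oct/2012:13:37:27 -0700] "GET /index.php HTTP/1.1" 200 - "" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2012:13:37:28 -0700] "GET /index.php HTTP/1.1" 200 - "" "Mozilla/5.0"
EOF

block_commands "$SAMPLE_LOG" 3
```

Pipe the output into sh only after checking that no legitimate source (a monitoring probe, your own office IP) appears in it.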