Using iptables to block ips that spam or attack your server

Why should you do that while APF or CSF can do it automatically?
Because APF/CSF could block an important bot testing your server to add to search index. So reviewing every ip would be a daily task!
Ok, so how?
using RHEL4, centos4

  • first you need to create file 'badips' in say 'var' dir
  • edit your '/etc/init.d/iptables'
    1. #vi /etc/init.d/iptables
    2. go to ’start() {'
    3. #insert these lines before 'touch $VAR_SUBSYS_IPTABLES'
    4.        #banning BAD IPS
    5.         if [ -f /var/badips ]
    6.         then
    7.                for BAD_IP in `cat /var/badips`
    8.                do
    9.                        iptables -I INPUT -s $BAD_IP -j DROP
    10.                        echo 'ip '$BAD_IP' banned'
    11.                        echo
    12.                done
    13.         else
    14.                echo "Can't read /var/badips"
    15.         fi
    16.  
  • add the bad ips into /var/badips file separated by newline
    1. #echo '80.145.203.224′ >> /var/badip
  • restart your iptables
    1. /etc/init.d/iptables restart

    Ok but how about a nice PHP script which would do that without getting into ssh?

    1. $file = '/var/badips';
    2. #remove IP use ?do=rm&ip=80.145.203.224
    3. $arr = array_map('rtrim',file($file));
    4. if($_GET['do']=='rm'){
    5.         unset($arr[array_search($_GET['ip'],$arr)]);
    6.         if(file_put_contents($file,implode("\n",$arr)))
    7.                 echo $_GET['ip'].' removed';
    8. }else{ #add ip ?ip=80.145.203.224
    9.         #duplicated ip
    10.         if(is_array($arr) && in_array($_GET['ip'],$arr)) echo $_GET['ip'].' exits';
    11.         else{
    12.                 exec("/sbin/iptables -I INPUT -s {$_GET['ip']} -j DROP");
    13.                 exec("/etc/init.d/iptables restart",$output);
    14.                 if(file_put_contents($file,"{$_GET['ip']}\n",FILE_APPEND))
    15.                         echo $_GET['ip'].' Banned';
    16.         }
    17. exec("cat {$file}",$output);
    18. }
    19. print_r($output);
    20.  
    21.  

    add the script to file ban.php and make sure file 'badips' is 666 writable then excute ban.php?ip=80.145.203.224 to ban this ip or ban.php?ip=80.145.203.224&do=rm to remove it from the banned ips


    Tags :

    This entry was posted on Tuesday, May 29th, 2007 at 3:45 pm and is filed under Blog, Solutions. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

    5 Responses to “Using iptables to block ips that spam or attack your server”

    1. Using iptables to block ips that spam or attack your server « Bloggitation Says:
      October 29th, 2007 at 11:12 am

      [...] read more | digg story [...]

    2. Lorenzo Says:
      March 26th, 2008 at 9:32 am

      cool,
      just what I was looking for, thanks.

    3. xOxolatito Says:
      September 29th, 2009 at 9:43 pm

      awesome!! =)

    4. Pedro Pablo Says:
      January 19th, 2010 at 9:53 pm

      Hi

      It can be made a little change in order to improve the performance. I only want to check the packet that are addressed to port 25.

      If you don't want logging, just comment out the line.

      iptables -N MAIL
      iptables -N MAILLOG

      iptables -A INPUT -i eth0 -j MAIL ! -s 127.0.0.1 -p tcp –dport 25

      iptables -A MAILLOG -j LOG
      iptables -A MAILLOG -j DROP

      and then
      iptables -A CORREO -i eth0 -j MAILLOG -s 188.54.0.0/15

      Now, please is there any “badip" file to share.

      Thanks

    5. Pedro Pablo Says:
      January 19th, 2010 at 9:54 pm

      Sorry for the mistake, you should replace CORREO by MAIL

     

    Leave a Reply


     Top