Using iptables to block ips that spam or attack your server

Check Configuring iptables on CentOS post.

Why should you do that while APF or CSF can do it automatically?
Because APF/CSF could block an important bot testing your server to add to search index. So reviewing every ip would be a daily task!
Ok, so how?
using RHEL4, centos4

  • first you need to create file ‘badips’ in say ‘var’ dir
  • edit your ‘/etc/init.d/iptables’
    • #vi /etc/init.d/iptables
go to 'start() {'
#insert these lines before 'touch $VAR_SUBSYS_IPTABLES'
       #banning BAD IPS
	if [ -f /var/badips ]
	then
	       for BAD_IP in `cat /var/badips`
	       do
	               iptables -I INPUT -s $BAD_IP -j DROP
		       echo 'ip '$BAD_IP' banned'
		       echo
	       done
	else
	       echo "Can't read /var/badips"
	fi
  • add the bad ips into /var/badips file separated by newline
    • #echo '80.145.203.224' >> /var/badip
  • restart your iptables
    • /etc/init.d/iptables restart

    Ok but how about a nice PHP script which would do that without getting into ssh?

    $file = '/var/badips';
#remove IP use ?do=rm&ip=80.145.203.224
$arr = array_map('rtrim',file($file));
if($_GET['do']=='rm'){
	unset($arr[array_search($_GET['ip'],$arr)]);
	if(file_put_contents($file,implode("\n",$arr)))
		echo $_GET['ip'].' removed';
}else{ #add ip ?ip=80.145.203.224
        #duplicated ip 
	if(is_array($arr) && in_array($_GET['ip'],$arr)) echo $_GET['ip'].' exits';
	else{
		exec("/sbin/iptables -I INPUT -s {$_GET['ip']} -j DROP");
                exec("/etc/init.d/iptables restart",$output);
		if(file_put_contents($file,"{$_GET['ip']}\n",FILE_APPEND))
			echo $_GET['ip'].' Banned';
	}
exec("cat {$file}",$output);
}
print_r($output);

    add the script to file ban.php and make sure file ‘badips’ is 666 writable then excute ban.php?ip=80.145.203.224 to ban this ip or ban.php?ip=80.145.203.224&do=rm to remove it from the banned ips

    Recommended posts:


    Tags : bash block bot CentOS ip Linux more-38 Security ssh

    This entry was posted on Tuesday, May 29th, 2007 at 3:45 pm and is filed under Blog, Linux, Solutions. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

    • Pingback: Using iptables to block ips that spam or attack your server « Bloggitation

    • http://1000asa.com Lorenzo

      cool,
      just what I was looking for, thanks.

    • http://xoxolatito.com xOxolatito

      awesome!! =)

    • http://www.bdat.net Pedro Pablo

      Hi

      It can be made a little change in order to improve the performance. I only want to check the packet that are addressed to port 25.

      If you don’t want logging, just comment out the line.

      iptables -N MAIL
      iptables -N MAILLOG

      iptables -A INPUT -i eth0 -j MAIL ! -s 127.0.0.1 -p tcp –dport 25

      iptables -A MAILLOG -j LOG
      iptables -A MAILLOG -j DROP

      and then
      iptables -A CORREO -i eth0 -j MAILLOG -s 188.54.0.0/15

      Now, please is there any “badip” file to share.

      Thanks

    • http://www.bdat.net Pedro Pablo

      Sorry for the mistake, you should replace CORREO by MAIL

    • Pingback: Configuring iptables on CentOS :: GadElKareem


     Top