Full Version: How-to: List/Ban IP
The Planet Forums > System Administration > HOWTOs
XGhozt
CODE
Banning an IP
iptables -A INPUT -p all -s IPHERE/32 -j DROP

CODE
Unbanning an IP
iptables -D INPUT -p all -s IPHERE/32 -j DROP

CODE
Listing the five IPs with the most connections
netstat -atnp -A inet | grep ":80" | awk -F " " '{print $5} ' | awk -F ":" '{print $1}' | sort | uniq -c | sort -nr | head -5

CODE
Listing total connections
netstat -nap | grep ESTABLISHED | wc -l
netstat -nap | grep SYN | wc -l
netstat -nap | grep TIME_WAIT | wc -l


Simple Tutorial by XGhozt =]
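The listing one-liners above, as an added example that is not part of XGhozt's post: the same pipeline wrapped in functions and run over a constructed netstat sample, with the port match restricted to the local-address column (so a remote ephemeral port that happens to end in 80 is not counted) and LISTEN sockets skipped. The sample output and function names are my own.

```shell
#!/bin/sh
# Added example: the "top connection sources" and "connections per state"
# pipelines from the post, reading netstat-style lines from stdin so they can
# be exercised on a constructed sample without a live server.

# Constructed sample of `netstat -atnp -A inet` output (not from a real host).
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1234/httpd
tcp        0      0 10.0.0.5:80             198.51.100.7:51234      ESTABLISHED 1234/httpd
tcp        0      0 10.0.0.5:80             198.51.100.7:51235      ESTABLISHED 1234/httpd
tcp        0      0 10.0.0.5:80             198.51.100.7:51236      SYN_RECV    -
tcp        0      0 10.0.0.5:80             203.0.113.9:40001       ESTABLISHED 1234/httpd
tcp        0      0 10.0.0.5:80             203.0.113.9:40002       TIME_WAIT   -
tcp        0      0 10.0.0.5:22             192.0.2.44:60010        ESTABLISHED 987/sshd
tcp        0      0 10.0.0.5:80             192.0.2.44:60011        ESTABLISHED 1234/httpd'

# top_sources PORT [N]: connections to local PORT counted per remote IP, top N.
# Same idea as the post's pipeline, but ":PORT" must end the local-address
# column ($4), and the LISTEN socket itself is not counted as a client.
top_sources() {
    port=$1; n=${2:-5}
    awk -v p=":$port" '$4 ~ (p "$") && $6 != "LISTEN" { split($5, a, ":"); print a[1] }' \
        | sort | uniq -c | sort -nr | head -n "$n" \
        | awk '{ print $2, $1 }'   # output: "IP count", highest first
}

# count_state STATE: number of sockets in one TCP state (the post's wc -l lines).
count_state() {
    awk -v s="$1" '$6 == s' | wc -l | tr -d ' '
}

# Run on the constructed sample:
printf '%s\n' "$SAMPLE" | top_sources 80 5
printf '%s\n' "$SAMPLE" | count_state ESTABLISHED
```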
panfor
Very useful, thanks.

xerophyte
or install some iptables front end like shorewall or apf. then t
CODE
shorewall drop ip
... to block an IP; there are more options with it
XGhozt
I prefer not to install more software on my server.
smoker
You don't need to specify the protocol, and you don't need to specify the /32

ie.
iptables -A INPUT -s 192.168.0.1 -j DROP

If you are only banning the ip from, say, SSH access, then that line would become :

iptables -A INPUT -p tcp -s 192.168.0.1 --dport 22 -j DROP

Change --dport to whatever service's port you are denying to that IP.

If you want this ban to be permanent, then you need to save iptables and then restart it to read in the new values.
On RHEL this would be :
service iptables save
then
service iptables restart

I had issues with certain IPs hammering SSH on my server, so I wrote a small shell script to make it easier to ban ips manually -

CODE
#!/bin/bash
# This script makes banning ip addresses from ssh access easier
# This script needs to be run as root, so if you don't understand it, you shouldn't really run it !
# No responsibility for locking you out of your own server is assumed !!

# define variables here #

address=$1                      # address=$1 gets the ip passed from the command line
file="/etc/sysconfig/iptables"  # where to check for duplicate entries
quit=n                          # preset the quit variable so we can run the loop

################################################################################
## sub routine that actually checks for duplicates
## or adds new rules to iptables, plus a few escape options
################################################################################
process(){
    read confirm
    case $confirm in
    y) if grep -qwF -- "$1" "$2"   # If the inputted address matches a rule in the existing tables
                                   # (-w -F: whole-word, literal match, so 192.168.0.1 is not
                                   # reported as a duplicate of a rule for 192.168.0.10)
       then
           echo -e "\E[0;31m$1 is already banned"; tput sgr0
           unset address
           sleep 2
       else                        # If no existing match, add rule and restart iptables
           iptables -A INPUT -p tcp -s "$1" --dport 22 -j DROP
           service iptables save
           service iptables restart
           echo -e "\E[0;32m$1 has been banned"; tput sgr0
           unset address
           sleep 5
       fi
       clear;;
    n) echo "Information discarded" # cancel that request, try again
       unset address
       sleep 1
       clear;;
    q) quit=y;;                     # just quit already
    *) echo "Invalid response !"    # WTF was that ?
       sleep 1
       clear;;
    esac
}

################################################################################
## Start of input script
################################################################################
clear
while test "$quit" = "n"
do
    if [ -n "$address" ]; then      # did we get an ip on the command line ?
        case $address in
        q) quit=y;;
        *) echo -e '\E[0;31mIPTABLES IP Banning Utility Ready'; tput sgr0
           echo -n "$address will be banned from ssh access, is this ok ? [y],[n],[q]:"
           process "$address" "$file"   # jump to main function
        esac
    else                            # ok, we're starting from scratch, no command line arguments
        echo -e '\E[0;31mIPTABLES IP Banning Utility Ready'; tput sgr0
        echo "Please enter the IP address to be banned from ssh access attempts"
        echo -n "(q to quit now): "
        read address
        case $address in
        q) quit=y;;
        *) echo -n "$address will be banned from ssh access, is this ok ? [y],[n],[q]:"
           process "$address" "$file"   # jump to main function
        esac
    fi
done


I saved this as a file called ban.sh (located in root's home directory)
chmod 700 and owned by root

So I can ban an address like this :
Login to server over SSH
su - to root
then type :
ban 192.168.0.1

or just type ban and follow the prompts.
This script is set up for use on RHEL, so it may need modifying for other distros.
All the parameters are explained using man iptables.
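Added example, not smoker's script or any project's code: the same tcp/22 ban as above together with its unban, with the address validated before it reaches iptables and the duplicate check done with iptables -C against the live ruleset instead of grepping the saved file (which only catches rules already written by `service iptables save`). It assumes a Linux iptables that supports -C (--check); the function names, DRY_RUN switch and sample addresses are my own.

```shell
#!/bin/sh
# Added example: validated, idempotent ban/unban of one IPv4 address for SSH.
# Set DRY_RUN=1 to print the iptables commands instead of applying them.

# ipt ARGS...: run iptables, or in dry-run mode print the command instead.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        [ "$1" = "-C" ] && return 1   # dry run: pretend the rule is not there yet
        echo "iptables $*"
        return 0
    fi
    iptables "$@"
}

# valid_ipv4 ADDR: dotted quad, every octet 0-255.  Rejecting anything else keeps
# a value typed at a prompt from turning into extra iptables arguments.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$1" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1
    done
}

# ban_ssh ADDR: add the DROP only if an identical rule is not already present
# (iptables -C returns 0 when the rule exists, non-zero otherwise).
ban_ssh() {
    valid_ipv4 "$1" || { echo "invalid address: $1" >&2; return 2; }
    if ipt -C INPUT -p tcp -s "$1" --dport 22 -j DROP 2>/dev/null; then
        echo "$1 is already banned"; return 0
    fi
    ipt -I INPUT -p tcp -s "$1" --dport 22 -j DROP
}

# unban_ssh ADDR: remove the same rule (the -D form from earlier in the thread).
unban_ssh() {
    valid_ipv4 "$1" || { echo "invalid address: $1" >&2; return 2; }
    ipt -D INPUT -p tcp -s "$1" --dport 22 -j DROP
}

case "${1:-}" in
    ban)   ban_ssh "$2" ;;
    unban) unban_ssh "$2" ;;
    *)     echo "usage: $0 ban|unban ADDRESS   (DRY_RUN=1 to only print the rules)" >&2 ;;
esac
```

As with smoker's script, a rule added this way is lost on restart until it is saved (`service iptables save` on RHEL).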
James Jhurani
everyone was doing it... so I decided to throw ANOTHER alternative in the pool!

you could put the alias in your ".profile" for root.
alias banip='iptables -I INPUT -j DROP -s'

Then it would just be "banip 123.4.5.6" from command line
MakeMeShine
you could always install CSF.... apart from being a top notch free firewall and brute force detector it also has a feature that checks for common security holes in your server AND also makes it easy to allow / block IP addresses with complex rules (certain ports from certain IPs etc...)
James Jhurani

iptables -I INPUT -s <ip> -p <protocol> --dport <destination port> -j <ACCEPT or DROP>
XGhozt
What about if you have the APF Firewall installed?
I know that this bans:
CODE
apf -d IPADDRESS


How can I unban an IP with a command?

Otherwise:
CODE
/etc/apf/deny_hosts.rules

Have to edit and remove the banned IP.
James Jhurani
I believe it's just "apf -u ip"