Blocking IP addresses that keep hammering?

SarcNBit

ryno267 said:
not the biggest Linux guy - just treading water here... but I'll try and do that next time.... thx
If you are not logging on directly as root (which you shouldn't be IMO), then you may want to use "su -" instead of "su". I am guessing that was the reason you couldn't run iptables without the complete path.
 

ryno267

Really? Niiiiiiiice

Hmm... I always do su

That's all I've ever been told... I'll do the su - from now on....

What's the difference? Like I know it allows me to run stuff without the direct path... but that's news to me....
Thanks, btw...
 

ramprage

su - changes the environment variables and su doesn't. Basically it changes all paths and the home directory to those of the real root user.

If you already have APF installed why are you using iptables directly?
Simply add the following:

pico /etc/apf/deny_hosts.conf

Paste in the IP to a new line.

Save the file and restart APF.
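The deny_hosts.conf step above, with two checks a hand edit skips: the entry must actually be an IPv4 address or CIDR block, and it must not already be listed. This is an added example, not code from this thread or from APF; it assumes only that deny_hosts.conf is one entry per line with # comment lines, and takes the file path as a parameter so it can be tried on a scratch copy before touching /etc/apf/deny_hosts.conf (restart APF afterwards, as the post says).

```shell
# Added example (not from this thread or from APF): validate an entry and
# append it to a deny_hosts.conf-style file only if it is not already listed.
# The file path is a parameter so it can be tried on a scratch copy; APF's
# real file is /etc/apf/deny_hosts.conf and APF must be restarted afterwards.

# is_ipv4_or_cidr ENTRY: succeed if ENTRY is a dotted-quad IPv4 address,
# optionally followed by /0-32.
is_ipv4_or_cidr() {
    addr=${1%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32            # no slash: a single host
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case "$addr" in .*|*.|*..*) return 1 ;; esac # leading/trailing/double dot
    oldifs=$IFS; IFS=.
    set -- $addr                                 # split into octets
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# apf_deny_add FILE ENTRY [COMMENT]: print "added", "duplicate" or "invalid".
apf_deny_add() {
    file=$1; entry=$2; comment=${3:-}
    is_ipv4_or_cidr "$entry" || { echo invalid; return 1; }
    # Escape the dots so grep matches the literal entry as a whole token,
    # so 211.32.0.0 is not mistaken for 211.32.0.0/11 (or vice versa).
    pat=$(printf '%s' "$entry" | sed 's/[.]/\\./g')
    if [ -f "$file" ] && grep -Eq "^[[:space:]]*$pat([[:space:]]|$)" "$file"; then
        echo duplicate; return 2
    fi
    [ -n "$comment" ] && printf '# %s\n' "$comment" >> "$file"
    printf '%s\n' "$entry" >> "$file"
    echo added
}
```

Example use: apf_deny_add /etc/apf/deny_hosts.conf 212.146.127.100 "ssh brute force, Oct 2004" then restart APF.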
 

spiff06

Everyone,

I had someone/thing conduct break-in attempts last week, found this thread and used the drop command (iptables -A INPUT -p tcp -s xxx.xxx.xxx.xxx -j DROP, I know, I shouldn't have limited it to tcp...) to block access from a total of 10 IPs over four days.

All went well the first couple of days, with break-in attempts effectively shut from the IPs entered the previous day, until the log turned out clean on day 4.

However, since then, I've been receiving bitwise errors:
Use of uninitialized value in bitwise or (|) at /etc/log.d/scripts/services/kernel line 100, <STDIN> line 828266.
Use of uninitialized value in left bitshift (<<) at /etc/log.d/scripts/services/kernel line 102, <STDIN> line 828266.
These errors have been spawning. I now get a "failed delivery" log message, filled with 1.2 MB of these bitwise error messages.

(I've also described this problem here).

Please help.
Thanks, Eric
 

bhd

From checking our logs, here are some you may want to consider adding to the APF deny_hosts list:

 

ryno267

Update....

Just wanted to let everybody know that I've installed APF and love it - have seen no attempts lately and have totally killed those old IPs altogether.

And thanks, BHD, for that country list.
 

dianaward

So, how exactly do I ascertain that APF is working properly and it is safe to take it out of development mode?
 

pcsmith_uk

dianaward said:
it is safe to take it out of development mode?
If you leave it in Development mode it disables itself in a minute. Just make sure you can SSH in when it's started up (i.e. enabled) and all things (such as cPanel) are available also, and it should be safe to disable development mode.

Definitely use BFD as well, but the best advice is to change your SSH port. You'll also need to change the cPanel SSH port to the same thing or you won't be able to use the web SSH interface. There are many tutorials on the EV1 forums - www.ev1servers.net (and numerous other forums).