
utilizing unused ips as a means to block scripted or physical hacking attempts

Discussion in 'Security' started by rockscarfone, Dec 29, 2013.

  1. rockscarfone

    rockscarfone Member

    ok, i have 20 ips delegated to a server

    only 5 ips are utilized by server

    the remaining are just sitting there


    those attempting attacks will go through the list

    they hit the first ips then go through the list

    modsec is not blocking subsequent attempts at ip attacks until they are attempted

    thus, 000.001 is hit and denied

    then 000.002 is hit and denied

    by same incoming ip

    below are 3 of 14 attempts by one ip as shown in modsec

    124.219.58.77 7x.53.xxx.xx0
    124.219.58.77 7x.53.xxx.xx1
    124.219.58.77 7x.53.xxx.xx2

    so, the ip 124.219.58.77 is going down ip list. x hundreds

    i want to tie each unused ip or all unused ip's to a web page or program that immediately blocks the ip.

    though i could remove the ips i see them as a way to "*midway" these attackers
    [*ambush]

    having a means to stop on first ip would completely block attacker to any access for a period of time

    especially the scripted Asian attacks

    any comments pro or con appreciated.

    i have most security packages installed so if i am missing the facts of using them to do this will also be appreciated

    rock

    - - - Updated - - -

    what i would like to do is similar to this how-to, except i need it automated.

    Nullroute IP using route command

    Suppose that bad IP is 65.21.34.4, type following command at shell:

    # route add 65.21.34.4 gw 127.0.0.1 lo

    You can verify it with following command:
    # netstat -nr
    OR
    # route -n
    You can also use reject target (thanks to Gabriele):
    # route add -host IP-ADDRESS reject
    # route add -host 64.1.2.3 reject

    To confirm the null routing status, use ip command as follows:
    # ip route get 64.1.2.3
    Output:

    RTNETLINK answers: Network is unreachable

    Drop entire subnet 192.67.16.0/24:
    # route add -net 192.67.16.0/24 gw 127.0.0.1 lo
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    I recommend utilizing a third-party firewall to block the offending IP address, as opposed to additional Mod_Security rules. CSF is a common firewall used by cPanel users, and you can implement custom iptables rules if necessary.

    Thank you.
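
An added example, not part of either post and not cPanel or CSF code: a sketch of the automation asked about in this thread, treating the unused IPs as tripwires. It reads "source destination" pairs (a log shape assumed from the ModSecurity excerpt in the first post) and prints one `route add -host ... reject` command, the form quoted in that post, per source that touched an unused address. `DECOY_IPS`, `ALLOWLIST` and the sample lines are constructed placeholders from documentation address ranges.

```shell
#!/bin/sh
# Constructed placeholders (RFC 5737 ranges), not the poster's addresses.
DECOY_IPS="192.0.2.10 192.0.2.11 192.0.2.12"   # delegated but unused IPs
ALLOWLIST="198.51.100.7"                        # e.g. your own monitoring host

is_ipv4() {
  # Accept plain dotted quads only, so a forged log field can never end up
  # as extra shell text inside a generated command.
  case $1 in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
  done
}

# in_list <needle> <space-separated list>
in_list() { case " $2 " in *" $1 "*) return 0 ;; esac; return 1; }

decoy_block_commands() {
  # stdin: "<source_ip> <destination_ip>" lines; stdout: commands to review.
  seen=""
  while read -r src dst _rest; do
    is_ipv4 "$src" && is_ipv4 "$dst" || continue   # drop malformed lines
    in_list "$dst" "$DECOY_IPS" || continue        # live service IP: no tripwire
    in_list "$src" "$ALLOWLIST" && continue        # never block our own hosts
    in_list "$src" "$seen" && continue             # one command per source
    seen="$seen $src"
    echo "route add -host $src reject"
  done
}

sample_log() {   # constructed sample input
  cat <<'EOF'
203.0.113.77 192.0.2.10
203.0.113.77 192.0.2.11
198.51.100.7 192.0.2.12
203.0.113.9 192.0.2.200
203.0.113.50;id 192.0.2.10
EOF
}

sample_log | decoy_block_commands
```

The commands are printed rather than executed so they can be reviewed or handed to a firewall tool instead. Routes added this way persist until removed, so a block "for a period of time" needs a matching cleanup step.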
     
