ok, i have 20 ips delegated to a server
only 5 ips are utilized by server
the remaining are just sitting there
those attempting attacks will go through the list
they hit the first ips then go through the list
modsec is not blocking subsequent attempts at ip attacks until they are attempted
thus, 000.001 is hit and denied
then 000.002 is hit and denied
by same incoming ip
below are 3 of 14 attempts by one ip as shown in modsec
124.219.58.77 7x.53.xxx.xx0
124.219.58.77 7x.53.xxx.xx1
124.219.58.77 7x.53.xxx.xx2
so, the ip 124.219.58.77 is going down ip list. x hundreds
i want to tie each unused ip, or all unused ips, to a web page or program that immediately blocks the ip.
though i could remove the ips i see them as a way to "*midway" these attackers
[*ambush]
having a means to stop on the first ip would completely block the attacker from any access for a period of time
especially the scripted Asian attacks
any comments pro or con appreciated.
i have most security packages installed so if i am missing the facts of using them to do this will also be appreciated
rock
- - - Updated - - -
what i would like to do is similar to this how-to, except i need it automated.
Nullroute IP using route command
Suppose that the bad IP is 65.21.34.4; type the following command at the shell:
# route add 65.21.34.4 gw 127.0.0.1 lo
You can verify it with the following command:
# netstat -nr
OR
# route -n
You can also use the reject target (thanks to Gabriele):
# route add -host IP-ADDRESS reject
# route add -host 64.1.2.3 reject
To confirm the null routing status, use the ip command as follows:
# ip route get 64.1.2.3
Output:
RTNETLINK answers: Network is unreachable
Drop entire subnet 192.67.16.0/24:
# route add -net 192.67.16.0/24 gw 127.0.0.1 lo
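The automation the post asks for, as an added example (not code from the post or from the quoted how-to): a small POSIX sh script that reads "source destination" pairs like the two-column listing above, picks out every source that touched one of the server's unused addresses, and builds the same `route add -host ... reject` command the how-to shows. The unused addresses and the sample log lines are constructed placeholders; nothing is applied unless APPLY=1 is set and the script runs as root.

```shell
#!/bin/sh
# Added example (not from the post): pick out source IPs that touched the server's
# unused addresses and build the null-route command from the how-to above.
# Constructed values: UNUSED_IPS and the sample log; the "src dst" line format
# mirrors the two-column listing in the post.

# Addresses that serve nothing; any hit on them is treated as probing (constructed).
UNUSED_IPS="203.0.113.10 203.0.113.11 203.0.113.12"

# is_unused_ip DST: succeed when DST is one of the unused addresses.
is_unused_ip() {
    for u in $UNUSED_IPS; do
        [ "$u" = "$1" ] && return 0
    done
    return 1
}

# attackers_from_log: read "src dst" lines on stdin and print each source
# that hit an unused address, once per source.
attackers_from_log() {
    while read -r src dst _rest; do
        if is_unused_ip "$dst"; then
            printf '%s\n' "$src"
        fi
    done | sort -u
}

# nullroute_cmd SRC: the reject-route form from the how-to, as a string.
nullroute_cmd() {
    printf 'route add -host %s reject' "$1"
}

# apply_block SRC: run the route command only when APPLY=1 (needs root);
# otherwise print it, so the script is safe to try first.
apply_block() {
    cmd=$(nullroute_cmd "$1")
    if [ "${APPLY:-0}" = "1" ]; then
        $cmd
    else
        printf 'DRY-RUN: %s\n' "$cmd"
    fi
}

# sample_log: constructed lines in the post's "<source> <destination>" shape.
# The third line hits an address that is in use, so it must not be blocked.
sample_log() {
    printf '124.219.58.77 203.0.113.10\n'
    printf '124.219.58.77 203.0.113.11\n'
    printf '198.51.100.5 203.0.113.1\n'
}

# Demo: sh block.sh --demo   (add APPLY=1 and run as root to really null-route)
if [ "${1:-}" = "--demo" ]; then
    sample_log | attackers_from_log | while read -r ip; do
        apply_block "$ip"
    done
fi
```

To use it on a live box, replace sample_log with whatever produces source/destination pairs from the ModSecurity audit log (the format varies by version, so that extraction is left to the reader), and pair each route you add with a cron job that runs the matching route del after the block period, which gives the "for a period of time" behaviour the post wants.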