{"id":618,"date":"2015-01-26T15:30:40","date_gmt":"2015-01-26T14:30:40","guid":{"rendered":"http:\/\/www.hauweele.net\/~gawen\/blog\/?p=618"},"modified":"2022-03-29T13:13:07","modified_gmt":"2022-03-29T13:13:07","slug":"ips-ban-on-linux","status":"publish","type":"post","link":"https:\/\/hauweele.net\/~gawen\/blog\/?p=618","title":{"rendered":"IPs ban on Linux"},"content":{"rendered":"
\"Ban<\/a>

Who needs a quick ban?<\/p><\/div>\n

Today we had a bruteforce attack on our nginx server. Well cannot say he was anywhere near successful though, the guy did POST \/wp-login.php<\/code> several times per second and all he got as an answer was 404<\/code>. Fat chance…<\/p>\n

But still, he had our access logs growing far larger than they usually do. So I tried to ban him. Unfortunately nginx does not use TCP wrappers by default (you can use ngx_tcpwrappers<\/a> although\u00a0it will have to be rebuilt from source).<\/p>\n

So I made a little script, called ban-hammer<\/a> to temporarily ban IPs using IPTables. There is also a cron.daily script to unban<\/a> IPs each day.\u00a0The script requires rpnc<\/a>, but it is easy to adapt without it.<\/p>\n

These scripts add and remove the IPs into a special IPT chain (which you can configure in the script).\u00a0So you also have to configure your firewall to jump to the two chains and load banned IPs on boot:<\/p>\n

echo \"Bans\"\r\n\r\nload_bans() {\r\n  ban_table=$1\r\n  ban_chain=$2\r\n  iptables=$3\r\n\r\n  $iptables -N $ban_chain\r\n\r\n  while read ban\r\n  do\r\n    ip=$(echo \"$ban\" | cut -d'=' -f 1)\r\n    $iptables -A $ban_chain -s \"$ip\" -j DROP\r\n  done < \"$ban_table\"\r\n\r\n  $iptables -A INPUT -j $ban_chain\r\n}\r\n\r\nload_bans \/etc\/firewall\/ip4.ban IP4BAN iptables\r\nload_bans \/etc\/firewall\/ip6.ban IP6BAN ip6tables<\/pre>\n","protected":false},"excerpt":{"rendered":"
Today we had a bruteforce attack on our nginx server. Well cannot say he was anywhere near successful though, the guy did POST \/wp-login.php several times per second and all he got as an answer was 404. Fat chance… But … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[536,539,84,537,6,460,40,538],"class_list":["post-618","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-ban","tag-hosts-deny","tag-ip","tag-iptables","tag-linux","tag-nginx","tag-script","tag-tcp_wrappers"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/hauweele.net\/~gawen\/blog\/index.php?rest_route=\/wp\/v2\/posts\/618","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hauweele.net\/~gawen\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hauweele.net\/~gawen\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hauweele.net\/~gawen\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/hauweele.net\/~gawen\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=618"}],"version-history":[{"count":0,"href":"https:\/\/hauweele.net\/~gawen\/blog\/index.php?rest_route=\/wp\/v2\/posts\/618\/revisions"}],"wp:attachment":[{"href":"https:\/\/hauweele.net\/~gawen\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=618"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hauweele.net\/~gawen\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=618"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hauweele.net\/~gawen\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=618"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}