Blacklist on firewall

Discussion in 'Installation/Configuration' started by mccharlet, Apr 16, 2007.

  1. mccharlet

    mccharlet Member HowtoForge Supporter

    Hi,

    My server is hacked by an IP address from Russia.

    I want to create a blacklist on my firewall to block all services from this address.
     
  2. Hawker

    Hawker New Member

    To block all traffic from an IP address...

    mkdir /etc/Bastille/firewall.d
    cd /etc/Bastille/firewall.d
    touch post-rule-setup.sh

    Now edit post-rule-setup.sh with your favorite editor and put the following line in it...

    /sbin/iptables -I INPUT -s ipaddress -j DROP

    Save the file and restart Bastille with...

    /etc/init.d/bastille-firewall restart

    This works with Fedora core 3, locations may be different for your system.
     
  3. alexillsley

    alexillsley New Member

    Can't you just add it to hosts.deny?
     
  4. Hawker

    Hawker New Member

    He asked how to do it from the firewall.

    The end result from the firewall is all packets are dropped on all ports with no response. The visiting IP just sits there wondering what happened to the packets that were sent.

    Plus, I do believe that hosts.deny only works on services run with the tcp wrapper.
     
    Last edited: Apr 16, 2007
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    Another way to stop access from certain IP addresses is to use the route command:

    /sbin/route add -host 123.123.123.123 reject

    This should also work with all services. The dropped routes will be reset when you restart your server. This can be positive and negative. In case you shut yourself out of the server, it is good to know that a reboot may solve the problem when your server is hosted in a datacenter :)
     
  6. alexillsley

    alexillsley New Member

    Would this work with a hostname?
    e.g.
     
  7. Hawker

    Hawker New Member

    No. Route only works with IP addresses.

    Since this topic came up again, I prefer "DROP" over "REJECT" for the simple reason that if you are blocking an IP address they've had to have done, or tried to do something really bad to your system. I see no reason to be polite to them and tell them they've been rejected.
     
    Last edited: Apr 21, 2007
  8. alexillsley

    alexillsley New Member

    Thanks,
    Does this work with a host name?
     
  9. Hawker

    Hawker New Member

    Again, no. iptables only works on IP addresses.
     
  10. alexillsley

    alexillsley New Member

    ----- expired ----
     
    Last edited: Nov 15, 2010
  11. Hawker

    Hawker New Member

    Yes, it does work on CIDR ranges.

    I have to ask, are you trying to block emails with this? That's usually the only reason to block a domain.com address.
     
  12. alexillsley

    alexillsley New Member

    No, I want to block a hacker. Unfortunately they have a dynamic IP; the only thing that doesn't change is their ISP :(
     
  13. Hawker

    Hawker New Member

    Ok, if someone is trying to hack into your system they are doing it on a specific port so follow my original instructions but change...

    /sbin/iptables -I INPUT -s ipaddress -j DROP

    to

    /sbin/iptables -A INPUT -p tcp -s ipaddress --dport ## -j DROP

    ## is the port you want to block.
    ipaddress can be the full CIDR for the ISP, i.e.: xxx.xxx.xxx.xxx/16

    Either way works, but if you block the specific port you still allow valid traffic from that ISP. Unless of course it's the mail port.
     
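    As an added example (not code from any poster in this thread), a small POSIX shell script that turns a blacklist file into the DROP rules given in posts 2 and 13, both the whole-source form and the per-port CIDR form, and validates every entry first so a typo in the file never becomes a malformed rule. The file format and the sample addresses are constructed; the rules are printed for review rather than applied.

```shell
#!/bin/sh
# Return 0 if $1 is a dotted-quad IPv4 address, optionally with a /0-32 prefix.
valid_cidr() {
    case "$1" in
        */*) addr=${1%/*}; prefix=${1#*/} ;;
        *)   addr=$1; prefix=32 ;;
    esac
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    octets=0; old_ifs=$IFS; IFS=.
    for o in $addr; do
        case "$o" in ''|*[!0-9]*) IFS=$old_ifs; return 1 ;; esac
        [ "$o" -le 255 ] || { IFS=$old_ifs; return 1; }
        octets=$((octets + 1))
    done
    IFS=$old_ifs
    [ "$octets" -eq 4 ]
}

# Return 0 if $1 is a TCP port number in 1-65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Read "IP_OR_CIDR [tcp_port]" lines ('#' comments allowed) from file $1 and
# print one DROP rule per valid entry: with a port, the per-port form from the
# thread; without, everything from the source is dropped. -I puts the rule at
# the top of INPUT so it applies before any later ACCEPT. Bad lines are skipped.
gen_blacklist_rules() {
    while read -r src port rest; do
        case "$src" in ''|\#*) continue ;; esac
        if ! valid_cidr "$src"; then
            echo "skipping invalid source: $src" >&2
        elif [ -z "$port" ]; then
            echo "/sbin/iptables -I INPUT -s $src -j DROP"
        elif valid_port "$port"; then
            echo "/sbin/iptables -I INPUT -p tcp -s $src --dport $port -j DROP"
        else
            echo "skipping invalid port for $src: $port" >&2
        fi
    done < "$1"
}
# Number of rules a blacklist file yields once invalid lines are skipped.
count_rules() { gen_blacklist_rules "$1" 2>/dev/null | wc -l | tr -d ' '; }

# Constructed sample blacklist (RFC 5737 documentation addresses).
BLACKLIST=$(mktemp)
printf '%s\n' '# host, all ports' '203.0.113.7' \
    '# ISP-sized range, SSH only' '198.51.100.0/24 22' '192.0.2.999' > "$BLACKLIST"
gen_blacklist_rules "$BLACKLIST"
```

    Redirect the output into post-rule-setup.sh once it looks right; the invalid third entry is reported on stderr and produces no rule.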
  14. alexillsley

    alexillsley New Member

    Hmm, it appears to be my router letting me down and not my server :( My router keeps breaking; I know the connection is fine because my modem works. Wish my router could ban IPs. Thanks for your help anyway.
     
