Get APLawrence.com by RSS2005/05/01 blacklist unwanted ip addresses
On Linux, it's easy enough to add an iptables rule to blacklist a particular ip address. You can even automate the process based on certain criteria that you define. However, you don't necessarily want to leave an ip blacklisted forever, because it may be transient (a legitimate user may have that ip address tomorrow), or the condition that triggered your block may have been an error. The ip address may even have been spoofed, thus denying access to legitimate users.
There is a security tools bundle at http://www.apachesecurity.net by the author of Apache Security that can assist with this. It includes a command line perl script "blacklist" that adds entries to your iptables. To prepare for it, your regular iptables startup rules need to add a "BLACKLIST" chain like this:
iptables -N BLACKLIST
iptables -A INPUT -p tcp --dport 80 -j BLACKLIST
Then simply make sure that "blacklist start" runs at startup. I copied it to /sbin and added "/sbin/blacklist start" to /etc.rc.local. This is not a daemon; the startup just reads previously stored blocks from a data file and adds them to the BLACKLIST chain.
IP's are blocked for the duration you specify:
blacklist block 65.96.14.162 300
blocks that ip address for 300 seconds. However, as no daemon is running, there's nothing to unblock unless you run "blacklist unblock_stale" regularly. Therefore, how often you run that determines the lower limit of how long someone will be blocked. I have it running daily only, so any block could last up to 24 hours regardless of the duration set. You may want to run the unblock_stale more often. You can specifically unblock someone with "blacklist unblock <ip>" and clear all blocks with "blacklist clear".
This bundle also includes an "apache-protect" perl script that
can monitor apache status and automatically call blacklist when
suspicious activity is observed. To use that, you need to enable
the apache mod_status module:
# from httpd.conf
..
LoadModule status_module modules/mod_status.so
..
ExtendedStatus On
..
SetHandler server-status
Order deny,allow
Deny from all
Allow from 82.165.235.25
Allow from 65.96.14.162
This creates a special /server-status page, only visible to the ip addresses listed in "Allow from", that has extended Apache status information:
Apache Server Status for unixish.com
Server Version: Apache
Server Built: Nov 12 2004 10:10:20
_________________________________________________________________
Current Time: Friday, 22-Apr-2005 08:55:01 EDT
Restart Time: Thursday, 21-Apr-2005 13:31:56 EDT
Parent Server Generation: 8
Server uptime: 19 hours 23 minutes 4 seconds
Total accesses: 734 - Total Traffic: 1.1 MB
CPU Usage: u.2 s.29 cu35.21 cs0 - .0512% CPU load
.0105 requests/sec - 16 B/second - 1583 B/request
1 requests currently being processed, 8 idle workers
________W.......................................................
................................................................
................................................................
................................................................
Scoreboard Key:
"_" Waiting for Connection, "S" Starting up, "R" Reading Request,
"W" Sending Reply, "K" Keepalive (read), "D" DNS Lookup,
"C" Closing connection, "L" Logging, "G" Gracefully finishing,
"I" Idle cleanup of worker, "." Open slot with no current process
Srv PID Acc M CPU SS Req Conn Child Slot Client VHost Request
0-8 1481 0/86/86 _ 5.08 600 0 0.0 0.13 0.13 82.165.235.25 zenez.com GET
/cgi-bin/scoprogfaq/faq?cmd=maintenance&secret=7ed92cede8b6
1-8 1482 0/88/88 _ 4.82 904 0 0.0 0.13 0.13 66.228.164.203 zenez.com GET
/tmp/scouw7faqz/cache/77.html HTTP/1.0
2-8 1483 0/87/87 _ 5.30 1004 0 0.0 0.14 0.14 66.249.71.67 zenez.com GET
/tmp/scoprogfaq/cache/68.html HTTP/1.0
3-8 1484 0/87/87 _ 3.93 720 0 0.0 0.12 0.12 82.165.235.25 stage.zenez.com
GET /cgi-bin/scoprogfaq/faq?cmd=maintenance&secret=fed3156b3781
4-8 1485 0/88/88 _ 3.70 937 0 0.0 0.13 0.13 66.228.164.193 zenez.com GET
/robots.txt HTTP/1.0
5-8 1486 0/86/86 _ 5.22 495 0 0.0 0.11 0.11 68.142.249.105 zenez.com GET
/tmp/ou8faqz/cache/125.html HTTP/1.0
6-8 1487 0/89/89 _ 5.45 21 0 0.0 0.16 0.16 u15181317.onlinehome-server.com
unixish.com GET /server-status HTTP/1.0
7-8 1488 0/87/87 _ 4.00 495 0 0.0 0.13 0.13 68.142.251.156 zenez.com GET
/robots.txt HTTP/1.0
8-8 4121 0/36/36 W 1.28 0 0 0.0 0.06 0.06 82.165.235.25 unixish.com GET
/server-status HTTP/1.0
_________________________________________________________________
Srv Child Server number - generation
PID OS process ID
Acc Number of accesses this connection / this child / this slot
M Mode of operation
CPU CPU usage, number of seconds
SS Seconds since beginning of most recent request
Req Milliseconds required to process most recent request
Conn Kilobytes transferred this connection
Child Megabytes transferred this child
Slot Total megabytes transferred this slot
_________________________________________________________________
SSL/TLS Session Cache Status:
cache type: SHMCB, shared memory: 512000 bytes, current sessions: 0
sub-caches: 32, indexes per sub-cache: 133
index usage: 0%, cache usage: 0%
total sessions stored since starting: 0
total sessions expired since starting: 0
total (pre-expiry) sessions scrolled out of the cache: 0
total retrieves since starting: 0 hit, 0 miss
total removes since starting: 0 hit, 0 miss
The "apache-protect" script processes this information and calls blacklist when indicated. Add apache-protect to cron:
* * * * * /sbin/apache-protect
It would definitely be a good idea to add your own ip address to apache-protect's whitelist:
# An overriding threshold list. The value -1 means never
# block. Any other value establishes a threshold for
# the given IP address.
%WHITELIST = ( "127.0.0.1" => -1, "65.96.14.162" => -1 );
It's easy to use "blacklist" for other conditions, too. I have code in my comments scripts that checks for spamming and refuses the post if it detects unreasonable content; I may also add a call to "blacklist" under such conditions. If a particular site seems to be regularly appearing in your spam email filters, they may as well be blocked permanently. That can be done by adding ip's to the blacklist data file "/etc/blacklist.dat " at startup, perhaps just by maintaining another file of "always block" ip's that you iterate through with "blacklist" at startup. That's simple to add to the blacklist script itself.
Enter your email address for automatic notification of new posts here
(be sure to whitelist 'feedburner.com' if you use spam filtering)
Installation and light training Boston and New England
Reliable and experienced, punctual and professional.
| Views for this page | ||||
|---|---|---|---|---|
| Today | This Week | This Month | This Year | Overall |
| 7 | 7 | 233 | 3,823 | 16,301 |
Have you tried Searching this site?
Unix/Linux/Mac OS X support by phone, email or on-site: Support Rates
This is a Unix/Linux resource website. It contains technical articles about Unix, Linux and general computing related subjects, opinion, news, help files, how-to's, tutorials and more. We appreciate comments and article submissions.
http://thatitguy.com Business networking servers, Linux and Unix experts. In business since 1997! Windows and Exchange to Samba and Scalix migration experts.
http://echo3.net/ Unix/Linux Custom Applications, Web Hosting, C/C++ Programming Courses
http://www.breakthru.com.au SCO (Openserver and Unixware), Unix, Solaris and Linux Consulting services including: Secure Networking Solutions; Linux based Firewalls; Backup Solutions; Secure Home to Office Network Setup; Phone, Remote and On-Site Support available - Satisfaction Guaranteed!
- Nov 23 13:01
I need coffee before I will even open the door, never mind go out there. That's completely non-negotiable, by the way. - Nov 23 12:56
It's COLD and my wife wants us to go work in the yard. Do you think I can have her arrested for cruelty? Probably not as she's going too.
Related Posts
Add your comments