How to block ip addresses with iptables

I have an ip address attacking my server or taking up all my httpd connections so none of my sites work.

In order to correct this you will want to use the netstat -n command to see the ip addresses connected to your server. Once you have the ip address you want to block you can use the following command to block them from accessing your server using iptables

iptables -I INPUT 1 -s IP.ADD.RES.SS -j DROP

-I INPUT 1 means to insert the rule at the top of the INPUT table (which means it will get looked at first)

-s IP.ADD.RES.SS is the source address of the packets we want to deal with

-j DROP means dump the packets into the void, and forget they ever happened.

DoS: looking at open connections

Here is a command line to run on your server if you think your server is under attack. It prints our a list of open connections to your server and sorts them by ammount.

RedHat: netstat -ntu | awk ‘{print $5}’ | cut -d: -f1 | sort | uniq -c | sort -n

BSD: netstat -na |awk ‘{print $5}’ |cut -d “.” -f1,2,3,4 |sort |uniq -c |sort -n

You can also check for connections by running the following command.
netstat -plan | grep :80 | awk ‘{print $4 }’ | sort -n | uniq -c | sort

These are few step to be taken when you feel the server is under attack:
——————————————————————————-
Step 1: Check the load using the command “w”.
Step 2: Check which service is utilizing maximum CPU by “nice top”.
Step 3: Check which IP is taking maximum connection by netstat -anpl|grep :80|awk {‘print $5’}|cut -d”:” -f1|sort|uniq -c|sort -n
Step 4: Then block the IP using firewall (APF or iptables “apf -d < IP>” )
——————————————————————————-

You can also implement security features in your server like:

1) Install apache modules like mod_dosevasive and mod_security in your server.
2) Configure APF and IPTABLES to reduce the DDOS
3) Basic server securing steps :
===============================
http://www.linuxdevcenter.com/pub/a/linux/2006/03/23/secure-your-server.html?page=1
===============================
4) Configure sysctl parameters in your server to drop attacks.

You can block the IP which is attacking your server using Ipsec from command prompt.
=========
>> netsh ipsec static add filterlist name=myfilterlist
>> netsh ipsec static add filter filterlist=myfilterlist srcaddr=a.b.c.d dstaddr=Me
>> netsh ipsec static add filteraction name=myaction action=block
>> netsh ipsec static add policy name=mypolicy assign=yes
>> netsh ipsec static add rule name=myrule policy=mypolicy filterlist=myfilterlist filteraction=myaction
========

Rootkit help

RootKit — Spyware and Junkware detection and removal tool

Go to Rootkit Hunter homepage, and download the latest release. http://www.rootkit.nl/projects/rootkit_hunter.html

## Get the latest source and untar
# cd /usr/src/utils
# wget http://downloads.rootkit.nl/rkhunter-<version>.tar.gz
# tar xfz rkhunter-*.gz
# cd rkhunter
# ./installer.sh
## run rkhunter
# rkhunter -c
Setup automatic protection on System Reboot
## Edit /etc/rc.d/rc.local
##      (or similar file depending on Linux version)
## Add the following lines at the bottom of the file

/usr/local/sbin/apf –start
/usr/local/ddos/ddos.sh -c

Preventing DDOS Attacks with Mod_Evasive

Denial of Service attacks are among the oldest yet most common form of attacking a server. Most system administrators have had to deal with DOS attacks taking down a server, router, or other networking device and know how difficult they can be to prevent.

Mod_evasive is an Apache module that limits the number of Apache connections to the server at once, and blocks an offending IP for a specified amount of time. This tutorial will show you how to install mod_evasive on your system.

1. Install:

wget http://www.zdziarski.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz
tar -xvzf mod_evasive_1.10.1.tar.gz
cd mod_evasive_1.10.1
/usr/local/apache/bin/apxs -cia mod_evasive.c

2. Configure:

Once the module is compiled, add these lines to httpd.conf and stop Apache completely before starting it up again:

<IfModule mod_evasive.c>
DOSHashTableSize 3097
DOSPageCount 6
DOSSiteCount 50
DOSPageInterval 2
DOSSiteInterval 2
DOSBlockingPeriod 600
</IfModule>

Below is an explanation of these settings:
DOSHashTableSize – Size of the hash table. The greater this setting, the more memory is required – faster

DOSPageCount – Max number of requests for the same page within the ‘DOSPageInterval’ interval

DOSSiteCount – Max number of requests for a given site, uses the ‘DOSSiteInterval’ interval.

DOSPageInterval – Interval for the ‘DOSPageCount’ threshold in second intervals.

DOSSiteInterval– Interval for the ‘DOSSiteCount’ threshold in second intervals.

DOSBlockingPeriod – Blocking period in seconds if any of the thresholds are met. The user will recieve a 403 (Forbidden) when blocked, and the timer will be reset each time the site gets hit when the user is still blocked.