Technology Blog

Linux Banning IPs


cPanel has a Deny Manager for banning IPs on each individual account/site, which is great if you have a handful of domains hosted on the box. But maybe you have one domain with 100+ subdomains set up as their own accounts within cPanel, or a ton of domains in general. So you need a way to ban an IP quickly across the whole server (and it’s not in cPanel).

If you don’t opt for a better route, this means going into every single account to block the IP. Even if you did go to each account, it doesn’t seem to block cPanel login attempts via requests using your server’s IP. Not good when you want a quick short-term fix to a botnet DoS attack on a production server. The way to get around that is to use iptables or hosts.deny.

So if you find this in your logs:

  • 217.147.83.21 - - [02/Jun/2014:21:03:21 -0500] "GET /usercp HTTP/1.1" 404 - "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"

You can ban an IP by running this at the command line as root, substituting the offending address:

  • iptables -I INPUT -s 123.123.123.123 -j DROP
  • iptables -I INPUT -s 11.11.11.11 -j DROP

For more info about iptables, see: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/s1-fireall-ipt-act.html

The only issue you might have here is that a system restart will clear the IPs you just put in. You can always add those lines to your /etc/rc.d/rc.local so that they’re there all the time. But at that rate, put some time into getting a system in place like fail2ban, DenyHosts, or CSF/LFD. Worst case, if you have cPanel on the server then it is often packaged with cPHulk (log in as the root/admin user).
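
The log-to-ban step and the rc.local note above, combined into one dry-run script. This is an added example, not from the original post: it counts 404 responses per source IP in combined-format log lines and prints iptables commands without running them. The threshold, the allowlist and the sample log lines are assumptions constructed for illustration; the `-C` check keeps a re-run (for instance from rc.local) from stacking duplicate rules.

```sh
#!/bin/sh
# Added example: list IPs with repeated 404s in a combined-format access log
# and print (not run) the matching iptables commands.

THRESHOLD=3             # assumed cutoff: 404s from one IP before it is listed
ALLOWLIST="192.0.2.10"  # assumed: space-separated IPs that must never be banned

# Constructed sample log (documentation address ranges, not real traffic).
sample_log() {
cat <<'EOF'
203.0.113.7 - - [02/Jun/2014:21:03:21 -0500] "GET /usercp HTTP/1.1" 404 - "-" "Mozilla/5.0"
203.0.113.7 - - [02/Jun/2014:21:03:22 -0500] "GET /admin HTTP/1.1" 404 - "-" "Mozilla/5.0"
203.0.113.7 - - [02/Jun/2014:21:03:23 -0500] "GET /login HTTP/1.1" 404 - "-" "Mozilla/5.0"
198.51.100.23 - - [02/Jun/2014:21:04:01 -0500] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [02/Jun/2014:21:04:02 -0500] "GET /favicon.ico HTTP/1.1" 404 - "-" "Mozilla/5.0"
192.0.2.10 - - [02/Jun/2014:21:05:01 -0500] "GET /a HTTP/1.1" 404 - "-" "curl/7.30"
192.0.2.10 - - [02/Jun/2014:21:05:02 -0500] "GET /b HTTP/1.1" 404 - "-" "curl/7.30"
192.0.2.10 - - [02/Jun/2014:21:05:03 -0500] "GET /c HTTP/1.1" 404 - "-" "curl/7.30"
EOF
}

# Read log lines on stdin; print each valid, non-allowlisted IPv4 source
# that produced at least THRESHOLD responses with status 404.
ban_candidates() {
    awk -v min="$THRESHOLD" -v allow="$ALLOWLIST" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        {
            ip = $1   # client address is the first field
            if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ || (ip in skip)) next
            split(ip, o, "."); for (i = 1; i <= 4; i++) if (o[i] > 255) next
            # The status code is the first token after the quoted request line.
            split($0, q, "\""); split(q[3], s, " ")
            if (s[1] == "404") hits[ip]++
        }
        END { for (ip in hits) if (hits[ip] >= min) print ip }
    ' | sort
}

# Print one command per IP: -C tests whether the rule already exists,
# and -I inserts it only when that check fails.
emit_rules() {
    while read -r ip; do
        printf 'iptables -C INPUT -s %s -j DROP 2>/dev/null || iptables -I INPUT -s %s -j DROP\n' "$ip" "$ip"
    done
}

sample_log | ban_candidates | emit_rules
```

Review the printed commands before running them as root, and keep your own management address in the allowlist so a burst of 404s from it cannot lock you out.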