how can i manually block ip address

[wazburn]

i already have the block ip button from the brute force attack.

now i want to block ip address logged from slowloris, how can I manually add these ip address to block from iptables?

i have these ip httpd error logged message from slowloris
[warn] Rejected, too many connections in READ state from 1.2.3.4.


These bunch of ip address is playing everyday. so i need to block it.

 

[Aaron_E]

Use something like fail2ban and create yourself a ruleset for it for slowloris (if there isn't one already). If you just want to block the specific ip's you've got now you can use something like:
iptables -A INPUT -s 1.2.3.4 -j DROP

Don't know the exact syntax for iptables and it might be easier to create 'blocklists' and assign 1 rule to block all ip's in such a list. In BSD's PF it's called 'tables', iptables surely will have something like it as well.

 

[wazburn]

thanks,

i hope there could be also a button to block ips from slowloris to make it easy,

now what I did is
iptables-save > /block.ip.fw

then edit the file block.ip.fw and added the ips "iptables -A INPUT -s 1.2.3.4 -j DROP"

services iptables restart

then I restore
iptables-restore < /block.ip.fw

 

[wazburn]

im blocking ip address that mod_antiloris is reporting from apache error log.

however, these attackers just change IPs and doing the same thing over and over again, I already had mod_antiloris installed. but when these attackers do a slowloris attack my server load average gets more than 70.0 with too many apache request, it gets back to normal load when I block IPs to iptables manually.

im not sure if the mod_antiloris is working or not.


any suggestion or solution with this???