Question about iptables

R

roarkh

Verified User
Joined
Aug 30, 2005
Messages
139
Location
Bellingham, WA
Hello, I'm wondering if someone can enlighten me, we are running DirectAdmin on a CentOS server and have been getting hit by a lot of brute force attacks lately and I am trying to permanently block some IP Ranges from connecting to our server, after some searching on the internet I found the iptables commands that do seem to block the traffic...

For example, to block a class C IP Range I'm using something like...

Code: 
iptables -I INPUT -s xx.xx.xx.0/24 -j DROP

or for a single IP

Code: 
iptables -I INPUT -s xx.xx.xx.xx -j DROP

That works fine for a while but it seems as though iptables must get restarted automatically sometimes and when that happens the rules I added go away.

Does anyone know the command to make those changes permanent, or should I be blocking these ips some other way? I've searched the internet but what I'm finding seem inconsistent. For instance, I've seen that perhaps I could use "iptables-save > /etc/sysconfig/iptables" but when I look in /etc/sysconfig/ I don't see that file there at all so I'm a little worried about trying that. (I do have files named ip6tables-config and iptables-config in /etc/syscconfig but no file named just iptables).

CFS/LFD is installed but it only blocks so many servers before deleting the oldest ones to make way for more new ones, I'm getting hit by so many attempts these days that that is not good enough for blocking the few servers that seem to never let up so I'd like a more permanent way to block those.

Thanks in advance for any help anyone can provide.
 
after some searching on the internet I found the iptables commands that do seem to block the traffic...
Click to expand...
Since you searched on internet, I find it strange you did not encounter the same option which is possible with CSF exactly the same way, since you have that installed.
Code: 
csf -d xx.xx.xx.0/24

but it only blocks so many servers before deleting the oldest ones to make way for more new ones,
Click to expand...
Which is logically. Iptables lines also use resources. To prevent your server getting slow by using too many block lines, this is done.
However, if you had a look in your csf.conf you would have seen that you can expand the amount yourse.
You can raise the DENY_IP_LIMIT and DENY_TEMP_IP_LIMIT to a higher value if needed.

Or block ranges like in my example, if you want that, or even block complete country's via CSF. You don't need loose iptables lines with CSF installed.

Some little advise. We all have sometimes we get flooded with attacks or bruteforces. Take care your Deny_ip limit settings are not to big and don't block them forever. It's no use at all and only eats system resources, especially if the attacks are coming from botnets.
Just let csf handle most of them and if they get overwritten, it be so, it will stop or get less after some time. You can't block everyting either way.
 
Thank you for your reply Richard. I have already increased the number of blocks allowed in csf/lfd but there is one subnet that I've been getting attacked from now for months, and I only really wanted to permanently block that one, in most cases I am totally OK with csf/lfd letting them rotate through. The reason I didn't think of using csf/lfd for this one was because I assumed it would just get added to the csf/lfd block list and then after it rotated through it would become unblocked again, which is what I am trying to avoid. Are you saying that if I use the command you recommended, csf -d xx.xx.xx.0/24, that that will result in a permanent and not a temporary block? If so I'll give that a shot, but if that block is not permanent, I'd still like to find a way to permanently block ip ranges as well.
 
As said, it's no problem. You can also set the limit to 0.
Set to 0 to disable limiting
Click to expand...
In that case you can make as much as you want and they won't be rotated, you only have to watch that your servers and network is not slowing down at a certain moment.

You can check if you just give "csf" as command, you will see all commandline options.

csf -d = deny (so permanent block), I also use this for permanent block of some ip's.
-d, --deny ip [comment]
Deny an IP and add to /etc/csf/csf.deny (so this is permanent block)
-td, --tempdeny ip ttl [-p port] [-d direction] [comment]
Click to expand...
 
And don't forget, CSF is just an extended kind of iptables shell... so everything you can do with iptables you can do with csf too. ;)
 
After digging a bit deeper through the CSF/LFD readme file I think some of the above information is not quite correct, I believe that using "csf -d xx.xx.xx.0/24" will not permanently block the ip range, it just adds it to csf.deny just as if you had blocked it using the csf/lfd interface that gets installed into DirectAdmin. To make the block permanent you can add "do not delete" someplace in the comment field for the block, something like this...
Code: 
csf -d xx.xx.xx.0/24 Added because I don't like them, do not delete
This information can all be found by reading the file /etc/csf/readme.txt, which I probably should have done before I started this thread.
 
I think some of the above information is not quite correct
Click to expand...
In fact there are 2 options. I only gave the option you asked for, which might have caused a bit of confusion.

Since my answer was a combined answer it was quite correct when used like that.
If you disable the limits -and- use csf -d (like both stated in my reply), the csf.deny file will not be flushed or overwritten anymore unless you do that manually. So used like that, the block is permanent too, the "do not delete text" is pointless in that case, so it was correct information.

If you do -not- disable the limits, it's another situation.
In that case the only way to have a permanent block is using the "do not delete" text. However, the question is, if that is useful for what you want. Because in that case it will only fill up the csf.deny file until the limit is reached.
And then you still have to either increase the limit or disable the limit. ;)

It's ofcourse always wise for specific things to dig deeper in the manual.
 
Edit in csf webgui or as root, /etc/csf/csf.deny

The phrase "do not delete" does the trick.
Code: 
82.94.176.128/26 # Spider Wise-Guys do not delete
82.94.178.128/27 # Spider Wise-Guys do not delete
82.94.254.32/27 # Spider Wise-Guys do not delete
87.233.222.208/29 # Spider TraceBuzz do not delete
87.233.193.208/28 # Spider TraceBuzz do not delete

Edit: Just noticed Richard also mentioned "do not delete".
 
Last edited:
Wanabo said:
Edit in csf webgui or as root, /etc/csf/csf.deny

The phrase "do not delete" does the trick.
Code: 
82.94.176.128/26 # Spider Wise-Guys do not delete
82.94.178.128/27 # Spider Wise-Guys do not delete
82.94.254.32/27 # Spider Wise-Guys do not delete
87.233.222.208/29 # Spider TraceBuzz do not delete
87.233.193.208/28 # Spider TraceBuzz do not delete

Edit: Just noticed Richard also mentioned "do not delete".
Click to expand...

You have always to ask yourself ip adresses Spider and BOTS in IP table is this a wise thing to do.

While they change everytime these IP are to often blocked, so you need a good Documentation for these and also keep an eye on changing ip's from them! ;)

Better is if then in a host file for the agent or so, yes they could change that to, but it don't hurts while nor risk blocking wrong ip's when other company's are going to use these after change.

I alway thought IP tables are for ip adresses that's has to be there for long/ longer time
Otherwise you solve it in Hosts file ore htaccess, and ofcourse for the blocking table (hack/brute) not permanent in csf
 
Last edited:
In this case it is the right course of action. They use different UA's for their spiders and some of the ip addresses in this range are used as a starting point for their customers. What I posted were examples of data-mining companies who make money from my data without my consent.
 
roarkh said:
Hello, I'm wondering if someone can enlighten me, we are running DirectAdmin on a CentOS server and have been getting hit by a lot of brute force attacks lately and I am trying to permanently block some IP Ranges from connecting to our server, after some searching on the internet I found the iptables commands that do seem to block the traffic...
Click to expand...

I think if you want to stop brute force attacks, you should install csf or Fail2ban to help you.

Here are tips to block brute force attacks: https://forumweb.hosting/13027-tips-to-block-brute-force-attacks.html

Hope that helped.
 
@Tommyhara: I think you should read thread before you comment. This solution is already mentioned and improved.
 
You must log in or register to reply here.
Back
Top