2. How to block a particular attacking IP on a Linux server
Check your server utilization using the top command, then use the following command to list all the IP addresses connected to your server.
#netstat -tn 2>/dev/null | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | head
[user@serverA]$ netstat -tn 2>/dev/null | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | head
25 165.89.185.201
2 140.176.118.7
[user@serverA]$
There are 25 connections open from IP 165.89.185.201. If you consider this abnormal and want to block this IP, use the steps below.
1. NULL ROUTE:
Let's null route the IP, so that all incoming connections from the IP will be dropped or ignored.
Use either of the following commands to null route the IP (both commands perform the same action).
# route add -host 165.89.185.201 reject
or
#route add 165.89.185.201 gw 127.0.0.1 lo
2. Run netstat -nr to display all the routes and make sure the route has been added to the routing table.
#netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
165.89.185.201  127.0.0.1       255.255.255.255 UGH       0 0          0 lo
3. Check all connected IPs again; the attacker's IPs are gone:
#netstat -tn 2>/dev/null | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | head
Now you can't find connections from that IP to the server.
4. If you want, you can delete the null route.
To delete an existing null route, use route delete.
#route delete 165.89.185.201
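
The counting and blocking steps above as one script, added here as an example (not the original author's code): it matches the local port exactly, so connections on :8080 or outbound connections to a remote port 80 are not counted the way a plain `grep :80` counts them, and it only prints the `route add -host ... reject` command for review instead of running it. The function names, the threshold of 2 and the sample `netstat -tn` output (IPv4 documentation-range addresses) are constructed for the example.

```shell
#!/bin/sh
# Added example: per-peer connection counts on one local port, IPv4 only.

# Constructed sample of `netstat -tn` output (not from a real server).
sample_netstat() {
cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           203.0.113.5:51514       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:51515       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:51516       ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:40022      ESTABLISHED
tcp        0      0 192.0.2.10:8080         198.51.100.9:40100      ESTABLISHED
tcp        0      0 192.0.2.10:39000        198.51.100.20:80        ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:40023      TIME_WAIT
EOF
}

# Read `netstat -tn` output on stdin; print "count ip" for peers of local port $1,
# highest count first. Like the pipeline above, every TCP state is counted.
count_peers() {
    awk -v port="$1" '
        $1 == "tcp" {
            n = split($4, l, ":")          # local address:port
            if (l[n] != port) next         # exact local port, not a substring match
            split($5, r, ":")              # remote address:port
            c[r[1]]++
        }
        END { for (ip in c) print c[ip], ip }' | sort -k1,1nr -k2,2
}

# Print (do not run) a null-route command for each peer with more than $2
# connections to local port $1, so the list can be reviewed before blocking.
suggest_null_routes() {
    count_peers "$1" |
        awk -v limit="$2" '$1 > limit { print "route add -host " $2 " reject" }'
}

echo "Connections per peer on port 80:"
sample_netstat | count_peers 80
echo "Suggested null routes (more than 2 connections):"
sample_netstat | suggest_null_routes 80 2
```

On a live server, replace `sample_netstat` with `netstat -tn 2>/dev/null` and pick a threshold that fits your normal traffic.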