Blocking an IP address

From CPanelDirect


Some DoS attacks and floods can be blocked server side. This is generally possible if they are under 50 Mbps and the server load is less than 30. There are differences between FreeBSD and Linux in how DoS attacks are blocked.


Finding Attacks

Floods can be found using netstat, which is available on both Linux and FreeBSD. The admin script

/admin/showallipconnection

can be run to show the connection count per IP, ordered from fewest to most. (To run any of the /admin commands you need to have the admin scripts installed.) This works on both FreeBSD and Linux. You can look at the source if you want to see the exact netstat command used; it is usually netstat -an with a lot of sorts and greps.

Generally speaking, you can assume an IP with more than 100 connections is flooding the server.


Blocking Attacks On Linux

Linux uses iptables, which is available on all CentOS servers by default and on most other Linux distros as well. An example of blocking an IP with iptables is as follows:

iptables -I INPUT -s 4.2.2.2 -j DROP

This blocks the IP 4.2.2.2 from sending traffic to the server. To block the server from sending traffic to the same IP, match it as the destination (-d) on the OUTPUT chain:

iptables -I OUTPUT -d 4.2.2.2 -j DROP

Blocking Attacks On FreeBSD

FreeBSD uses ipfw as a firewall. To see if ipfw is available run:

ipfw list

The output should look as follows:

65535 deny ip from any to any

Assuming you do not get an error and you see the above line, ipfw is available. To block an IP run the following, where $rule is the rule number to assign (any number below the default rule 65535, so it is evaluated first):

ipfw add $rule deny ip from 4.2.2.2 to any

Alternatives to iptables and ipfw

Using the route command is an alternative to ipfw or iptables. Only do this if neither of them is available. On Linux the command is:

/sbin/route add -host 4.2.2.2 reject

On FreeBSD the command is:

/sbin/route add -net 4.2.2.2 -netmask 255.255.255.255 127.0.0.1 -blackhole


Automatically blocking attacks

The admin script /admin/autoblockip can be used to automatically block attacks. It always works on CentOS, should work on most Linux distros, and will work on FreeBSD if ipfw is available.

To use it run:

/admin/autoblockip -r 100

Here -r means real, and 100 is the number of connections an IP must reach before it is blocked. If you run this without -r it only shows what would have been blocked. By default it blocks at 75.
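As an added example (not the CPanelDirect admin scripts themselves), the following POSIX shell functions reproduce the idea behind showallipconnection and autoblockip described above: count connections per remote IP from netstat -an output, then emit the iptables DROP command for every IP at or over a threshold, as a dry run unless REAL=1 is set. The netstat output is a constructed sample embedded in the script, and the function names are my own.

```shell
#!/bin/sh
# Constructed sample of Linux `netstat -an` output (stands in for real output).
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 203.0.113.10:80         198.51.100.7:51234      ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.7:51235      ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.7:51236      ESTABLISHED
tcp        0      0 203.0.113.10:80         192.0.2.44:40001        ESTABLISHED
tcp        0      0 203.0.113.10:443        192.0.2.44:40002        TIME_WAIT
tcp6       0      0 :::22                   :::*                    LISTEN'

# connections_per_ip: read netstat output on stdin and print "count ip",
# fewest first. Listening sockets and wildcard peers are skipped; IPv4 only.
connections_per_ip() {
    awk '$1 ~ /^tcp/ && $6 != "LISTEN" && $5 !~ /\*$/ {
            ip = $5; sub(/:[0-9]+$/, "", ip); count[ip]++
         }
         END { for (ip in count) print count[ip], ip }' | sort -n
}

# block_commands THRESHOLD: print one iptables INPUT DROP rule per IP whose
# connection count is at or above THRESHOLD.
block_commands() {
    connections_per_ip | awk -v t="$1" '$1 >= t {
        printf "iptables -I INPUT -s %s -j DROP\n", $2 }'
}

# autoblock THRESHOLD: dry run by default (like autoblockip without -r);
# set REAL=1 to actually execute the generated commands.
autoblock() {
    block_commands "$1" | while read -r cmd; do
        if [ "${REAL:-0}" = "1" ]; then sh -c "$cmd"; else echo "would run: $cmd"; fi
    done
}

printf '%s\n' "$SAMPLE" | autoblock 3
```

With the sample above, only 198.51.100.7 (three connections) reaches the threshold of 3; on a live server replace the sample with `netstat -an | autoblock 100`.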

Unblocking an IP

To unblock an IP run:

/admin/unblockip ip.address

On Linux this uses iptables and is just calling:

iptables -D INPUT -s 4.2.2.2 -j DROP