LinuxQuestions.org forum: Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
.htaccess doesn't do anything to block the traffic requests, if you can't block at router level then you can block with iptables. I've a blog post on how to implement iptables blocking of a list of countries. It assumes you know what iptables are and how to implement a basic firewall.
If you're still spoofing or coming from a Chinese IP address then you'll have been blocked.....
Quote:
Originally Posted by My Blog Post
There are times when you’ll want to limit access and block whole countries. Why? Because there are times when it’s necessary.
Here’s a script that builds a script….
It downloads the IP ranges from www.ipdeny.com, works through a list of two letter country codes to create a bash script that will:
Deletes an existing iptables chain.
Creates a new chain “BadCountry”.
Adds this to the top of the INPUT chain to pass anything on port 80 to the BadCountry chain.
Adds all the IP blocks in the relevant countries to the BadCountry chain with a reject/unreachable.
Feel free to adapt it to your needs.
(Oh, and you can also call the script with the parameter undo and it’ll delete the chain.)
Code:
#!/bin/bash
# Builds and installs a "BadCountry" iptables chain from ipdeny.com zone files.
# Call with the single parameter "undo" to remove the chain again.
PARAM=${1}
if [ "${PARAM}" == "undo" ] ; then
    # Detach the chain from INPUT, empty it, then delete it
    iptables -D INPUT -p tcp -m tcp --dport 80 -j BadCountry
    iptables --flush BadCountry
    iptables -X BadCountry
else
    echo $(date) IP Blocking GLOBAL START
    #First call ourselves to undo (delete the chain)
    ${0} undo
    #This is where the executable script that does the table update will live.
    TABLESCRIPT=/root/scripts/countrytables.sh
    #Change this to a folder you can write to (stop if it does not exist)
    cd /root/ipblocks || exit 1
    #and delete any zone file tar/zip files
    rm -f all-zones.tar.*
    echo $(date) Download Countries START
    #Stop if the download or the unpack fails, otherwise we would build from stale or missing zones
    wget "http://www.ipdeny.com/ipblocks/data/countries/all-zones.tar.gz" || exit 1
    tar -zxf all-zones.tar.gz || exit 1
    echo $(date) Download Countries FINISH
    echo $(date) Build Countries START
    echo "#!/bin/bash" > ${TABLESCRIPT}
    echo "iptables -N BadCountry" >> ${TABLESCRIPT}
    echo "iptables -I INPUT -p tcp -m tcp --dport 80 -j BadCountry" >> ${TABLESCRIPT}
    echo "iptables -A BadCountry -j RETURN" >> ${TABLESCRIPT}
    #One REJECT rule per CIDR range; each .zone file holds one range per line
    for COUNTRY in hk cn in id kr my ph tw th vn pk ; do
        awk '{print "iptables -I BadCountry -s " $1 " -j REJECT --reject-with icmp-port-unreachable"}' "${COUNTRY}.zone" >> ${TABLESCRIPT}
    done
    echo $(date) Build Countries FINISH
    echo $(date) Updating iptables START
    #Make our script executable
    chmod 700 ${TABLESCRIPT}
    #And now execute it
    ${TABLESCRIPT}
    echo $(date) Updating iptables FINISH
fi
# Elvis Has Left The Server.
It's a bit complicated, but what you're trying to do is a bit complicated as you're looking to ban whole countries at tcp level.
I would advise that you need to check and try some iptables tutorials before use as a badly configured iptables firewall could block you from having remote access to your server.
Not to mention that using many "Deny from"s in an .htaccess is a huge resource waster.
Apache has to read that file for every file served. Whereas in a .conf file, it does not.
Firewall block keeps them from even wasting any further apache resources.
Thanks once again. I have started reading tutorials.
The Syn Flood attacks are, as you said, at the OS level, so banning them from Apache by using .htaccess is not very useful. So why does restarting Apache make all the SYN connections go away?
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
Syn-flood attack means that the attackers open a new connection, but do not state what they want (i.e. SYN, ACK, whatever). They just want to take up our servers' resources. We won't accept such packages.
So why does restarting Apache make all the SYN connections go away?
Because it effectively "closes" port 80 and force closes any tcp connections to port 80.
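The rule above, and the SYN_RECV entries noobie143 mentions later in the thread, raise the question of how to tell whether one or two sources are holding most of the half-open connections. As an added example (not code from any poster in this thread), the shell function below reads "netstat -tn" style lines and counts SYN_RECV entries per remote address against a given local port; the sample lines are constructed, and the minimum-count threshold is an assumption for illustration.

```shell
#!/bin/sh
# Added example: count half-open (SYN_RECV) connections per remote address
# from "netstat -tn" output. A SYN flood from a few sources shows up as a
# small number of peers with many entries against the attacked port.
# Live usage:  netstat -tn | syn_recv_by_peer 80 [min_count]

# Reads netstat -tn lines on stdin. Arguments: local port (default 80) and
# minimum count to report (default 1). Prints "count remote_ip", highest first.
syn_recv_by_peer() {
    port="${1:-80}"
    min="${2:-1}"
    awk -v port="$port" -v min="$min" '
        $1 ~ /^tcp6?$/ && $6 == "SYN_RECV" {
            n = split($4, local, ":")           # local address:port
            if (local[n] != port) next
            m = split($5, peer, ":")            # remote address:port
            ip = peer[1]
            for (i = 2; i < m; i++) ip = ip ":" peer[i]   # keeps IPv6 form intact
            count[ip]++
        }
        END { for (ip in count) if (count[ip] >= min) print count[ip], ip }' | sort -rn
}

# Constructed sample output (documentation addresses, not a real capture)
SAMPLE='tcp        0      0 192.0.2.10:80        203.0.113.7:51234      SYN_RECV
tcp        0      0 192.0.2.10:80        203.0.113.7:51235      SYN_RECV
tcp        0      0 192.0.2.10:80        203.0.113.7:51236      SYN_RECV
tcp        0      0 192.0.2.10:80        198.51.100.4:40001     SYN_RECV
tcp        0      0 192.0.2.10:22        198.51.100.4:40002     SYN_RECV
tcp        0      0 192.0.2.10:80        198.51.100.9:40010     ESTABLISHED'

printf '%s\n' "$SAMPLE" | syn_recv_by_peer 80
```

The port-22 entry and the ESTABLISHED connection are ignored, so the sample reports 203.0.113.7 with three half-open connections and 198.51.100.4 with one. The function expects the netstat column layout; the output of "ss -tn state syn-recv" has different columns and is not parsed by it.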
Quote:
Originally Posted by noobie143
I posted a whole lot of lines like this covering Chinese ip ranges
iptables -A INPUT -s 1.0.1.0/24 -j DROP
into my /etc/sysconfig/iptables file
and did
service iptables restart
I also removed the .htaccess file I used earlier.
So far I can't see any SYN_RECV from China.
So what you've done is add a load of DROP rules to the INPUT chain. What my script does is similar. Mine downloads country IP ranges automatically, creates a new chain that gets added to the "top" of the INPUT chain and only gets called for specific types of traffic (in my example only port 80), and also rejects the packet rather than dropping it. Of course it would be very easy to change it to create DROP rules instead.
The reason I implemented my blocking in this way allows me to have my "static" iptables configuration and to generate the "BadCountry" chain dynamically. I can also run my script with the "undo" parameter to remove just the country blocking.
If you're happy with your method then that's the most important thing. Personally I'm lazy, I have my script run on a regular basis and don't need to manually create a lot of rules. ipdeny.com shows 5370 IP ranges for CN so manually adding that lot would take you a bit of time.
ip2location.com offers an iptables ban file. It has about 5000 lines each of which is like this:
iptables -A INPUT -s 1.0.1.0/24 -j DROP
I want to upload it to my server, read each line and execute it from the command prompt. I am asking for the simplest way because I do not want to execute bash scripts that I do not understand.
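Both the blog script earlier in the thread (which writes whatever is in the downloaded zone files straight into a script run as root) and the question just above (running 5000 downloaded "iptables -A INPUT -s ... -j DROP" lines without a script you understand) share one risk: a malformed or tampered line in the downloaded file becomes a command executed as root. As an added example, not code from any poster, the following shell functions only accept lines that are exactly a valid IPv4 CIDR (for zone files) or exactly the quoted ban-file shape, and refuse everything else. The chain name, the DRY_RUN switch and the sample inputs are assumptions made for this example.

```shell
#!/bin/sh
# Added example: validate downloaded block lists before they reach iptables.
# Runs offline as written; set DRY_RUN=0 to really call iptables (needs root).
set -u

DRY_RUN="${DRY_RUN:-1}"          # assumed switch: 1 = print rules, 0 = apply them
CHAIN="${CHAIN:-BadCountry}"     # chain name taken from the thread's script

# True only for a dotted-quad IPv4 network in CIDR form, a.b.c.d/n,
# with every octet 0-255 and the prefix 0-32. Nothing else passes.
is_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' || return 1
    local prefix="${1#*/}" octet
    [ "$prefix" -le 32 ] || return 1
    local IFS='.'
    for octet in ${1%/*}; do          # unquoted on purpose: split on the dots
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Turns an ipdeny-style zone file (one CIDR per line) into iptables commands
# for $CHAIN; blank and comment lines are skipped, anything that is not a
# well-formed CIDR is reported on stderr instead of being emitted.
zone_to_rules() {
    local line
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        if is_cidr "$line"; then
            printf 'iptables -I %s -s %s -j REJECT --reject-with icmp-port-unreachable\n' "$CHAIN" "$line"
        else
            printf 'skipped malformed line: %s\n' "$line" >&2
        fi
    done < "$1"
}

# Executes (or, with DRY_RUN=1, prints) only lines of the exact shape
# "iptables -A INPUT -s <cidr> -j DROP", the shape of the ban file quoted
# above. Every other line is refused. The last output line is "accepted refused".
apply_ban_file() {
    local line cidr ok=0 bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "iptables -A INPUT -s "*" -j DROP")
                cidr="${line#iptables -A INPUT -s }"
                cidr="${cidr% -j DROP}"
                if is_cidr "$cidr"; then
                    ok=$((ok + 1))
                    if [ "$DRY_RUN" = 1 ]; then echo "$line"; else iptables -A INPUT -s "$cidr" -j DROP; fi
                    continue
                fi ;;
        esac
        bad=$((bad + 1))
        printf 'refused: %s\n' "$line" >&2
    done < "$1"
    echo "$ok $bad"
}

# Constructed sample inputs (documentation ranges; the bad lines are deliberate)
ZONE="$(mktemp)"; BAN="$(mktemp)"
trap 'rm -f "$ZONE" "$BAN"' EXIT
printf '%s\n' '203.0.113.0/24' '198.51.100.0/25' '# comment' '999.1.1.1/24' \
              '203.0.113.0/24; touch /tmp/injected' > "$ZONE"
printf '%s\n' 'iptables -A INPUT -s 203.0.113.0/24 -j DROP' \
              'iptables -A INPUT -s 198.51.100.0/24 -j DROP' \
              'iptables -A INPUT -s 203.0.113.0/24 -j DROP; touch /tmp/injected' \
              'touch /tmp/injected' > "$BAN"

echo '--- rules built from the zone file (malformed lines go to stderr) ---'
zone_to_rules "$ZONE"
echo '--- ban file, dry run: accepted rules, then "accepted refused" ---'
apply_ban_file "$BAN"
```

On the sample data, two zone lines become rules and three are skipped; two ban-file lines are accepted and two refused. To run a real ban file the same way: upload it, then `DRY_RUN=0 sh thisfile.sh` after pointing `apply_ban_file` at it, and keep a second way in (console or a scheduled `iptables -F`) in case a rule locks you out. With several thousand ranges, a long INPUT chain is walked for every packet; the thread's approach of a separate chain only reached for port 80 keeps that cost off the rest of your traffic.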