Ok, so here's the thing. It's a bit complicated, I guess.
I have an HTTP server and I have many connections (over 1000 connections per day) to it on port 80. Sometimes the HTTP server doesn't work anymore 'cause there are some IPs that access my server with more than 15 connections per second.
The chain INPUT has the default policy to accept any connection.
I did:
iptables -I INPUT -s bannedip -p tcp --dport 80 -j DROP
This works fine, I have banned 5 IPs so far and the HTTP server is working fine now, it doesn't block anymore. But I have another problem. On the same server which is running the HTTP server I have an FTP server (vsftpd) and again, I have many connections to the FTP server (tons of connections) and it's like... uncomfortable for me to ban them 'cause on the FTP server there are other banned IPs than the banned HTTP IPs, and after a couple of hours the IP is changing, and when I'm not at home I can't block any IPs anymore, and the server is blocked.
I thought about having the chain INPUT policy deny / reject as default, but that can't be done 'cause then I will have to allow all IPs for the HTTP port (80), and then if I get over 15 connections per second from an IP I can't block it anymore 'cause I already allowed 0/0 IPs on port 80.
So what can be done?
I saw on the internet that some programs (I'm not sure about vsftpd) have this thing in the *.conf:
AuthName "Site Administration"
AuthUserFile /home/user/askapache.com/.htpasswd
AuthType basic
Require valid-user
Order deny,allow
Deny from all
Allow from (my LAN IP)
Satisfy Any
Forgot to tell that I ONLY need FTP access from my LAN, not the WAN.
So, is there a way that I could deny some IPs for port 21 not from iptables but from the configuration of vsftpd?
Is that example good enough? Does it work if I write that information there? OMG I'm so stupid... why do I have to ask, I can test that myself. rotfl...
Oh, well... in case it doesn't work, I'm like... waiting for an answer here, or something.
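One way to do both things the post asks for, as an added example that is not part of the original post and not taken from vsftpd's own documentation: an iptables rule set that limits new port-80 connections per source IP automatically (so nobody has to be at home to ban addresses by hand) and that accepts port 21 only from the LAN, followed by the vsftpd-side equivalent. The directives quoted in the post (AuthName, Order, Deny from, Satisfy) are Apache httpd directives; vsftpd does not read them. Its own mechanism for host-based access control is tcp_wrappers (tcp_wrappers=YES in vsftpd.conf, lists in /etc/hosts.allow and /etc/hosts.deny). Assumptions in the script: 192.168.1.0/24 stands in for the post's elided "my LAN IP", the 15-per-second threshold is the one from the post, and iptables has the state and hashlimit matches available. Without APPLY=1 the script only prints the commands so they can be reviewed first.

```shell
#!/bin/sh
# Added example, not from the original post. Placeholders / assumptions:
# the LAN is 192.168.1.0/24 (the post's "my LAN IP"), iptables supports the
# state and hashlimit matches, and vsftpd was built with tcp_wrappers support
# (distribution packages normally are). Nothing is loaded unless APPLY=1.

LAN_NET="${LAN_NET:-192.168.1.0/24}"                    # assumed LAN subnet, CIDR form for iptables
LAN_WRAPPERS="${LAN_WRAPPERS:-192.168.1.0/255.255.255.0}" # same subnet in the net/mask form hosts.allow expects
HTTP_RATE="${HTTP_RATE:-15/sec}"   # the post's threshold: 15 new connections per second per source IP
HTTP_BURST="${HTTP_BURST:-15}"     # allowance before the per-source limit engages

# Emit the firewall rules as text. iptables walks INPUT top to bottom, so the
# accepts for wanted traffic come before the catch-all DROPs; the INPUT policy
# can stay ACCEPT as it is on the poster's box.
build_rules() {
    cat <<EOF
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -s $LAN_NET -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j DROP
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m hashlimit --hashlimit-name http_src --hashlimit-mode srcip --hashlimit-upto $HTTP_RATE --hashlimit-burst $HTTP_BURST -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j DROP
EOF
}

# Print the rules, or execute them when APPLY=1.
apply_rules() {
    build_rules | while IFS= read -r cmd; do
        if [ "${APPLY:-0}" = "1" ]; then
            echo "+ $cmd"
            eval "$cmd"
        else
            echo "$cmd"
        fi
    done
}

# vsftpd's own way to restrict clients: with tcp_wrappers=YES it consults
# /etc/hosts.allow and /etc/hosts.deny under the daemon name "vsftpd".
# Listing the LAN in hosts.allow and ALL in hosts.deny admits only the LAN.
vsftpd_lan_only() {
    cat <<EOF
# /etc/vsftpd.conf (or /etc/vsftpd/vsftpd.conf)
tcp_wrappers=YES
# /etc/hosts.allow
vsftpd: $LAN_WRAPPERS
# /etc/hosts.deny
vsftpd: ALL
EOF
}

apply_rules
echo
vsftpd_lan_only
```

Two things to keep in mind when using it. The hashlimit rule is a per-source token bucket, not a ban: a client that exceeds 15 new connections per second simply has its extra SYNs dropped until its rate falls back under the limit, and the rest of the server's clients are unaffected. Passive-mode FTP data connections are only matched by the ESTABLISHED,RELATED rule when the FTP connection-tracking helper is loaded (nf_conntrack_ftp, or ip_conntrack_ftp on older kernels), so load that module before relying on the port-21 rules alone.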