Okay, so I have a small VPN and I received an abuse report due to port scanning on a website. I wish to block the website entirely from ever being accessed again to prevent this problem.
How would I go about blocking the website?
I have tried a few things that don't seem to work so I made an account here, thank you.
host www.facebook.com
www.facebook.com is an alias for star.c10r.facebook.com.
star.c10r.facebook.com has address 31.13.71.1
star.c10r.facebook.com has IPv6 address 2a03:2880:f012:1:face:b00c:0:1
star.c10r.facebook.com mail is handled by 10 msgin.vvv.facebook.com.
Facebook itself actually has AS32934 which right now contains 45 IP ranges. That's not to say they use them all but it also doesn't say they won't ever. Also it doesn't take any distributed ^.*whatever.*$ networks usage into account. Some things are better blocked on multiple levels and including a filtering proxy.
Quote:
To drop all packets to the website, you can insert a rule like this, where x.x.x.x is the IP address returned by host.
Code:
host www.example.com
iptables -I INPUT 1 -d "x.x.x.x" -j DROP
Perhaps I misread, but I believe the OP is asking to prevent packets being sent to the address, not received.
While x.x.x.x wouldn't be able to connect to you, I think someone using the VPN could connect to website x and continue port scanning.
Code:
iptables -I OUTPUT 1 -d "x.x.x.x" -j REJECT
It may serve to reject the packet as well, to let the user know that this behaviour is being restricted (or at least know that it's blocked).
Additionally, the OP says the abuse report was from a port scan; is there any reason to not just reject all traffic to any ports except 443, 80 for this website?
It's a little more complicated but I wouldn't want to be claimed for censorship for the other users (just a thought).
If it's a complex site and uses more ports, this probably won't work, but for a simple site it could.
If blocking at a firewall for a LAN, then the rule should go in the FORWARDING chain. Also add it to the OUTPUT chain to block packets from the local machine.
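The OUTPUT and FORWARD blocking described in the posts above, as an added example that is not from any poster in this thread: it prints, rather than applies, a REJECT rule per chain for each address of a site, using ip6tables for IPv6 addresses. The function names are hypothetical, and the sample addresses are the ones from the host output earlier in the thread.

```shell
#!/bin/sh
# Added example: generate (do not apply) rules that reject traffic to a site
# from this machine (OUTPUT) and from routed VPN clients (FORWARD).

# Resolve a hostname to its unique IPv4/IPv6 addresses via the system resolver.
resolve_addrs() {
    getent ahosts "$1" | awk '{print $1}' | sort -u
}

# Print one rule per chain for every address passed as an argument.
gen_block_rules() {
    for addr in "$@"; do
        # The output is meant to be reviewed and then run by a shell, so
        # refuse anything that is not made of plain address characters.
        case "$addr" in
            ''|*[!0-9A-Fa-f.:]*)
                echo "skipping invalid address: $addr" >&2
                continue ;;
        esac
        # Addresses containing ':' are IPv6 and need ip6tables.
        case "$addr" in
            *:*) tool=ip6tables ;;
            *)   tool=iptables ;;
        esac
        for chain in OUTPUT FORWARD; do
            printf '%s -I %s 1 -d %s -j REJECT\n' "$tool" "$chain" "$addr"
        done
    done
}

# Sample run with the addresses shown in the host output in this thread.
# Live use, as root, after reviewing what is printed:
#   gen_block_rules $(resolve_addrs www.example.com) | sh
gen_block_rules 31.13.71.1 2a03:2880:f012:1:face:b00c:0:1
```

Because a site's addresses change and large sites use many ranges, as noted earlier in the thread, the rules have to be regenerated when the DNS answers change.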
Although you inquired about an iptables based block, you may open /etc/hosts file in your favorite text editor as root and redirect the domain name to a non-existent IP address or (if you are particularly evil) redirect the domain to the IP address of a different server that you may or may not have complete control over.