LinuxQuestions.org


seamore 10-15-2020 12:02 PM

Blocking an IP after multiple attempts
 
Recently, in reviewing the HTTP access log, I discovered a hack attempt where a script was trying to access random xxx.php files that do not exist on my server. There were up to 4 attempts per second.

I realize that it is not very effective to block an IP because many times hackers use a proxy server.

Is it possible to configure or write a script that would temporarily block an IP address for, say, an hour if there are HTTP requests coming in a second or less apart?

Turbocapitalist 10-15-2020 12:06 PM

You can write an NFtables rule for that or, with legacy tools, make one in IPtables instead.

But first you might look at both SSHguard and Fail2ban. Those are quite tunable and already do much of what you ask.

seamore 10-15-2020 12:17 PM

Great!
Will look into the apps you suggest.
Thanks

tshikose 10-15-2020 02:49 PM

Hi,

I use fail2ban exactly for that.
So, I do accept that this affects legitimate and good users who share a proxy with a rogue user.
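
The detection step discussed in this thread, as an added example that is not code from any poster or from Fail2ban: it scans access-log lines for rapid 404s on `.php` paths and returns which IPs to block and until when. The thresholds, the function name `find_bans` and the sample log are assumptions constructed for illustration; the one-hour ban comes from the question.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx common or combined log format:
# ip - - [time] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?:GET|POST|HEAD) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

MAX_HITS = 4                     # assumed threshold: this many .php 404s ...
WINDOW = timedelta(seconds=2)    # ... inside this sliding window (assumed)
BAN_TIME = timedelta(hours=1)    # the one-hour block asked about in the thread

def find_bans(lines, max_hits=MAX_HITS, window=WINDOW, ban_time=BAN_TIME):
    """Return {ip: ban_expiry} for clients probing nonexistent .php files."""
    recent = defaultdict(deque)  # ip -> timestamps of its recent .php 404s
    bans = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue             # skip malformed lines instead of crashing
        path = m["path"].split("?", 1)[0]
        if m["status"] != "404" or not path.lower().endswith(".php"):
            continue             # only misses on .php count as probes
        ip = m["ip"]
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if ip in bans and ts < bans[ip]:
            continue             # ban still active; nothing new to decide
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > window:
            hits.popleft()       # drop hits that fell out of the window
        if len(hits) >= max_hits:
            bans[ip] = ts + ban_time
            hits.clear()
    return bans

# Constructed sample log: documentation IP ranges and made-up paths.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Oct/2020:11:40:01 -0500] "GET /qwe.php HTTP/1.1" 404 196 "-" "-"
198.51.100.20 - - [15/Oct/2020:11:40:01 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "-"
203.0.113.7 - - [15/Oct/2020:11:40:01 -0500] "GET /asd.php?x=1 HTTP/1.1" 404 196 "-" "-"
203.0.113.7 - - [15/Oct/2020:11:40:01 -0500] "GET /zxc.php HTTP/1.1" 404 196 "-" "-"
198.51.100.20 - - [15/Oct/2020:11:40:02 -0500] "GET /old.php HTTP/1.1" 404 196 "-" "-"
203.0.113.7 - - [15/Oct/2020:11:40:02 -0500] "GET /rty.php HTTP/1.1" 404 196 "-" "-"
198.51.100.20 - - [15/Oct/2020:11:40:03 -0500] "GET /favicon.ico HTTP/1.1" 404 196 "-" "-"
""".splitlines()

if __name__ == "__main__":
    for ip, until in find_bans(SAMPLE_LOG).items():
        print(f"block {ip} until {until.isoformat()}")
```

Counting only 404s on `.php` paths, rather than every request, keeps a normal page load with many asset requests in the same second from triggering a ban.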


All times are GMT -5.