Source: LinuxQuestions.org, Linux - Server forum, https://www.linuxquestions.org/questions/linux-server-73/how-to-block-a-single-ipaddress-using-tcp-wrappers-4175416374/

LittleMaster 07-12-2012 12:29 PM

How to block a single ipaddress using TCP Wrappers
Dear All,
Today I found in my Apache logs that my server was flooded by a single IP address in access.log. I could see that my server keeps on accessing the remote server, and the accessed URLs are being reflected in my server's access log. Any suggestion on how the accessed URLs of the remote server reflect in my server's Apache access log?

http://clientip/~admin/a-poster/proxy.php HTTP/1.1" -- It shows my server IP address.


Thus I tried blocking the server IP address using TCP Wrappers:

vi /etc/hosts.deny

ALL:REMOTE IPADDRESS


But I could find the server IP address in my Apache access.log.
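Editor's note, not part of LittleMaster's post: TCP Wrappers (`/etc/hosts.deny`) is consulted only by services linked against libwrap or started through tcpd/xinetd. Apache httpd is neither, so a hosts.deny entry never affects it and the requests keep arriving and keep being logged. A logged request line that carries a full `http://host/...` URL is a forward-proxy style request as the client sent it; Apache writes the request line exactly as received. The script below is an added example (not code from the thread) that summarises an access.log in combined format by client IP and lists the clients that sent such absolute-URI requests, so the address to block can be confirmed from the log before any firewall rule is added. The log lines, and the addresses 203.0.113.7 and 192.0.2.9, are constructed sample data.

```shell
#!/bin/sh
# Added example, not code from the thread: summarise an Apache access.log
# (combined format) by client IP and flag proxy-style request lines.
# SAMPLE_LOG is constructed data; 203.0.113.7 and 192.0.2.9 are
# documentation-range addresses, not real hosts.

SAMPLE_LOG='203.0.113.7 - - [12/Jul/2012:10:01:02 -0500] "GET http://example.net/~admin/a-poster/proxy.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jul/2012:10:01:03 -0500] "GET http://example.net/~admin/a-poster/proxy.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Jul/2012:10:01:04 -0500] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.22"
203.0.113.7 - - [12/Jul/2012:10:01:05 -0500] "GET http://example.net/~admin/a-poster/proxy.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"'

# top_client: reads log lines on stdin, prints "count ip" for the busiest client
top_client() {
    awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' | sort -rn | head -n 1
}

# proxy_clients: reads log lines on stdin, prints each client IP that sent a
# request line whose target is an absolute URL (field 7 in the combined format),
# i.e. the client asked this server to act as a forward proxy
proxy_clients() {
    awk '$7 ~ /^https?:\/\// { print $1 }' | sort -u
}

# requests_from IP: reads log lines on stdin, prints how many came from IP
requests_from() {
    awk -v ip="$1" '$1 == ip { c++ } END { print c + 0 }'
}

# Usage: sh summarise_log.sh /var/log/apache2/access.log  (or httpd/access_log)
# With no argument the constructed sample above is used.
if [ $# -ge 1 ]; then
    LOG_INPUT=$(cat "$1")
else
    LOG_INPUT=$SAMPLE_LOG
fi
echo "busiest client: $(printf '%s\n' "$LOG_INPUT" | top_client)"
echo "proxy-style requests from: $(printf '%s\n' "$LOG_INPUT" | proxy_clients | tr '\n' ' ')"
```

On the sample data the busiest client is 203.0.113.7 with 3 requests, and it is also the only client sending absolute-URI requests; on a real log, run it against the live access.log and use the reported address in the firewall rule rather than in hosts.deny.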

Kustom42 07-12-2012 12:34 PM

Forget Apache, you don't want the connection to get to your application layer if it's a security issue. You would want to block this on the OS or network layer.

For iptables, here ya go:

Code:

iptables -A INPUT -s 202.54.20.22 -j DROP
iptables -A OUTPUT -d 202.54.20.22 -j DROP

Just run those commands as root, replace 202.54.20.22 with the IP, and BAM!

The good thing about this is that it's a drop rule, different from a reject rule in that your server sends no response at all to the originating connection; a reject will send a response back telling them it's rejected. This indicates to the remote attacker that the server is still up, and they keep trying to get in. If it's a drop, they get no responses; the connection just times out as if the IP of your server had changed or the server itself is down.
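An added example (editor's, not Kustom42's commands) that wraps the two iptables rules above in a small POSIX sh script: it validates the address before touching the firewall, uses `-C` (check) so running it twice does not add duplicate rules, and inserts the DROP at position 1 of the chain so that an earlier ACCEPT rule (for example one matching ESTABLISHED traffic) cannot shadow it, which can happen to an appended `-A` rule. `DRY_RUN` is an assumption of this script only, not an iptables option.

```shell
#!/bin/sh
# Added example, not code from the thread: block one IPv4 address with
# iptables DROP rules, validating the address first and not adding a rule
# that is already present. Run as root. DRY_RUN is an assumed knob for
# this script only: DRY_RUN=1 prints the iptables commands instead of
# running them.

# valid_ipv4 ADDR: succeeds only for a dotted quad with each octet 0-255
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# run_ipt ARGS...: run iptables, or print the command under DRY_RUN=1
run_ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# ensure_rule CHAIN RULE...: insert RULE at the top of CHAIN unless it exists.
# -C (check) needs iptables 1.4.11 or newer; -I CHAIN 1 puts the rule first
# so an earlier ACCEPT cannot shadow it, as could happen to an appended rule.
ensure_rule() {
    chain="$1"; shift
    if [ "${DRY_RUN:-0}" != "1" ] && iptables -C "$chain" "$@" 2>/dev/null; then
        echo "rule already present in $chain: $*"
        return 0
    fi
    run_ipt -I "$chain" 1 "$@"
}

# block_ip ADDR: drop packets from ADDR (INPUT) and to ADDR (OUTPUT);
# returns 2 without touching the firewall if ADDR is not a valid IPv4 address
block_ip() {
    addr="$1"
    if ! valid_ipv4 "$addr"; then
        echo "refusing to add a rule for invalid address: '$addr'" >&2
        return 2
    fi
    ensure_rule INPUT -s "$addr" -j DROP
    ensure_rule OUTPUT -d "$addr" -j DROP
}

# Usage: DRY_RUN=1 sh block_ip.sh 202.54.20.22   (preview the commands)
#        sh block_ip.sh 202.54.20.22             (apply, as root)
[ $# -eq 1 ] && block_ip "$1"
```

Two things the one-liners above leave out: rules added at runtime live only in the running kernel and are gone after a reboot, so save them with `iptables-save` into whatever file your distribution restores at boot; and this script handles IPv4 only, so a host reachable over IPv6 needs the same rules through ip6tables.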

Kustom42 07-12-2012 03:27 PM

Just a follow-up: when I am referring to layers, I am referring to the OSI Model: http://www.webopedia.com/quick_ref/OSI_Layers.asp


The lower down in the layers you get, the more you are isolating your system/application. So if you prevent it on layer 1, the physical layer, with a hardware firewall that is outside your internal network, it would be the most advised solution. The OSI model is something good to look over if you've never heard of it.

