How to block an IP in Linux
I run Debian on my server, and I often find that my server is being attacked by other computers. Brute force SSH attacks, viruses scanning for the ability to spread, things like that. I’ll go into the SSH brute force defenses in a later post, but for now I’ll cover how to easily block an IP address.
First, I'll assume you are already using iptables. If you need help setting that up, use Google; Debian comes with it out of the box.
I have a small script called “block” which looks like this:
#!/bin/bash
# Usage: block <ip-address>
# Insert a rule at the top of the INPUT chain that drops everything from $1,
# then save the running ruleset so it survives a reboot.
sudo iptables -I INPUT -s "$1" -j DROP
sudo bash -c "iptables-save > /etc/network/iptables.save"
Whenever I find a “bad” IP in my logs or notifications, I just run:
block bad.ip.add.18
Substituting the bad IP for that nonsense above. This adds it to the list of IP addresses from which iptables will simply drop any incoming packets, and saves the in-memory iptables configuration so that it is preserved through reboots.
Then in your /etc/network/interfaces file, just add this at the bottom:
post-up iptables-restore /etc/network/iptables.save
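A hardened version of the block script, added here as an example (it is not the post's own code). It assumes the same save path as above, and adds argument validation (so a malformed argument cannot become a bad rule), a check with iptables -C so re-running it does not stack duplicate rules, a syslog entry via logger, and an unblock option; the script name block.sh is hypothetical.

```shell
#!/bin/bash
# block.sh (hypothetical name): hardened variant of the "block" script.
# Assumes iptables/iptables-save are installed, the caller can sudo, and the
# saved ruleset lives at /etc/network/iptables.save as in the post.
set -u

SAVE_FILE=/etc/network/iptables.save

# valid_ipv4 ADDR: return 0 if ADDR is a dotted-quad IPv4 address with an
# optional /0-32 prefix, else 1. Anything else (spaces, "-j", hostnames)
# is rejected so it can never be spliced into the iptables command line.
valid_ipv4() {
    local addr=$1 ip prefix octet
    case $addr in */*) ip=${addr%%/*}; prefix=${addr#*/} ;; *) ip=$addr; prefix=32 ;; esac
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    local IFS=.
    set -- $ip                       # split on dots only
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# block_ip ADDR: insert the DROP rule once, persist it, and log the action.
block_ip() {
    local addr=$1
    valid_ipv4 "$addr" || { echo "block: '$addr' is not an IPv4 address" >&2; return 2; }
    if sudo iptables -C INPUT -s "$addr" -j DROP 2>/dev/null; then
        echo "block: $addr is already blocked"; return 0
    fi
    sudo iptables -I INPUT -s "$addr" -j DROP || return 1
    sudo sh -c "iptables-save > $SAVE_FILE"
    logger -t block "dropped inbound traffic from $addr"
}

# unblock_ip ADDR: remove the rule again and re-save the ruleset.
unblock_ip() {
    valid_ipv4 "$1" || return 2
    sudo iptables -D INPUT -s "$1" -j DROP && sudo sh -c "iptables-save > $SAVE_FILE"
}

# Only act when called with arguments: "block.sh ADDR" or "block.sh -d ADDR".
if [ $# -gt 0 ]; then
    case $1 in -d) unblock_ip "$2" ;; *) block_ip "$1" ;; esac
fi
```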
You can get country IP blocks freely and use in your firewall as well.
Apparently you can also do something like:
ip ro add blackhole 87.106.97.229
How would you go about adding these blocks to a separate log file? Say /var/log/iptables.log.
Thanks.
If you use this method all of the blocked IPs end up in this file: /etc/network/iptables.save so you can easily see them. If you’re asking more generally how to get firewall/iptables log entries segregated into their own log then I recommend using syslog-ng and setting things up a bit like this:
...
destination firewall { file("/var/log/firewall.log"); };
...
filter f_firewall { match("Firewall"); };
...
filter f_kernel { facility(kern) and not filter(f_firewall); };
...
log {
    source(s_sys);
    filter(f_firewall);
    destination(firewall);
};
Thanks for the quick reply!
Sorry, I was reading many of your articles and ended up posting that comment on the wrong article; it was meant for “Using IPTables to Prevent SSH Brute Force Attacks”.
Please delete it if you wish, I’ll repost in the correct one if that is Ok.
Thanks again.