How to block an IP in Linux

I run Debian on my server, and I often find that my server is being attacked by other computers. Brute force SSH attacks, viruses scanning for the ability to spread, things like that. I’ll go into the SSH brute force defenses in a later post, but for now I’ll cover how to easily block an IP address.

First, I’ll assume you are already using iptables. If you need help setting that up, use Google; Debian comes with it out of the box.

I have a small script called “block” which looks like this:
#!/bin/bash
# usage: block <ip-address>
# insert a rule at the top of the INPUT chain that drops everything from $1
sudo iptables -I INPUT -s "$1" -j DROP
# dump the complete in-memory ruleset so it can be restored after a reboot
sudo bash -c "iptables-save > /etc/network/iptables.save"

Whenever I find a “bad” IP in my logs or notifications, I just run:

block bad.ip.add.18

Substitute the bad IP for that nonsense above. This adds the address to the list of IP addresses from which iptables will simply drop any incoming packets, and saves the in-memory iptables configuration to a file so that it is preserved across reboots.

Then in your /etc/network/interfaces file, just add this at the bottom:

post-up iptables-restore /etc/network/iptables.save
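
The following is an added example, not the script from this post: a version of the "block" helper that checks its argument before touching iptables (an invalid address such as 13.0.782.220 is rejected with a clear message instead of an iptables error), skips the insert when an identical DROP rule is already in place, and then saves the full ruleset to the same file the post uses. The names SAVE_FILE, DRY_RUN, valid_ipv4 and block_ip are chosen here; it assumes iptables and iptables-save are installed and that the caller can use sudo. With DRY_RUN=1 it only prints the commands it would run, which is how you can try it without root.

```shell
#!/bin/bash
# Added example of a hardened "block" helper (not the post's own script).
# Assumptions: iptables/iptables-save installed, sudo available, and the
# save file path from the post. Set DRY_RUN=1 to print instead of execute.

SAVE_FILE="${SAVE_FILE:-/etc/network/iptables.save}"

# valid_ipv4 ADDR: succeed only if ADDR is a plain dotted quad with each
# octet in 0-255 (no CIDR suffix). This is the check that would have caught
# the "host/network not found" error reported in the comments.
valid_ipv4() {
    local ip octet n
    ip=$1
    case "$ip" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, odd chars, bad dots
    esac
    n=0
    local IFS='.'
    for octet in $ip; do
        n=$((n + 1))
        [ "$octet" -le 255 ] || return 1
    done
    [ "$n" -eq 4 ]
}

# block_ip ADDR: insert a DROP rule for ADDR at the top of INPUT (the post
# uses -I for the same reason: it must win over any later ACCEPT rules),
# unless an identical rule already exists, then persist the ruleset.
block_ip() {
    local ip
    ip=$1
    if ! valid_ipv4 "$ip"; then
        printf 'block: "%s" is not a valid IPv4 address\n' "$ip" >&2
        return 2
    fi
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
        printf 'iptables-save > %s\n' "$SAVE_FILE"
        return 0
    fi
    # "iptables -C" tests whether the exact rule is present; only insert when
    # it is absent so running the helper twice does not stack duplicates.
    if ! sudo iptables -C INPUT -s "$ip" -j DROP 2>/dev/null; then
        sudo iptables -I INPUT -s "$ip" -j DROP || return 1
    fi
    # iptables-save emits the whole ruleset, so overwriting (>) is correct:
    # the save file is a snapshot of every rule, not a list to append to.
    sudo sh -c "iptables-save > '$SAVE_FILE'"
}

# When run as a command (block <ip>), block that single address.
if [ "$#" -eq 1 ]; then
    block_ip "$1"
fi
```

Install it as before (copy to a directory on your PATH and chmod +x it); `DRY_RUN=1 block 192.0.2.18` shows the two commands it would run, and `block 13.0.782.220` now fails with a message instead of an iptables parse error.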

Comments

21 responses to “How to block an IP in Linux”

  1. IP Guy Avatar

    You can get country IP blocks freely and use in your firewall as well.

  2. […] also recommend using the script in my post on blocking IP addresses using iptables to deal with any persistent folks, or people poking too hard on your web site, or other […]

  3. rhalff Avatar
    rhalff

    Apparently you can also do something like:

    ip ro add blackhole 87.106.97.229

  4. jd Avatar
    jd

    How would you go about adding these blocks to a separate log file? Say /var/log/iptables.log.

    Thanks.

    1. Devon Avatar

      If you use this method all of the blocked IPs end up in this file: /etc/network/iptables.save so you can easily see them. If you’re asking more generally how to get firewall/iptables log entries segregated into their own log then I recommend using syslog-ng and setting things up a bit like this:

      .....
      destination firewall { file("/var/log/firewall.log"); };
      ......
      filter f_firewall { match("Firewall"); };
      ......
      filter f_kernel { facility(kern) and not filter(f_firewall); };
      ......
      log {
      source(s_sys);
      filter(f_firewall);
      destination(firewall);
      };
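
Since, as the reply above says, every address blocked this way ends up in /etc/network/iptables.save, reviewing that file is the quickest way to audit what the server currently drops. The following is an added example, not code from the post or the commenters: a small shell function that reads an iptables-save dump and prints one dropped source address per INPUT rule. SAMPLE_RULES is a constructed snapshot used only so the example runs offline; list_dropped_sources and count_dropped_sources are names chosen here.

```shell
#!/bin/sh
# Added example (not from the post or its comments): extract the source
# addresses that a saved ruleset drops in INPUT. SAMPLE_RULES is a
# constructed iptables-save dump so the example runs without root.

SAMPLE_RULES='# Generated by iptables-save v1.4.8 (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 192.0.2.18/32 -j DROP
-A INPUT -s 198.51.100.7/32 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 203.0.113.0/24 -j DROP
COMMIT
# Completed'

# list_dropped_sources: read an iptables-save dump on stdin and print the
# source of every "-A INPUT ... -s X ... -j DROP" rule, one per line, in
# the order iptables-restore will load them. The /32 that iptables-save
# appends to single hosts is stripped; other prefixes are kept as-is.
list_dropped_sources() {
    awk '
        $1 == "-A" && $2 == "INPUT" {
            src = ""; target = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-s") src = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            if (src != "" && target == "DROP") {
                sub(/\/32$/, "", src)
                print src
            }
        }'
}

# count_dropped_sources: number of such rules in the dump on stdin.
count_dropped_sources() {
    list_dropped_sources | wc -l | tr -d ' '
}

# Usage: ./list-blocked /etc/network/iptables.save
# (without an argument the constructed sample is used).
if [ -n "${1:-}" ] && [ -r "$1" ]; then
    list_dropped_sources < "$1"
else
    printf '%s\n' "$SAMPLE_RULES" | list_dropped_sources
fi
```

Run it against the real save file (sudo may be needed to read it) to get the current block list; diffing two runs taken a day apart is a simple way to see what was added.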

  5. JD Avatar
    JD

    Thanks for the quick reply!
    Sorry, I was reading many of your articles and ended up posting that comment on the wrong article; it was meant for “Using IPTables to Prevent SSH Brute Force Attacks”.

    Please delete it if you wish, I’ll repost in the correct one if that is Ok.

    Thanks again.

  6. Qoalu Avatar

    Hallo,

    I created a file in /home called block, ran it with “block X.X.X.X” and “./block X.X.X.X”. Neither works. What am I doing wrong?

    Let’s say I add the ip manually to the /etc/network/interfaces like this:

    iptables -A INPUT -s X.X.X.X -j DROP

    When will the directive activate, do I need to restart the interfaces?

    Regards, Qoalu.

    1. Devon Avatar

      Qoalu,

      you created the “block” file and its contents are the shell script at the top of this post? Are you sure it’s not working? The iptables commands should take effect immediately when called manually or via my script above. If you add the iptables command to the interfaces file you will need to bounce the interface, or you can just run the command yourself manually.

      Devon

      1. Wolf Halton Avatar

        chmod +x
        to make it executable?

  7. Richard Avatar
    Richard

    Qoalu,

    If you have not already figured this out, ensure that you made the script executable: chmod 755 ./block

  8. Richard Avatar

    Works for me. Just what I was looking for.

  9. Mark Avatar
    Mark

    Just wanted to add that on RedHat based systems, you can do that last little bit of saving the configuration for use on reboot just using the init scripts, i.e.

    /etc/init.d/iptables save

    which will save the current configuration to the file /etc/sysconfig/iptables, which is always used to restore on reboot.

    i.e. the block script would be (either run as root or with a sudo command):

    #!/bin/bash
    iptables -I INPUT -s $1 -j DROP
    /etc/init.d/iptables save

    and then there is no need to do the equivalent of the line in the /etc/network/interfaces file (which doesn’t exist in RedHat based systems).

  10. Ryan Avatar

    Running the script in Debian Squeeze results in this:

    iptables v1.4.8: host/network `13.0.782.220' not found
    Try `iptables -h' or 'iptables --help' for more information.

    1. Devon Avatar

      Ryan,

      that’s not a valid IP address… The .782. part must be wrong, the maximum value of any of the quartets is 255.

  11. Wolf Halton Avatar

    script needs >> (append) instead of > (redirect)
    The way you have it written, it will overwrite the iptables.save file every time you use block.

  12. Ed Avatar

    Thank you for such a nice tutorial.

    I just wrote a different kind of tutorial on how to set up Arno IPTABLES firewall, which of course allows to block IPs.
    Maybe it may help someone to set up his own firewall based on IPTABLES.
    You can find some examples for a mail server and for a Proxy server using SNAT and port forwarding.
    The location of my tutorial is here:

    http://cosmolinux.no-ip.org/raconetlinux2/arno_iptables_firewall.html

    I hope it is useful to someone.

  13. Rob Avatar
    Rob

    Nice script! I added a little command just to instantaneously kill the connection from the host that’s going to be blocked. The tool is called “cutter” and is easy to use, just give the hostname or an IP address as argument.

  14. […] source : How to block an IP in Linux […]

  15. Zane Avatar

    Thank you for this article, I really had some problems with some guys who were trying to connect to my root by bruteforce. This really saved my day :)

  16. zee Avatar
    zee

    Thanks for the great script, saved my day as well.
