ocsurf

asked on

Ban Ip dynamically

I'm trying to find a way to ban IP addresses dynamically. After an attempted XSS attack I would like to ban the user from accessing the site. Anybody have any ideas? Thanks

Info :
Fedora, PHP 5, MySQL 5.0.27
caterham_www

When you say "dynamically" do you mean automatically ban IP addresses that try to access a specific URL? Or do you mean banning that specific IP address?

Either way you can create a script that adds an iptables rule to ignore anything from the IP address. The difference would be how you call the script: in scenario 1 you would call it from a system startup script, and in the second one you could have a PHP script on that URL that calls the script to ban the IP address completely.

Blocking at the IP level makes sure that no traffic from that IP address will ever be seen by higher level applications such as Apache etc., and to the attacker it will appear as if your server has disappeared completely.

For example, for blocking all traffic from IP address 1.2.3.4, the command could be:

iptables -I INPUT -s 1.2.3.4 -j DROP

This would instruct the kernel to drop any IP packets from 1.2.3.4 as soon as they are received.

If you want to learn more about iptables you can start here:
http://www.netfilter.org/documentation/index.html#documentation-faq
What's wrong with .htaccess in the root directory?

#block all server access
order allow,deny
deny from 84.19.167.33
deny from 67.191.101.220
allow from all
ocsurf

ASKER

Example :

I'm using php-ids.org to detect any attacks. It stops the attack but doesn't ban the IP address. I have to manually use iptables.

I like ThomasHorsten's idea and have to read more about mod_security.
ASKER CERTIFIED SOLUTION
ThomasHorsten
