Linux, Unix, and *nix like Operating Systems Forum

    
IPtables correct usage help
willeffects (5+ Year Member)
Msg#: 3586938 posted 11:17 am on Feb 28, 2008 (gmt 0)

Hello Group,

Every night from around 8pm to 5am PST I get slammed from the Asia Pacific network with site rippers, spam bots, and spam mailers. A lot of the time this causes my server to run out of memory and eventually start shutting down its own services and forces me to reboot it. Right now, whenever I see my load go up I am running this script:

netstat -a -n | grep :80 | cut -d : -f2 | awk '{print $2}' | sort | uniq -c | sort -n

99% of the time if an IP has more than 100 active connections it is from Asia Pacific, and when I drop it with iptables things go back to normal.

I am using the following syntax:
iptables -I INPUT -s 193.61.107.151 -j DROP

Though tonight I noticed that some IPs seem to stay in the connection list and their number of connections went up even an hour or so after I added them to iptables. I even tried running the command again a few times and kept seeing some of the bad IPs.

I am not a sysadmin and more or less a Linux newbie. If anyone could please verify that I am using iptables correctly and/or have any suggestions for me, I'd greatly appreciate it.

Thanks,
Will

 

mcavic (WebmasterWorld Senior Member, 10+ Year Member)
Msg#: 3586938 posted 11:59 pm on Feb 28, 2008 (gmt 0)

I tried the command on my machine, and it worked fine. The existing connections will stay open for a while unless you restart Apache (but iptables should block the inbound traffic).

I don't know why it would continue to allow new connections, though. Are you sure that iptables is running? Adding the rule doesn't automatically start it.
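
The quickest way to settle "is the rule actually in place and matching" is to list the chain with counters: iptables -L INPUT -n -v --line-numbers (add -x for exact counts). An `iptables -I` takes effect in the running kernel the moment it returns, whatever the distro init script reports, but it is gone after a reboot unless saved with iptables-save (or the distro's `service iptables save`). The script below is an added example, not code from the thread or from iptables: it parses that listing and reports whether a DROP for an address exists, where it sits, whether its packet counter has moved, and which earlier ACCEPT rules could match the traffic first. The two listings are constructed samples.

```python
"""Parse `iptables -L INPUT -n -v --line-numbers` output and check a DROP rule.
Added example; the listings below are constructed, not captured from a live host."""
import ipaddress

# Constructed: the chain right after `iptables -I INPUT -s 193.61.107.151 -j DROP`.
LISTING_OK = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      812 48720 DROP       all  --  *      *       193.61.107.151       0.0.0.0/0
2     9001  540K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
3     120K   96M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
"""

# Constructed: the same rule added with -A instead of -I, so it sits below the
# port-80 ACCEPT and its counter never moves.
LISTING_SHADOWED = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     9001  540K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2     120K   96M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
3        0     0 DROP       all  --  *      *       193.61.107.151       0.0.0.0/0
"""


def _counter(text):
    """iptables -v abbreviates counters (120K, 96M) unless -x is given; undo that."""
    scale = {"K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}
    if text[-1] in scale:
        return int(float(text[:-1]) * scale[text[-1]])
    return int(text)


def parse_chain(listing):
    """Turn the `-n -v --line-numbers` listing into dicts; header lines are skipped.
    Column order: num pkts bytes target prot opt in out source destination [matches]."""
    rules = []
    for line in listing.splitlines():
        f = line.split()
        if len(f) < 10 or not f[0].isdigit():
            continue
        rules.append({"num": int(f[0]), "pkts": _counter(f[1]), "target": f[3],
                      "prot": f[4], "in": f[6], "source": f[8],
                      "matches": " ".join(f[10:])})
    return rules


def _covers(source, addr):
    # A negated source ("!10.0.0.0/8") is treated as not covering the address.
    if source.startswith("!"):
        return False
    return addr in ipaddress.ip_network(source)


def drop_rule_status(listing, ip):
    """Is there a DROP for `ip`, at what position, has its packet counter moved,
    and which earlier ACCEPT rules (any interface, all/tcp) could match first?"""
    addr = ipaddress.ip_address(ip)
    rules = parse_chain(listing)
    for rule in rules:
        if rule["target"] != "DROP" or rule["source"].startswith("!"):
            continue
        if ipaddress.ip_network(rule["source"]) != ipaddress.ip_network(ip):
            continue
        shadowing = [r["num"] for r in rules
                     if r["num"] < rule["num"] and r["target"] == "ACCEPT"
                     and r["prot"] in ("all", "tcp") and r["in"] == "*"
                     and _covers(r["source"], addr)]
        return {"present": True, "position": rule["num"],
                "pkts": rule["pkts"], "shadowed_by": shadowing}
    return {"present": False, "position": None, "pkts": 0, "shadowed_by": []}


if __name__ == "__main__":
    for how, listing in (("inserted", LISTING_OK), ("appended", LISTING_SHADOWED)):
        print(how, drop_rule_status(listing, "193.61.107.151"))
```

A DROP whose pkts stays at 0 while the client keeps connecting is not matching: either it landed below an ACCEPT that fires first (the `-A` case above; `-I INPUT 1` avoids that), or the packets arrive from a different address than the one netstat shows. Connections that were ESTABLISHED before the rule was added do not vanish immediately either; the server keeps retransmitting to a client that can no longer answer until the TCP retry limit is reached.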

willeffects (5+ Year Member)
Msg#: 3586938 posted 2:54 am on Feb 29, 2008 (gmt 0)

Thanks for checking.

Yes, it is working. Perhaps there is some reason why some connections just appear to take longer to drop off? Does a restart of Apache on a live site cause problems with MySQL tables?

mcavic (WebmasterWorld Senior Member, 10+ Year Member)
Msg#: 3586938 posted 5:49 am on Feb 29, 2008 (gmt 0)

Restarting Apache shouldn't bother MySQL. At least, no more than rebooting the machine would. On second thought, though, I don't think it's necessary. Apache should drop the connections in less than a minute. After that, the connections will stay in the TIME_WAIT or FIN_WAIT state for an amount of time, maybe 5 minutes, depending on your kernel.

willeffects (5+ Year Member)
Msg#: 3586938 posted 7:56 am on Feb 29, 2008 (gmt 0)

Does anyone have any idea what a normal threshold of active connections *should* be? I know I've seen Googlebot with over 100 active connections sometimes, but it seems almost everything else over 75 is not legit.

I'm trying to figure out if there's some way I can automate this process, but I'm afraid of banning legit crawlers.

Any ideas?
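
The script below is an added example, not code from any of the posts. It reworks the netstat pipeline from the first post and adds the two safeguards this post asks for before anything is automated. It counts only connections that actually hold an Apache worker (ESTABLISHED and SYN_RECV); the TIME_WAIT and FIN_WAIT entries mentioned in the reply above are the kernel finishing old connections and should not count toward a ban threshold. It skips allowlisted networks, and it verifies a suspected crawler the way Google documents for Googlebot: the reverse DNS name must be in googlebot.com or google.com and a forward lookup of that name must return the same IP, so a spoofed User-Agent or a forged PTR record does not pass. The netstat sample and the stub DNS answers are constructed; the resolver functions are injectable so the whole thing runs offline, and the real defaults are the standard library's socket calls. It returns the iptables commands rather than running them.

```python
"""Threshold-based ban proposals with an allowlist and crawler verification.
Added example; the netstat excerpt and the DNS stubs are constructed."""
import ipaddress
import socket
from collections import Counter

# States in which a client is holding a worker right now.
LIVE_STATES = {"ESTABLISHED", "SYN_RECV"}

# Constructed excerpt of `netstat -an` on a web server whose address is 10.0.0.5.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             198.51.100.7:40001      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:40002      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:40003      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:40004      SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.9:51000       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.9:51001       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.9:51002       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.9:51003       TIME_WAIT
tcp        0      0 10.0.0.5:80             203.0.113.9:51004       TIME_WAIT
tcp        0      0 10.0.0.5:80             192.0.2.44:33000        ESTABLISHED
tcp        0      0 10.0.0.5:80             192.0.2.44:33001        TIME_WAIT
tcp        0      0 10.0.0.5:8080           192.0.2.99:60000        ESTABLISHED
tcp        0      0 10.0.0.5:22             192.0.2.44:33002        ESTABLISHED
"""


def count_live_connections(netstat_output, local_port=80):
    """Map remote IP -> number of live connections to local_port. Splitting on the
    last ':' keeps IPv6 literals intact and, unlike `grep :80`, ignores :8080."""
    counts = Counter()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        local, remote, state = fields[3], fields[4], fields[5]
        if local.rsplit(":", 1)[1] != str(local_port) or state not in LIVE_STATES:
            continue
        counts[remote.rsplit(":", 1)[0]] += 1
    return counts


def is_verified_crawler(ip, reverse_lookup=socket.gethostbyaddr,
                        forward_lookup=socket.gethostbyname_ex,
                        domains=("googlebot.com", "google.com")):
    """Reverse-then-forward DNS check: PTR in a trusted domain AND that name
    resolves back to the same address. Any resolver failure counts as unverified."""
    try:
        hostname = reverse_lookup(ip)[0]
        if not any(hostname == d or hostname.endswith("." + d) for d in domains):
            return False
        return ip in forward_lookup(hostname)[2]
    except OSError:
        return False


def propose_drops(netstat_output, threshold, allowlist=(),
                  reverse_lookup=socket.gethostbyaddr,
                  forward_lookup=socket.gethostbyname_ex):
    """iptables commands for every IP over the threshold that is neither
    allowlisted nor a verified crawler. Returned, not executed."""
    allowed = [ipaddress.ip_network(a) for a in allowlist]
    commands = []
    for ip, n in count_live_connections(netstat_output).most_common():
        if n <= threshold:
            break
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in allowed):
            continue
        if is_verified_crawler(ip, reverse_lookup, forward_lookup):
            continue
        # -I INPUT 1 puts the rule ahead of any ACCEPT that would match first.
        commands.append(f"iptables -I INPUT 1 -s {ip} -j DROP")
    return commands


# Constructed stub DNS answers: 198.51.100.7 has a PTR in googlebot.com that
# resolves back to it (genuine); 203.0.113.9 has a googlebot.com PTR that
# resolves to some other address (forged PTR, must not pass).
STUB_PTR = {"198.51.100.7": "crawl-198-51-100-7.googlebot.com",
            "203.0.113.9": "crawl-203-0-113-9.googlebot.com"}
STUB_A = {"crawl-198-51-100-7.googlebot.com": ["198.51.100.7"],
          "crawl-203-0-113-9.googlebot.com": ["192.0.2.250"]}


def stub_reverse(ip):
    if ip not in STUB_PTR:
        raise socket.herror(1, "Unknown host")
    return (STUB_PTR[ip], [], [ip])


def stub_forward(name):
    if name not in STUB_A:
        raise socket.gaierror(-2, "Name or service not known")
    return (name, [], STUB_A[name])


if __name__ == "__main__":
    for ip, n in count_live_connections(SAMPLE_NETSTAT).most_common():
        print(f"{n:4d}  {ip}")
    for cmd in propose_drops(SAMPLE_NETSTAT, threshold=2,
                             reverse_lookup=stub_reverse, forward_lookup=stub_forward):
        print(cmd)
```

On the sample, 198.51.100.7 has the most live connections but passes the DNS check and is left alone; 203.0.113.9 is over the threshold once its TIME_WAIT entries are discounted, fails the forward lookup, and gets the DROP. Pick the threshold from your own numbers rather than from the thread (the post above suggests legitimate crawlers can exceed 100), and feed the output of `netstat -an` to `count_live_connections` from cron with logging before letting anything run the commands unattended.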

willeffects (5+ Year Member)
Msg#: 3586938 posted 9:03 am on Mar 4, 2008 (gmt 0)

Does anyone see anything wrong with blocking these entire networks? I seem to get slammed by various IPs within them daily. I'm wondering if everyone else is as well?

#McColo Corporation
deny from 208.66.192.0/22

#RIPE Network Coordination Centre
deny from 80.0.0.0/8
deny from 81.0.0.0/8
deny from 82.0.0.0/8
deny from 83.0.0.0/8
deny from 84.0.0.0/8
deny from 85.0.0.0/8
deny from 86.0.0.0/8
deny from 87.0.0.0/8
deny from 88.0.0.0/8
deny from 89.0.0.0/8
deny from 90.0.0.0/8
deny from 91.0.0.0/8
deny from 193.0.0.0/8
deny from 194.0.0.0/8
deny from 195.0.0.0/8
deny from 212.0.0.0/8
deny from 213.0.0.0/8
deny from 217.0.0.0/8
deny from 217.174.203.41
deny from 218.0.0.0/8

#Latin American and Caribbean IP address Regional Registry
deny from 190.0.0.0/8
deny from 200.0.0.0/8
deny from 201.0.0.0/8

#Asia Pacific Network Information Centre
deny from 202.0.0.0/7
deny from 203.0.0.0/7
deny from 210.0.0.0/7
deny from 212.0.0.0/8
deny from 221.0.0.0/8
deny from 222.0.0.0/8

#Japan Network Information Center
deny from 133.0.0.0/8

#African Network Information Center
deny from 196.0.0.0/8

#Alexa Internet
deny from 209.237.237.0/24
deny from 209.237.238.0/24

#SevenTwentyfour Incorporated
deny from 209.167.50.16/28

#Cyveillance Inc.
deny from 63.148.99.224/27

#Performance Systems International Inc
deny from 38.112.0.0/13
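
Before dropping a list like this into an .htaccess, it is worth checking it structurally: the script below is an added example (not from the post, not part of Apache) that flags prefixes with host bits set, exact duplicates, and entries already inside a broader listed block, and totals how much address space the list denies. It says nothing about whether the registry labels in the comments are right. The excerpt it audits is constructed from the list above, keeping the entries a checker should catch: 203.0.0.0/7 is not on a /7 boundary (Apache's subnet matching masks the host bits off, so it is the same as the 202.0.0.0/7 line before it), 212.0.0.0/8 appears twice, and 217.174.203.41 is already inside 217.0.0.0/8.

```python
"""Structural audit of an Apache 'deny from' list. Added example; the excerpt
below is constructed from the list in the post above."""
import ipaddress

DENY_LIST = """\
#McColo Corporation
deny from 208.66.192.0/22
#RIPE Network Coordination Centre
deny from 212.0.0.0/8
deny from 217.0.0.0/8
deny from 217.174.203.41
#Asia Pacific Network Information Centre
deny from 202.0.0.0/7
deny from 203.0.0.0/7
deny from 212.0.0.0/8
"""


def parse_deny_list(text):
    """Return (line_no, raw_token, network) for each 'deny from' line.
    strict=False mirrors Apache: host bits beyond the prefix are masked off,
    and a bare address becomes a /32."""
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.strip().split()
        if len(parts) == 3 and parts[0] == "deny" and parts[1] == "from":
            entries.append((n, parts[2], ipaddress.ip_network(parts[2], strict=False)))
    return entries


def audit_deny_list(text):
    """Findings as (line_no, raw_token, message): prefixes with host bits set,
    exact duplicates, and entries already inside a broader listed block."""
    entries = parse_deny_list(text)
    findings = []
    first_seen = {}
    for n, raw, net in entries:
        if "/" in raw and str(net) != raw:
            findings.append((n, raw, f"host bits set; matches {net}"))
        if net in first_seen:
            findings.append((n, raw, f"duplicate of line {first_seen[net]}"))
        else:
            first_seen[net] = n
    for n, raw, net in entries:
        for m, _, other in entries:
            if m != n and net != other and net.subnet_of(other):
                findings.append((n, raw, f"already inside {other} (line {m})"))
                break
    return findings


def total_denied(text):
    """Number of distinct addresses the list denies after merging overlaps."""
    nets = [net for _, _, net in parse_deny_list(text)]
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))


if __name__ == "__main__":
    for n, raw, msg in audit_deny_list(DENY_LIST):
        print(f"line {n}: deny from {raw}: {msg}")
    print(f"{total_denied(DENY_LIST):,} addresses denied in total")
```

Even this short excerpt denies about 67 million addresses; every /8 in the full list is another 16.7 million. Registry-sized blocks cut off whole countries of ordinary users and any crawler that happens to live there, so a per-IP threshold with verification, as discussed earlier in the thread, is the less blunt instrument.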

© Webmaster World 1996-2014 all rights reserved