
A site on my server is being attacked using SQL injection. I block the IP from which it was attacked with the command:

# iptables -A INPUT -s ATTACK-IP-ADDRESS -j DROP

Can I review the activity of ATTACK-IP-ADDRESS now? I mean when and what HTTP requests came from this IP.

slava
    You have to be more specific. Exactly what activity are you looking for? SQL queries? That's in your SQL server logs. HTTP requests? Check your web server logs. Then grep the IP of the attacker. – slightly_toasted Jun 26 '20 at 13:59
  • @slightly_toasted, I just want to see HTTP requests from this blocked IP – slava Jun 26 '20 at 14:05
  • I provided a new answer. Please update your question as it is super vague and doesn't represent the answer you're actually looking for. – slightly_toasted Jun 26 '20 at 16:16

2 Answers


When you block an IP address in IPTables, you cannot monitor what kind of HTTP requests they make.

Their TCP handshake packets are dropped, which means that no request is sent to your server.

If you want to see what kind of traffic comes in, you need to forward traffic from a specific IP to special software that captures the traffic.

Or, you can configure your web application so that all requests coming from this IP address are handled in a special way.

I don't see much value in doing monitoring like this though.

Tero Kilkanen

You can use the -j LOG option on entries which you want to log.

So, in your example: iptables -A INPUT -s ATTACK-IP-ADDRESS -j LOG

On Ubuntu the logs will be stored in /var/log/kern.log

There are many options for logging in iptables, such as adding a prefix to the log lines or changing the file the logs are sent to.

Keep in mind that no HTTP request will have occurred from this IP if you block it and thus no activity will show up on your web/db server logs.

slightly_toasted
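The following is an added example, not code from either answer above, that ties the two together: LOG is a non-terminating target, so to both record and block the attacker you need a LOG rule followed by a DROP rule for the same source; and because the packet never gets past the firewall, the most you can recover afterwards is the timestamp, source address, protocol, destination port and TCP flags of each dropped packet, never the HTTP request line. The script prints the two rules in the right order (it does not run iptables itself) and parses constructed /var/log/kern.log lines in the rsyslog format Ubuntu uses. The prefix "BLOCKED-IP: ", the rate limit, the host name web1 and the addresses 203.0.113.7 / 198.51.100.5 are all assumptions chosen for the example.

```shell
#!/bin/sh
# Added example: log-then-drop iptables rules for one source address,
# plus a parser for the kernel log lines they produce. Nothing here
# calls iptables; blocked_ip_rules only prints the commands to run as root.

# Print the rules in the order they must be appended. -j LOG does not end
# rule evaluation, so the LOG rule has to come before the DROP rule;
# with the order reversed the packet is dropped before it is ever logged.
# -m limit keeps a flood from one host from filling /var/log/kern.log.
# The prefix is an assumed label used to grep the lines back out later.
blocked_ip_rules() {
    ip="$1"
    printf 'iptables -A INPUT -s %s -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "BLOCKED-IP: " --log-level 4\n' "$ip"
    printf 'iptables -A INPUT -s %s -j DROP\n' "$ip"
}

# Constructed sample of what rsyslog writes to /var/log/kern.log on Ubuntu
# for the rules above (TEST-NET addresses, made-up MAC and timestamps).
# The third line is an unrelated kernel message that must be ignored.
SAMPLE_KERN_LOG='Jun 26 14:05:11 web1 kernel: [123456.789012] BLOCKED-IP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=12345 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 26 14:05:12 web1 kernel: [123457.101112] BLOCKED-IP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=12346 DF PROTO=TCP SPT=51235 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 26 14:05:13 web1 kernel: [123458.000001] some unrelated kernel message
Jun 26 14:05:14 web1 kernel: [123459.222222] BLOCKED-IP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=12347 PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=1'

# Read log lines on stdin and print one summary line per packet that
# carries the given prefix: "<timestamp> <src> <proto> <dport|typeN> <tcp flags>".
# This is everything the firewall log can tell you about a dropped packet;
# the handshake never completes, so there is no URL, method or body to show.
blocked_ip_summary() {
    awk -v prefix="$1" '
        index($0, prefix) == 0 { next }
        {
            ts = $1 " " $2 " " $3
            src = "-"; proto = "-"; dpt = "-"; flags = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)        src = substr($i, 5)
                else if ($i ~ /^PROTO=/) proto = substr($i, 7)
                else if ($i ~ /^DPT=/)   dpt = substr($i, 5)
                else if ($i ~ /^TYPE=/)  dpt = "type" substr($i, 6)
                else if ($i == "SYN" || $i == "ACK" || $i == "FIN" || $i == "RST")
                    flags = flags $i ","
            }
            sub(/,$/, "", flags)
            if (flags == "") flags = "-"
            print ts, src, proto, dpt, flags
        }'
}

# Demo: rules for one attacker, then the summary of the constructed log.
blocked_ip_rules 203.0.113.7
printf '%s\n' "$SAMPLE_KERN_LOG" | blocked_ip_summary "BLOCKED-IP: "
```

On a real host the summary comes from the live log, for example `grep 'BLOCKED-IP:' /var/log/kern.log | blocked_ip_summary 'BLOCKED-IP: '` (or `journalctl -k` piped the same way). Repeated SYN lines to port 80 or 443 with no ACK tell you the attacker is still retrying, which is all a firewall-level log can show; the request content itself only exists in the web server's access log for traffic that arrived before the DROP rule was added.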