-2

I'm no expert in reading logs, so I posted some of my log today at another forum answered: DDOS Attack. This is what I've done so far:

  1. copied all sys logs, kern log , ufw log & auth log in one folder, merged them into one text file

  2. grep: grep -E "UFW" ~/merged.log > ~/filter_ufw_Block_lines.txt

  3. grep: grep -E -o "SRC=([0-9]{1,3}[\.]){3}[0-9]{1,3}" ~/filter_ufw_block_lines.txt > ~/Get_SRC_IP_Addresses.txt

  4. sort -u ~/Get_SRC_IP_Addresses.txt > ~/unique_SRC_IP.txt

Step 2 & 3 had 14,893 lines all with UFW block entries & step 4 had 1,967 lines i.e around 2000 ip addresses.

I was making a personal blog site, which is 7-8 days old, which had only one default wordpress page so far. I know its a normal thing to get server attacks but still I went into collecting details because I was learning a lot.

After unique attacking ip addresses are isolated, can we block them in a single go. And Can a dynamic list of such IP addresses be created which should be blocked by server. Is that possible ? Here are the two files unique_src_IP_addresses and portion_of_merged_log.

Community
  • 1
lawsome
  • 101
  • 1
  • 1
    Without any software *at all*? Sure, unplugging the machine or turning it off would work. Otherwise, some software would be involved. Check [this Q/A](https://serverfault.com/questions/583523/linux-command-to-prevent-dos-attack-by-using-netstat-and-iptables) for a possible solution. Collecting IPs won't work in the long run, as these are usually part of botnets and will change eventually. – dawud Jun 12 '16 at 20:38
  • 1
    If you go the route of blocking large numbers of ip-addresses and ip-ranges, don't overlook `ipset` as explained in an older [answer of mine](http://serverfault.com/a/714498/37681) – HBruijn Jun 12 '16 at 20:39

1 Answers1

3

Blocking IP Addresses dynamically without any software

First, your title makes no sense. Software must be involved in this. There's no way around that. Perhaps you meant "Any Additional Software"?

Next - if these IPs are already in your UFW block log, then why do you want to block them again? UFW has already blocked them?

Speaking frankly, you really ought to just install fail2ban if you want to do this. It's a very well-written, well-understood, and well-documented tool that can analyze your logs in real time and take action on them.

I know its a normal thing to get server attacks but still I went into collecting details because I was learning a lot.

How do you know this is an attack? 2000 hits over 8 days? That's nothing. At those minuscule volumes, it's not affecting the performance of your server, so what's the big deal? If you're worried about brute force attacks against Wordpress, then just install fail2ban and be done with it.

You have a server on the internet. It is going to be subject to some amount of noise. That's just expected. Don't worry too much about it unless it's affecting performance.

EEAA
  • 109,363
  • 18
  • 175
  • 245
  • Thanks @EEAA, for good advice, taken it very well and non-tech people like me do exist. So you got the correct impression, that I was asking about "without any additional software". And that's not 2000 hits, that's 2000 unique IP addressees that were hitting. I don't know the count of hits. – lawsome Jun 12 '16 at 20:57
  • Got it. So, being a non-tech person, I will again recommend that you not homebrew this. Don't reinvent the wheel. fail2ban is what you want. – EEAA Jun 12 '16 at 20:59
  • yep !! agreed ! – lawsome Jun 12 '16 at 21:00