Editing my /etc/host.deny

Question

I'm being trolled by China, and don't know why I can't block their request to my server.

//host.deny

ALL: item.taobao.com
ALL: 117.25.128.*

But when I watch the error log on my webserver tail -f /var/log/apache2/error.log the requests are still being allowed through.

Question: Why isn't my host.deny config working?

I'm voting to close this question as off-topic because it belongs on https://unix.stackexchange.com/ — Keith Thompson, Nov 17 '15 at 03:50
@KevinGuan yea I tried iptables `iptables -A INPUT -s 117.25.128.13 -j DROP` but still coming through. (Do you know what oxygen :D ) — Jordan Davis, Nov 17 '15 at 03:57

score 2 · Accepted Answer · edited Nov 17 '15 at 04:01

2

Hosts deny will not block every socket connection, only on apps that rely on hosts.deny which is ssh, inetd, and a few others. To block all connections you need to use iptables.

It varies from distro to distro but the command line is something like:

iptables -A INPUT -s 117.25.128.0/24 -j DROP

You'll need to use CIDR notation (ie, a.b.c.d/x) to do ranges. To wildcard the last digit change (class C network) it to a zero and use /24. For the last two IPs change them to zero and use /16.

edited Nov 17 '15 at 04:01

Remi Guan

21,506
17
64
87

answered Nov 17 '15 at 03:55

AndrewWhalan

417
3
12

ahh that might be the trick I've been using the `*` wild card selector – Jordan Davis Nov 17 '15 at 03:58
@KevinGuan so I figured I need to use -I instead -A to input it at the beginning of the file instead of the bottom (-A), apparently precedence is the first matching rule, thank you for your help. – Jordan Davis Nov 17 '15 at 04:35
@JordanDavis: Ah, yeah. No problem :P – Remi Guan Nov 17 '15 at 04:37

Editing my /etc/host.deny

1 Answers1