Banning IPs from Apache?
Bill Horne
bill at horne.net
Wed Feb 11 11:45:01 EST 2004
----- Original Message -----
Duane Morin <dmorin at lear.morinfamily.com> wrote:
> Recently I'm experiencing nasty load problems on my home web
> server for reasons I have yet to determine. But I do see that
> my access logs are full of the usual worm traffic. Can
> somebody point me in the right direction (or just give me the
> quick tutorial) on whether I can tell Linux or Apache ASAP
> "here's a bunch of IPs that I dont want you to respond to at
> all?" What's the optimal way of making sure that these hits
> don't kill your server (or even interfere with its usual
> operation)?
I've had good results by using IPTABLES to restrict incoming traffic on a
network basis: I simply add a rule for each network that I'm aware of (e.g.,
comcast), and drop everything that isn't on my approved list. Of course,
this might not fit your profile: I'm only showing pages to relatives and
friends, so if your web site is supposed to be visible to the world, then
I suggest you take advantage of the web space your ISP offers and let them
do the worrying. ;-)
A sample entry: assuming your input policy is DROP -
# the user-defined chain has to exist before INPUT can jump to it
iptables -N http-ok-from
# -I inserts at the top of INPUT, so the NEW rule below ends up ahead of this one
iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I INPUT -m state --state NEW -p tcp --dport 80 -j http-ok-from
# one ACCEPT per approved network; anything not matched falls back to INPUT's DROP policy
iptables -A http-ok-from -s 66.31.0.0/16 -j ACCEPT
(etc.)
HTH.
Bill Horne
http://billhorne.com/
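The allowlist chain described in the reply above, as an added example that is not part of the original post or of any project: a small POSIX sh script that builds the http-ok-from chain from a list of networks instead of typing one rule per network. The chain name and the 66.31.0.0/16 entry come from the post; the second network in the list, the valid_cidr helper, the explicit trailing DROP and the preview mode (IPTABLES=echo) are assumptions added here.

```shell
#!/bin/sh
# Added example, not Bill Horne's own script. Builds the per-network HTTP
# allowlist chain from a list of CIDRs. Defaults to printing the iptables
# commands; pass "apply" as the first argument (as root) to run them.
IPTABLES="${IPTABLES:-iptables}"   # set IPTABLES=echo to preview
CHAIN="${CHAIN:-http-ok-from}"     # chain name from the original post

# Constructed sample allowlist: first entry is from the post, second is made up.
ALLOWED_NETS="66.31.0.0/16
24.34.0.0/16"

# Accept only "a.b.c.d/len" with sane octets and prefix length, so a malformed
# or hostile allowlist line can never become an iptables argument.
valid_cidr() {
    case "$1" in
        *[!0-9./]*|*/|/*|*//*|*..*|"") return 1 ;;
    esac
    ip="${1%/*}"; len="${1#*/}"
    [ "$ip" = "$1" ] && return 1                      # no prefix length at all
    [ "$len" -ge 0 ] 2>/dev/null && [ "$len" -le 32 ] || return 1
    set -- $(printf '%s' "$ip" | tr '.' ' ')          # split octets (unquoted on purpose)
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# Create (or reset) the chain, fill it, then hook it into INPUT.
apply_rules() {
    # -N fails if the chain already exists; in that case flush it so reruns are idempotent
    $IPTABLES -N "$CHAIN" 2>/dev/null || $IPTABLES -F "$CHAIN"

    printf '%s\n' "$ALLOWED_NETS" | while read -r net; do
        [ -n "$net" ] || continue
        if ! valid_cidr "$net"; then
            echo "skipping bad allowlist entry: $net" >&2
            continue
        fi
        $IPTABLES -A "$CHAIN" -s "$net" -j ACCEPT
    done
    # Explicit DROP at the end of the chain: same result as relying on INPUT's
    # DROP policy, but the chain then stands on its own if the policy changes.
    $IPTABLES -A "$CHAIN" -j DROP

    # Explicit positions instead of bare -I, so the order is obvious:
    # replies to existing connections first, then new HTTP connections to the chain.
    $IPTABLES -I INPUT 1 -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPTABLES -I INPUT 2 -m state --state NEW -p tcp --dport 80 -j "$CHAIN"
}

if [ "${1:-preview}" = apply ]; then
    apply_rules
else
    ( IPTABLES=echo; apply_rules )   # preview: print the commands, touch nothing
fi
```

Run it once without arguments to see exactly which rules it would add, then as root with `apply`. Any line in ALLOWED_NETS that is not a plain a.b.c.d/len is reported and skipped rather than handed to iptables, so one typo cannot leave the chain half-built. On current kernels `-m conntrack --ctstate` is the preferred spelling of `-m state --state`; the legacy form used in the post still works.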