APLawrence.com -  Resources for Unix and Linux Systems, Bloggers and the self-employed

2005/05/01 blacklist unwanted ip addresses

On Linux, it's easy enough to add an iptables rule to blacklist a particular ip address. You can even automate the process based on certain criteria that you define. However, you don't necessarily want to leave an ip blacklisted forever, because it may be transient (a legitimate user may have that ip address tomorrow), or the condition that triggered your block may have been an error. The ip address may even have been spoofed, thus denying access to legitimate users.

There is a security tools bundle at http://www.apachesecurity.net by the author of Apache Security that can assist with this. It includes a command line perl script "blacklist" that adds entries to your iptables. To prepare for it, your regular iptables startup rules need to add a "BLACKLIST" chain like this:

    iptables -N BLACKLIST
    iptables -A INPUT -p tcp --dport 80 -j BLACKLIST

Then simply make sure that "blacklist start" runs at startup. I copied it to /sbin and added "/sbin/blacklist start" to /etc.rc.local. This is not a daemon; the startup just reads previously stored blocks from a data file and adds them to the BLACKLIST chain.

IP's are blocked for the duration you specify:

blacklist block 300

blocks that ip address for 300 seconds. However, as no daemon is running, there's nothing to unblock unless you run "blacklist unblock_stale" regularly. Therefore, how often you run that determines the lower limit of how long someone will be blocked. I have it running daily only, so any block could last up to 24 hours regardless of the duration set. You may want to run the unblock_stale more often. You can specifically unblock someone with "blacklist unblock <ip>" and clear all blocks with "blacklist clear".

This bundle also includes an "apache-protect" perl script that can monitor apache status and automatically call blacklist when suspicious activity is observed. To use that, you need to enable the apache mod_status module:

# from httpd.conf
LoadModule status_module modules/mod_status.so
ExtendedStatus On
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from
    Allow from

This creates a special /server-status page, only visible to the ip addresses listed in "Allow from", that has extended Apache status information:

                     Apache Server Status for unixish.com

   Server Version: Apache
   Server Built: Nov 12 2004 10:10:20

   Current Time: Friday, 22-Apr-2005 08:55:01 EDT
   Restart Time: Thursday, 21-Apr-2005 13:31:56 EDT
   Parent Server Generation: 8
   Server uptime: 19 hours 23 minutes 4 seconds
   Total accesses: 734 - Total Traffic: 1.1 MB
   CPU Usage: u.2 s.29 cu35.21 cs0 - .0512% CPU load
   .0105 requests/sec - 16 B/second - 1583 B/request
   1 requests currently being processed, 8 idle workers


   Scoreboard Key:
   "_" Waiting for Connection, "S" Starting up, "R" Reading Request,
   "W" Sending Reply, "K" Keepalive (read), "D" DNS Lookup,
   "C" Closing connection, "L" Logging, "G" Gracefully finishing,
   "I" Idle cleanup of worker, "." Open slot with no current process

   Srv PID Acc M CPU SS Req Conn Child Slot Client VHost Request
   0-8 1481 0/86/86 _ 5.08 600 0 0.0 0.13 0.13 zenez.com GET
   1-8 1482 0/88/88 _ 4.82 904 0 0.0 0.13 0.13 zenez.com GET
   /tmp/scouw7faqz/cache/77.html HTTP/1.0
   2-8 1483 0/87/87 _ 5.30 1004 0 0.0 0.14 0.14 zenez.com GET
   /tmp/scoprogfaq/cache/68.html HTTP/1.0
   3-8 1484 0/87/87 _ 3.93 720 0 0.0 0.12 0.12 stage.zenez.com
   GET /cgi-bin/scoprogfaq/faq?cmd=maintenance&secret=fed3156b3781
   4-8 1485 0/88/88 _ 3.70 937 0 0.0 0.13 0.13 zenez.com GET
   /robots.txt HTTP/1.0
   5-8 1486 0/86/86 _ 5.22 495 0 0.0 0.11 0.11 zenez.com GET
   /tmp/ou8faqz/cache/125.html HTTP/1.0
   6-8 1487 0/89/89 _ 5.45 21 0 0.0 0.16 0.16 u15181317.onlinehome-server.com
   unixish.com GET /server-status HTTP/1.0
   7-8 1488 0/87/87 _ 4.00 495 0 0.0 0.13 0.13 zenez.com GET
   /robots.txt HTTP/1.0
   8-8 4121 0/36/36 W 1.28 0 0 0.0 0.06 0.06 unixish.com GET
   /server-status HTTP/1.0

    Srv  Child Server number - generation
    PID  OS process ID
    Acc  Number of accesses this connection / this child / this slot
     M   Mode of operation
    CPU  CPU usage, number of seconds
    SS   Seconds since beginning of most recent request
    Req  Milliseconds required to process most recent request
   Conn  Kilobytes transferred this connection
   Child Megabytes transferred this child
   Slot  Total megabytes transferred this slot

   SSL/TLS Session Cache Status:
   cache type: SHMCB, shared memory: 512000 bytes, current sessions: 0
   sub-caches: 32, indexes per sub-cache: 133
   index usage: 0%, cache usage: 0%
   total sessions stored since starting: 0
   total sessions expired since starting: 0
   total (pre-expiry) sessions scrolled out of the cache: 0
   total retrieves since starting: 0 hit, 0 miss
      total removes since starting: 0 hit, 0 miss

The "apache-protect" script processes this information and calls blacklist when indicated. Add apache-protect to cron:

*       *       *       *       *       /sbin/apache-protect

It would definitely be a good idea to add your own ip address to apache-protect's whitelist:

# An overriding threshold list. The value -1 means never
# block. Any other value establishes a threshold for
# the given IP address.
%WHITELIST = ( "" => -1, "" => -1 );

It's easy to use "blacklist" for other conditions, too. I have code in my comments scripts that checks for spamming and refuses the post if it detects unreasonable content; I may also add a call to "blacklist" under such conditions. If a particular site seems to be regularly appearing in your spam email filters, they may as well be blocked permanently. That can be done by adding ip's to the blacklist data file "/etc/blacklist.dat " at startup, perhaps just by maintaining another file of "always block" ip's that you iterate through with "blacklist" at startup. That's simple to add to the blacklist script itself.

(OLDER)    <- More Stuff -> (NEWER)    (NEWEST)   

Printer Friendly Version

-> -> Blacklist unwanted ip addresses


More Articles by

Find me on Google+

Click here to add your comments
- no registration needed!

Don't miss responses! Subscribe to Comments by RSS or by Email

Click here to add your comments

If you want a picture to show with your comment, go get a Gravatar
Kerio Connect Mailserver

Kerio Samepage

Kerio Control Firewall

Have you tried Searching this site?

Unix/Linux/Mac OS X support by phone, email or on-site: Support Rates

This is a Unix/Linux resource website. It contains technical articles about Unix, Linux and general computing related subjects, opinion, news, help files, how-to's, tutorials and more.

Contact us

Jump to Comments

Many of the products and books I review are things I purchased for my own use. Some were given to me specifically for the purpose of reviewing them. I resell or can earn commissions from the sale of some of these items. Links within these pages may be affiliate links that pay me for referring you to them. That's mostly insignificant amounts of money; whenever it is not I have made my relationship plain. I also may own stock in companies mentioned here. If you have any question, please do feel free to contact me.

I am a Kerio reseller. Articles here related to Kerio products reflect my honest opinion, but I do have an obvious interest in selling those products also.

Specific links that take you to pages that allow you to purchase the item I reviewed are very likely to pay me a commission. Many of the books I review were given to me by the publishers specifically for the purpose of writing a review. These gifts and referral fees do not affect my opinions; I often give bad reviews anyway.

We use Google third-party advertising companies to serve ads when you visit our website. These companies may use information (not including your name, address, email address, or telephone number) about your visits to this and other websites in order to provide advertisements about goods and services of interest to you. If you would like more information about this practice and to know your choices about not having this information used by these companies, click here.

This post tagged:

       - Linux

       - Reviews

       - Security

       - Unix

My Troubleshooting E-Book will show you how to solve tough problems on Linux and Unix systems!

book graphic unix and linux troubleshooting guide

Buy Kerio from a dealer who knows tech:
I sell and support

Kerio Connect Mail server, Control, Workspace and Operator licenses and subscription renewals