| 1 |
On 06/09/2016 22:57, Grant wrote: |
| 2 |
>> Hi, my site is being ravaged by an IP but dropping the IP via |
| 3 |
>> shorewall is seeming to have no effect. I'm using his IP from nginx |
| 4 |
>> logs. IP blocking in shorewall has always worked before. What could |
| 5 |
>> be happening? |
| 6 |
> |
| 7 |
> |
| 8 |
> I'm blocking like this with the firewall running on the web server: |
| 9 |
> |
| 10 |
> /etc/shorewall/rules |
| 11 |
> DROP net:1.2.3.4 $FW |
| 12 |
> |
| 13 |
> Could shorewall/iptables see a different IP address than the one seen by nginx? |
| 14 |
|
| 15 |
|
| 16 |
Most likely the file is configured but the firewall service wasn't |
| 17 |
restarted or the rules no loaded. |
| 18 |
|
| 19 |
Be careful with that one - it's all too easy to *think* you reloaded |
| 20 |
them when you didn't and one's own confirmation bias kicks in. I see it |
| 21 |
daily with everyone in my team (me included) |
| 22 |
|
| 23 |
But as Jeremi pointed out. failsban is a far superior tool for this. |
| 24 |
Ossec with it's active response is also good. |
| 25 |
There are quite a few more tools in this space, and they all work much |
| 26 |
the same way - scan logs looking for dodgy stuff going on the |
| 27 |
dynamically apply a packet filter rule. The software also does it all |
| 28 |
day every day, and that's a record you the human cannot hope to match :-) |
| 29 |
|
| 30 |
-- |
| 31 |
Alan McKinnon |
| 32 |
alan.mckinnon@×××××.com |
Archives