On 06/09/2016 22:57, Grant wrote:
>> Hi, my site is being ravaged by an IP but dropping the IP via
>> shorewall is seeming to have no effect. I'm using his IP from nginx
>> logs. IP blocking in shorewall has always worked before. What could
>> be happening?
>
>
> I'm blocking like this with the firewall running on the web server:
>
> /etc/shorewall/rules
> DROP net:1.2.3.4 $FW
>
> Could shorewall/iptables see a different IP address than the one seen by nginx?

Most likely the file is configured but the firewall service wasn't
restarted or the rules not loaded.

Be careful with that one - it's all too easy to *think* you reloaded
them when you didn't and one's own confirmation bias kicks in. I see it
daily with everyone in my team (me included)

But as Jeremi pointed out, fail2ban is a far superior tool for this.
Ossec with its active response is also good.
There are quite a few more tools in this space, and they all work much
the same way - scan logs looking for dodgy stuff going on then
dynamically apply a packet filter rule. The software also does it all
day every day, and that's a record you the human cannot hope to match :-)

--
Alan McKinnon
alan.mckinnon@×××××.com
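
Added example (not part of the original message, and not code from fail2ban or OSSEC): a minimal sketch of the "scan logs, then emit a packet filter rule" loop described above, run over constructed nginx access-log lines. It assumes nginx's default combined log format; the threshold, window and function names are hypothetical, and the output reuses the rule format quoted in the thread.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# nginx default "combined" format starts: $remote_addr - $remote_user [$time_local]
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\]')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

def find_offenders(lines, max_hits=5, window=timedelta(seconds=10)):
    """Return IPs with more than max_hits requests inside any sliding window."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    offenders = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of crashing the scanner
        ip, ts = m.group(1), datetime.strptime(m.group(2), TIME_FMT)
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > window:  # evict requests older than the window
            hits.popleft()
        if len(hits) > max_hits and ip not in offenders:
            offenders.append(ip)
    return offenders

def shorewall_rules(ips):
    """Format offenders as /etc/shorewall/rules lines, as quoted in the thread."""
    return [f"DROP net:{ip} $FW" for ip in ips]

def sample_lines():
    # Constructed sample: 203.0.113.7 sends 8 requests in 8 seconds,
    # 198.51.100.9 sends 2 requests 29 seconds apart, plus one junk line.
    fmt = '{ip} - - [09/Jun/2016:22:57:{s:02d} +0000] "GET / HTTP/1.1" 200 612 "-" "-"'
    lines = [fmt.format(ip="203.0.113.7", s=s) for s in range(8)]
    lines += [fmt.format(ip="198.51.100.9", s=s) for s in (1, 30)]
    lines.append("not an access log line")
    return lines

if __name__ == "__main__":
    for rule in shorewall_rules(find_offenders(sample_lines())):
        print(rule)
```

Writing the rule line is only half the job: the running ruleset still has to be reloaded and checked before the block takes effect.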