iptables not blocking IP addresses

1

I am under a DDoS attack on my server. I found that someone was brute-forcing one of the WordPress sites. I disabled that virtual host temporarily. Now I am trying to block their IP addresses using iptables. But I still see the logs of the requests coming from those IP addresses in Apache.

The commands I used:

iptables -A INPUT -s 185.62.189.92 -j DROP
iptables -A OUTPUT -d 185.62.189.92 -j DROP

Here is my iptables:

# iptables -nvL --line-numbers
Chain INPUT (policy ACCEPT 5146 packets, 553K bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 DROP       all  --  *      *       185.62.189.98        0.0.0.0/0           
2        0     0 DROP       all  --  *      *       185.62.189.91        0.0.0.0/0           
3        0     0 DROP       all  --  *      *       185.62.189.92        0.0.0.0/0           
4        0     0 DROP       all  --  *      *       5.196.18.195         0.0.0.0/0           
5        0     0 DROP       all  --  *      *       185.62.188.98        0.0.0.0/0           
6        0     0 DROP       all  --  *      *       185.11.144.82        0.0.0.0/0           
7        0     0 DROP       all  --  *      *       185.11.144.82        0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 6497 packets, 7556K bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 DROP       all  --  *      *       0.0.0.0/0            185.62.189.98       
2        0     0 DROP       all  --  *      *       0.0.0.0/0            185.62.189.91       
3        0     0 DROP       all  --  *      *       0.0.0.0/0            185.62.189.92       
4        0     0 DROP       all  --  *      *       0.0.0.0/0            5.196.18.195        
5        0     0 DROP       all  --  *      *       0.0.0.0/0            185.62.188.98       
6        0     0 DROP       all  --  *      *       0.0.0.0/0            185.11.144.82       
7        0     0 DROP       all  --  *      *       0.0.0.0/0            185.11.144.82 

I still get tons of requests from the blocked addresses:

tail -f error.log
[Thu May 14 03:35:40.483899 2015] [authz_core:error] [pid 11474] [client 5.196.18.195:48105] AH01630: client denied by server configuration: /var/www/html/xmlrpc.php
[Thu May 14 03:35:40.920629 2015] [authz_core:error] [pid 11526] [client 185.62.189.92:17158] AH01630: client denied by server configuration: /var/www/html/xmlrpc.php
[Thu May 14 03:35:41.343127 2015] [authz_core:error] [pid 11526] [client 185.62.189.92:17158] AH01630: client denied by server configuration: /var/www/html/xmlrpc.php
[Thu May 14 03:35:41.830613 2015] [authz_core:error] [pid 11511] [client 185.62.189.92:46302] AH01630: client denied by server configuration: /var/www/html/xmlrpc.php
[Thu May 14 03:35:42.387676 2015] [authz_core:error] [pid 11501] [client 185.62.189.92:40100] AH01630: client denied by server configuration: /var/www/html/xmlrpc.php
[Thu May 14 03:35:43.362905 2015] [authz_core:error] [pid 11508] [client 185.62.189.92:16423] AH01630: client denied by server configuration: /var/www/html/xmlrpc.php
[Thu May 14 03:35:44.487948 2015] [authz_core:error] [pid 11501] [client 185.62.189.92:40100] AH01630: client denied by server configuration: /var/www/html/xmlrpc.php
[Thu May 14 03:35:46.066769 2015] [authz_core:error] [pid 11508] [client 185.62.189.92:16423] AH01630: client denied by server configuration: /var/www/html/xmlrpc.php
[Thu May 14 03:35:47.908027 2015] [authz_core:error] [pid 11527] [client 5.196.18.195:54456] AH01630: client denied by server configuration: /var/www/html/xmlrpc.php
[Thu May 14 03:35:47.938903 2015] [authz_core:error] [pid 11501] [client 5.196.18.195:9522] AH01630: client denied by server configuration: /var/www/html/xmlrpc.php
[Thu May 14 03:35:48.014147 2015] [authz_core:error] [pid 11487] [client 5.196.18.195:25948] AH01630: client denied by server configuration: /var/www/html/xmlrpc.php
[Thu May 14 03:35:48.118337 2015] [authz_core:error] [pid 11445] [client 185.62.189.92:23557] AH01630: client denied by server configuration: /var/www/html/xmlrpc.php
[Thu May 14 03:35:49.381834 2015] [authz_core:error] [pid 11510] [client 185.62.189.92:14750] AH01630: client denied by server configuration: /var/www/html/xmlrpc.php
[Thu May 14 03:35:51.074766 2015] [authz_core:error] [pid 11445] [client 185.62.189.92:23557] AH01630: client denied by server configuration: /var/www/html/xmlrpc.php
[Thu May 14 03:35:51.338875 2015] [authz_core:error] [pid 11487] [client 5.196.18.195:25948] AH01630: client denied by server configuration: /var/www/html/xmlrpc.php
[Thu May 14 03:35:51.602580 2015] [authz_core:error] [pid 11445] [client 185.62.189.92:23557] AH01630: client denied by server configuration: /var/www/html/xmlrpc.php
    
by mustafa 14.05.2015 / 03:39
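Added example, not part of the original question or answers: in the `iptables -nvL` listing above the `pkts` column is 0 for every DROP rule, which means that no packet has matched any of them, while Apache keeps logging requests from the same addresses. The POSIX shell script below makes that mismatch explicit. It parses the output of `iptables -nvL --line-numbers` (the plain `-nvL` layout is accepted too) together with Apache error_log lines, and reports every source address that has an INPUT DROP rule with a zero packet counter but still shows up in the log. The two sample texts embedded in it are constructed from the question (one counter was changed to a non-zero value and one extra client address, 203.0.113.7, was added so the contrast is visible); on a real host you would feed it the live `iptables -nvL --line-numbers` output and a slice of `error.log`. An address it reports is blocked on paper only: the packets are not traversing that rule, for instance because a proxy or NAT device in front of Apache presents a different source address, or because the rule was loaded into a different chain or table than the one the traffic crosses. Only IPv4 client addresses are recognised.

```shell
#!/bin/sh
# Added example, not from the original post. Compare the packet counters of
# iptables DROP rules against what Apache actually logs, to spot "blocked"
# addresses whose rule never matched a single packet.

# Constructed sample: a trimmed copy of the question's `iptables -nvL
# --line-numbers` output, with the 5.196.18.195 counter changed to a
# non-zero value so the contrast is visible.
IPTABLES_SAMPLE='Chain INPUT (policy ACCEPT 5146 packets, 553K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       all  --  *      *       185.62.189.98        0.0.0.0/0
3        0     0 DROP       all  --  *      *       185.62.189.92        0.0.0.0/0
4       12   720 DROP       all  --  *      *       5.196.18.195         0.0.0.0/0

Chain OUTPUT (policy ACCEPT 6497 packets, 7556K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       all  --  *      *       0.0.0.0/0            185.62.189.98'

# Constructed sample: error_log lines in the format shown in the question,
# plus one line from an address (203.0.113.7) that has no DROP rule at all.
APACHE_SAMPLE='[Thu May 14 03:35:40.483899 2015] [authz_core:error] [pid 11474] [client 5.196.18.195:48105] AH01630: client denied by server configuration: /var/www/html/xmlrpc.php
[Thu May 14 03:35:40.920629 2015] [authz_core:error] [pid 11526] [client 185.62.189.92:17158] AH01630: client denied by server configuration: /var/www/html/xmlrpc.php
[Thu May 14 03:35:41.343127 2015] [authz_core:error] [pid 11526] [client 185.62.189.92:17158] AH01630: client denied by server configuration: /var/www/html/xmlrpc.php
[Thu May 14 03:35:42.387676 2015] [authz_core:error] [pid 11501] [client 185.62.189.92:40100] AH01630: client denied by server configuration: /var/www/html/xmlrpc.php
[Thu May 14 03:35:43.000000 2015] [authz_core:error] [pid 11502] [client 203.0.113.7:40101] AH01630: client denied by server configuration: /var/www/html/xmlrpc.php'

# unmatched_drops IPTABLES_TEXT ERRORLOG_TEXT
# Prints "<ip> <number of log entries>" for every address that has an INPUT
# DROP rule whose packet counter is still 0 yet still appears in the log.
unmatched_drops() {
    awk -v ipt="$1" -v errlog="$2" '
    BEGIN {
        # Pass 1: walk the iptables listing and remember, for every DROP rule
        # in the INPUT chain, the packet counter keyed by source address.
        # The header line tells us whether a leading "num" column is present.
        n = split(ipt, line, "\n")
        chain = ""; pk = 2; tgt = 4; src = 9
        for (i = 1; i <= n; i++) {
            m = split(line[i], f, " ")
            if (f[1] == "Chain") { chain = f[2]; continue }
            if (f[1] == "pkts")  { pk = 1; tgt = 3; src = 8; continue }
            if (f[1] == "num")   { pk = 2; tgt = 4; src = 9; continue }
            if (chain == "INPUT" && m >= src && f[tgt] == "DROP" && f[src] != "0.0.0.0/0")
                pkts[f[src]] = f[pk] + 0   # "12K" becomes 12, "0" stays 0
        }
        # Pass 2: count error_log entries per IPv4 client ("[client IP:port]").
        n = split(errlog, line, "\n")
        for (i = 1; i <= n; i++) {
            if (match(line[i], /\[client [0-9.]+:/)) {
                ip = substr(line[i], RSTART + 8, RLENGTH - 9)
                hits[ip]++
            }
        }
        # Report addresses Apache still sees although their DROP rule never matched.
        for (ip in hits)
            if ((ip in pkts) && pkts[ip] == 0)
                printf "%s %d\n", ip, hits[ip]
    }' | sort
}

# Usage with the constructed samples: only 185.62.189.92 is reported, because
# 5.196.18.195 has a rule that did match packets and 203.0.113.7 has no rule.
unmatched_drops "$IPTABLES_SAMPLE" "$APACHE_SAMPLE"
```

If the script reports an address, check where the packets really enter: `iptables -t raw -nvL` and `iptables -t nat -nvL` show whether another table sees them, and the client address Apache logs may come from an upstream proxy rather than from the TCP connection itself.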

2 answers

1

You can just deny the requests from those IPs in the virtual host with a rewrite.

RewriteEngine On
# The conditions are OR-ed together; the last one must not carry [OR],
# otherwise the rule would fire for every client.
RewriteCond %{REMOTE_ADDR} ^185\.62\.189\.92$ [OR]
RewriteCond %{REMOTE_ADDR} ^186\.62\.189\.92$
# Answer matching clients with 403 Forbidden
RewriteRule ^(.*)$ - [F,L]
    
by 14.05.2015 / 06:43
0

Try adding the interface name to your rules:

-i eth0 for the INPUT rule
and -o eth0 for the OUTPUT rule.

To find your own interface name you can use the command:
ifconfig

    
by 16.05.2015 / 15:11