On 06/09/2016 22:57, Grant wrote:
>> Hi, my site is being ravaged by an IP but dropping the IP via
>> shorewall is seeming to have no effect. I'm using his IP from nginx
>> logs. IP blocking in shorewall has always worked before. What could
>> be happening?
>
>
> I'm blocking like this with the firewall running on the web server:
>
> /etc/shorewall/rules
> DROP net:1.2.3.4 $FW
>
> Could shorewall/iptables see a different IP address than the one seen by
> nginx?

Most likely the file is configured but the firewall service wasn't restarted or the rules not loaded. Be careful with that one - it's all too easy to *think* you reloaded them when you didn't and one's own confirmation bias kicks in. I see it daily with everyone in my team (me included).

But as Jeremi pointed out, fail2ban is a far superior tool for this. Ossec with its active response is also good. There are quite a few more tools in this space, and they all work much the same way - scan logs looking for dodgy stuff going on, then dynamically apply a packet filter rule. The software also does it all day every day, and that's a record you the human cannot hope to match :-)

--
Alan McKinnon
alan.mckin...@gmail.com
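
One way to check the "configured but not loaded" case from the reply above, as an added example that is not part of the original thread: compare the DROP entries in a shorewall rules file with the DROP rules in `iptables-save` output. The sample inputs are constructed, and the `net-fw` chain name and the `-s <addr> -j DROP` form of the loaded rule are assumptions about how the rule appears in the running ruleset.

```python
import ipaddress
import shlex

def configured_drops(rules_text):
    """Networks that DROP entries in a shorewall rules file say to block."""
    nets = set()
    for line in rules_text.splitlines():
        fields = line.split("#", 1)[0].split()
        # ACTION may carry a log level, e.g. DROP:info
        if len(fields) < 3 or fields[0].split(":")[0] != "DROP":
            continue
        _zone, _, hosts = fields[1].partition(":")
        for host in hosts.split(","):
            try:
                nets.add(ipaddress.ip_network(host, strict=False))
            except ValueError:
                pass  # whole zone, ipset, range or exclusion: not handled here
    return nets

def loaded_drops(iptables_save_text):
    """Source networks that the running ruleset actually drops."""
    nets = set()
    for line in iptables_save_text.splitlines():
        if not line.startswith("-A "):
            continue
        tok = shlex.split(line)
        if "-s" not in tok or "-j" not in tok:
            continue
        s = tok.index("-s")
        if tok[s - 1] == "!" or tok[tok.index("-j") + 1] != "DROP":
            continue  # negated match or a different target
        nets.add(ipaddress.ip_network(tok[s + 1], strict=False))
    return nets

def not_loaded(rules_text, iptables_save_text):
    """Configured DROP sources that no loaded DROP rule covers."""
    live = loaded_drops(iptables_save_text)
    return sorted(str(want) for want in configured_drops(rules_text)
                  if not any(want.version == have.version and want.subnet_of(have)
                             for have in live))

# Constructed sample: the rules file lists two addresses, the kernel has one.
SAMPLE_RULES = "DROP net:1.2.3.4 $FW\nDROP:info net:203.0.113.7 $FW\nACCEPT net $FW tcp 80,443\n"
SAMPLE_SAVE = ("*filter\n:net-fw - [0:0]\n-A INPUT -i eth0 -j net-fw\n"
               "-A net-fw -s 203.0.113.7/32 -j DROP\nCOMMIT\n")

if __name__ == "__main__":
    print(not_loaded(SAMPLE_RULES, SAMPLE_SAVE))
```

On a live host, replace the two sample strings with the contents of `/etc/shorewall/rules` and the output of `iptables-save` run as root; a non-empty result means the running ruleset does not match the file.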