Lately I have started to pay more attention to what is happening on the blogs on the server. I noticed that I have a very widely read blog, with a lot of hits. An obvious example is in the image below:

There are many such spam bots, and their comments pile up by the hundreds in Akismet. I know that WordPress has an option to block an IP that wants to comment, but this does not help much, for two reasons.
1. Even if the IP is blocked from WordPress -> Dashboard, it still reaches the server and generates traffic.
2. If there are 100 blogs on a server... each one must block the same IP. (headaches)
3. From the same IP, the bot can try to look for security weak points on other open ports. (I know I said two reasons. One is a bonus.)
Another method of blocking an IP's access to a site is to edit the .htaccess file in the root folder that holds the site's files (usually public_html). I had fantasies of this kind around June 2007, when I wrote the post “Deny Access to Spammer IP”.
I do not recommend blocking IPs from .htaccess to anyone, for a single reason: the more loaded the .htaccess file is, the longer the site takes to load. If 100 .htaccess files each had 50 directives, then for Apache (HTTP Server) you can bring out the sweets and two candles :)
I think the third method is the best: blocking IPs at the server level, on all ports, using iptables.
In the image above, the IP 194.8.74.158 can be seen trying to spam some blog pages. Blocking it at the server level is done as follows.
root@server [~]# /sbin/iptables -I INPUT -s 194.8.74.158 -j DROP
root@server [~]# /sbin/service iptables save
Saving firewall rules to /etc/sysconfig/iptables:          [  OK  ]
root@server [~]#
Of course, we will not block each individual IP. From what I have seen, the bots use several IPs from the same block. For this there are ARIN and RIPE.
whois (ripe.net) : 194.8.74.158
inetnum:         194.8.74.0 - 194.8.75.255
netname:         DRAGONARA-NET
descr:           Dragonara Alliance Ltd
country:         GB
OK. If the IP comes from a region from which I am sure I do not want visitors on the server (either via the web or via email), I have the option to block two class C subnets, which together cover the entire range of IPs between 194.8.74.0 and 194.8.75.255.
/sbin/iptables -I INPUT -s 194.8.74.0/24 -j DROP
/sbin/iptables -I INPUT -s 194.8.75.0/24 -j DROP
/sbin/service iptables save
Run iptables -L to see the list of IPs in "Chain INPUT".
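An added example, not part of the original post: the whois range above is aligned on a /23 boundary, so a single rule for 194.8.74.0/23 covers the same addresses as the two /24 rules. This Python sketch parses the inetnum line, computes the minimal set of CIDR blocks for any range (aligned or not), and builds the matching iptables commands. The function names are hypothetical and the whois text is a sample constructed from the fields quoted in the post.

```python
import ipaddress
import re

# Constructed sample: the whois fields quoted in the post.
WHOIS_SAMPLE = """\
inetnum:         194.8.74.0 - 194.8.75.255
netname:         DRAGONARA-NET
descr:           Dragonara Alliance Ltd
country:         GB
"""

INETNUM_RE = re.compile(r"^inetnum:\s*(\S+)\s*-\s*(\S+)\s*$", re.MULTILINE)


def inetnum_to_cidrs(whois_text):
    """Return the minimal list of CIDR networks covering each inetnum range."""
    cidrs = []
    for first, last in INETNUM_RE.findall(whois_text):
        start = ipaddress.IPv4Address(first)
        end = ipaddress.IPv4Address(last)
        if start > end:
            raise ValueError(f"inverted range: {first} - {last}")
        # A range that is not aligned on a power of two yields several blocks.
        cidrs.extend(ipaddress.summarize_address_range(start, end))
    return cidrs


def drop_rules(cidrs, offender=None):
    """Build iptables commands; refuse a range that misses the observed IP."""
    if offender is not None:
        addr = ipaddress.ip_address(offender)
        if not any(addr in net for net in cidrs):
            raise ValueError(f"{offender} is not inside the whois range")
    return [f"/sbin/iptables -I INPUT -s {net} -j DROP" for net in cidrs]


if __name__ == "__main__":
    # Prints the commands only; review them before running as root.
    for rule in drop_rules(inetnum_to_cidrs(WHOIS_SAMPLE), "194.8.74.158"):
        print(rule)
```

Passing the observed IP as `offender` guards against pasting the whois record of the wrong network before a whole range is dropped.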
 
			