Block IPs and Protect Against DDoS
01
Identify Suspicious IPs
Which IPs Make the Most Requests to the Web Server?
bash
# Top 20 IPs by request count (Nginx log)
awk '{print $1}' /var/log/nginx/access.log | sort | uniq -c | sort -rn | head -20
# Same for Apache
awk '{print $1}' /var/log/apache2/access.log | sort | uniq -c | sort -rn | head -20
If the site sits behind Cloudflare or another reverse proxy, the first field is the proxy's address, not the visitor's: every client then shows up as a handful of proxy IPs, and blocking one of them cuts off all traffic. Log the X-Forwarded-For header (CF-Connecting-IP on Cloudflare), or configure Nginx's real_ip module so $remote_addr holds the visitor's address, before trusting these counts.
Who's Attempting SSH Brute Force?
bash
# Take the token after "from": a fixed field such as $11 is wrong for
# "Failed password for invalid user X from ..." lines, where $11 is the username
grep "Failed password" /var/log/auth.log | awk '{for (i = 1; i < NF; i++) if ($i == "from") print $(i+1)}' | sort | uniq -c | sort -rn | head -10
# RHEL family logs to /var/log/secure; on hosts without rsyslog read the journal
journalctl _COMM=sshd --no-pager | grep "Failed password" | awk '{for (i = 1; i < NF; i++) if ($i == "from") print $(i+1)}' | sort | uniq -c | sort -rn | head -10
How Many Active Connections per IP?
bash
# -H drops the header line; the sub() strips the port after the last colon so
# IPv6 peers are kept whole (cut -d: -f1 would mangle them)
ss -Htn | awk '{sub(/:[^:]*$/, "", $5); print $5}' | sort | uniq -c | sort -rn | head -20
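The three questions above come down to counting sources in two log formats. The script below is an added example, not part of the original article: it runs the same counts over constructed sample lines (an Nginx access log and an sshd auth log), extracts the SSH source address by position relative to the word "from" so the "invalid user" line form is handled, and reports only sources above a threshold. The threshold values and the sample addresses are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): per-IP request counts from an
# Nginx access log and per-IP failed SSH logins from auth.log, reporting only
# sources above a threshold. All log lines below are constructed sample data.
set -euo pipefail

SAMPLE_ACCESS=$(mktemp)
SAMPLE_AUTH=$(mktemp)
trap 'rm -f "$SAMPLE_ACCESS" "$SAMPLE_AUTH"' EXIT

# Constructed Nginx combined-format lines: 203.0.113.10 hammers wp-login.php,
# 198.51.100.7 is an ordinary visitor.
cat >"$SAMPLE_ACCESS" <<'EOF'
203.0.113.10 - - [10/Jan/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.10 - - [10/Jan/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.10 - - [10/Jan/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - - [10/Jan/2024:10:00:03 +0000] "GET / HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Jan/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
EOF

# Constructed sshd lines. In the "invalid user" form the 11th field is the
# attempted username, so a fixed-field awk '{print $11}' would mix usernames
# into the address list; the parser below keys on the word "from" instead.
cat >"$SAMPLE_AUTH" <<'EOF'
Jan 10 10:00:01 web sshd[1001]: Failed password for root from 203.0.113.10 port 40001 ssh2
Jan 10 10:00:02 web sshd[1002]: Failed password for invalid user admin from 203.0.113.10 port 40002 ssh2
Jan 10 10:00:03 web sshd[1003]: Failed password for invalid user test from 203.0.113.10 port 40003 ssh2
Jan 10 10:00:04 web sshd[1004]: Accepted publickey for deploy from 198.51.100.7 port 50000 ssh2
Jan 10 10:00:05 web sshd[1005]: Failed password for deploy from 192.0.2.55 port 50001 ssh2
EOF

# top_web_ips LOG THRESHOLD: print "count ip" for every client address with
# more than THRESHOLD requests, busiest first.
top_web_ips() {
    awk '{print $1}' "$1" | sort | uniq -c | sort -rn \
        | awk -v t="$2" '$1 > t {print $1, $2}'
}

# ssh_bruteforce_ips LOG THRESHOLD: same for "Failed password" lines, taking
# the token that follows "from" rather than a fixed field number.
ssh_bruteforce_ips() {
    grep 'Failed password' "$1" \
        | awk '{for (i = 1; i < NF; i++) if ($i == "from") print $(i + 1)}' \
        | sort | uniq -c | sort -rn \
        | awk -v t="$2" '$1 > t {print $1, $2}'
}

top_web_ips "$SAMPLE_ACCESS" 2          # 4 203.0.113.10
ssh_bruteforce_ips "$SAMPLE_AUTH" 2     # 3 203.0.113.10
```

Point the two functions at /var/log/nginx/access.log and /var/log/auth.log on a real host; the addresses they print are candidates for the UFW or iptables rules in the next sections, not an automatic ban list, so check that none of them is your own office or a proxy before blocking.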
02
Block an IP with UFW
bash
# Block a specific IP (all traffic)
ufw deny from 1.2.3.4
# "ufw deny" appends, and UFW matches rules in order: an earlier "allow 80/tcp"
# still lets 1.2.3.4 reach port 80. When allow rules already exist, insert the
# block at position 1 so it is evaluated first
ufw insert 1 deny from 1.2.3.4
# Block an IP on a specific port
ufw insert 1 deny from 1.2.3.4 to any port 80
ufw insert 1 deny from 1.2.3.4 to any port 443
# Block an entire subnet
ufw insert 1 deny from 1.2.3.0/24
# Verify the rule was added and sits above the allow rules
ufw status numbered
03
Block an IP with iptables
bash
# Block all traffic from an IP. Use -I (insert at the top), not -A: -A appends
# after existing ACCEPT rules, such as the usual ESTABLISHED/RELATED or port 80
# accepts, so an appended DROP is never reached for the traffic it should stop
iptables -I INPUT 1 -s 1.2.3.4 -j DROP
# Block traffic to a specific port only
iptables -I INPUT 1 -s 1.2.3.4 -p tcp --dport 80 -j DROP
# IPv6 sources need the ip6tables equivalent (2001:db8::1 is a placeholder)
ip6tables -I INPUT 1 -s 2001:db8::1 -j DROP
# Verify, with rule positions
iptables -L INPUT -n -v --line-numbers | grep 1.2.3.4
# Save the rules across reboots (Debian/Ubuntu: apt install iptables-persistent)
netfilter-persistent save
04
Automatic Blocking with Fail2ban
Fail2ban monitors logs and automatically bans IPs that make too many failed attempts, inserting firewall rules of the same kind as in sections 02 and 03. Before enabling any jail, add your own management address to ignoreip in /etc/fail2ban/jail.local; otherwise a few mistyped passwords lock you out of your own server. See the complete guide: Fail2ban
bash
# Current ban status
fail2ban-client status sshd
fail2ban-client status nginx-http-auth
# Manually ban an IP
fail2ban-client set sshd banip 1.2.3.4
# Unban an IP
fail2ban-client set sshd unbanip 1.2.3.4
05
Limit Connections with Nginx (Rate Limiting)
Rate limiting in Nginx stops single-source brute force and takes the edge off small application-layer floods; it does nothing against bandwidth saturation (see section 09).
nginx
# In /etc/nginx/nginx.conf, in the http block:
http {
# Shared-memory zones keyed on the client address. 10m holds roughly
# 160,000 IPv4 states; when a zone fills, Nginx evicts the oldest entries
limit_req_zone $binary_remote_addr zone=general:10m rate=10r/s;
limit_req_zone $binary_remote_addr zone=login:10m rate=5r/m;
# Limit simultaneous connections per IP
limit_conn_zone $binary_remote_addr zone=connections:10m;
}
In the server block of your site:
nginx
server {
# General rate limit: up to 20 requests above 10r/s are served immediately
# (nodelay); beyond that Nginx answers 503 (limit_req_status changes the code)
limit_req zone=general burst=20 nodelay;
limit_conn connections 10;
# Tighter limit for login paths (WordPress, etc.). The pattern is anchored so
# it does not also catch /wp-admin/admin-ajax.php, which WordPress calls from
# the public front end; an unanchored /(wp-login|login|admin) would throttle it
location ~ ^/(wp-login\.php|login|admin) {
# limit_req is not inherited once redefined: only the login zone applies here.
# List both directives if the general limit should apply as well
limit_req zone=login burst=5 nodelay;
# ...
}
}
Two checks before reloading. Run nginx -t. And if Cloudflare or another proxy fronts the site, $binary_remote_addr is the proxy's address, so all visitors share one bucket and the first burst of real traffic trips the limit: set set_real_ip_from to the proxy's address ranges and real_ip_header to X-Forwarded-For (CF-Connecting-IP for Cloudflare) in the http block so the zones key on the visitor's address.
06
Block Entire Countries (GeoIP)
If you receive systematic attacks from certain countries, you can block them. Treat this as a blunt instrument: it also turns away legitimate visitors from those countries, and attackers simply rent servers elsewhere, so it reduces noise rather than stopping a determined attacker.
With Nginx and the GeoIP2 module:
bash
apt install libnginx-mod-http-geoip2 -y
# The GeoLite2 database is not in the package: fetch it with geoipupdate
# (free MaxMind account required) and point the geoip2 directive at the file
nginx
# /etc/nginx/nginx.conf
# Top level, before the http block. On Debian/Ubuntu the package already enables
# the module via /etc/nginx/modules-enabled; leave this line out there, or
# nginx -t reports that the module is already loaded
load_module modules/ngx_http_geoip2_module.so;
http {
geoip2 /usr/share/GeoIP/GeoLite2-Country.mmdb {
$geoip2_country_code country iso_code;
}
# Addresses missing from the database get an empty code and fall to "default"
map $geoip2_country_code $blocked_country {
default 0;
CN 1; # China
RU 1; # Russia
KP 1; # North Korea
}
}
server {
# 444 closes the connection without sending a response
if ($blocked_country) {
return 444;
}
}
Run nginx -t and reload after editing. Behind Cloudflare the lookup sees Cloudflare's edge address unless the real_ip module is configured; in that case, or simply to have fewer moving parts, use Cloudflare to block countries instead. See: Cloudflare
07
SYN Flood Protection (iptables)
A SYN flood fills the listen backlog with half-open connections. The kernel's SYN cookies handle that without any per-packet rule and also cover floods from spoofed, ever-changing source addresses, which no per-source rate limit can. Add a per-source limit on top for the unspoofed case. Do not copy the common "-m limit --limit 1/s" recipe: that match is global, not per source, so it caps the whole server at one new connection per second and is a self-inflicted outage. Gauge a flood with ss -tan state syn-recv | wc -l.
bash
# SYN cookies (kernel) are the primary defence; make the setting persistent
sysctl -w net.ipv4.tcp_syncookies=1
echo 'net.ipv4.tcp_syncookies = 1' > /etc/sysctl.d/90-syncookies.conf
# Per-source SYN limit with hashlimit (above 25 SYN/s from one address, burst 50)
iptables -I INPUT 1 -p tcp --syn -m hashlimit --hashlimit-name synflood \
  --hashlimit-mode srcip --hashlimit-above 25/s --hashlimit-burst 50 -j DROP
08
Public IP Blacklist
You can import lists of known malicious IPs. Use ipset rather than one iptables rule per address: a hash set matches thousands of entries in constant time, while a long rule chain is checked linearly for every packet.
bash
# Install ipset to efficiently manage large IP lists
apt install ipset -y
# Create a set; hash:net also accepts CIDR ranges, which most lists contain
ipset create blacklist hash:net
# Add entries
ipset add blacklist 1.2.3.4
ipset add blacklist 203.0.113.0/24
# Block the entire set with iptables, inserted ahead of any ACCEPT rules
iptables -I INPUT 1 -m set --match-set blacklist src -j DROP
# Persist the set: netfilter-persistent saves rules but not sets, and the rule
# fails to load at boot if the set does not exist yet, so restore the set first
ipset save > /etc/ipset.conf
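Public lists are rarely clean: they carry comments, blank lines, bare addresses and CIDR ranges side by side, and occasionally a malformed entry that makes ipset abort the whole restore. The script below is an added example, not part of the original article or of any list provider's tooling: it validates each entry and emits ipset restore input with -exist, so the same file can be re-applied on every refresh. The list contents, the set name and the path are constructed assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): convert a downloaded blocklist
# into "ipset restore" input, keeping only syntactically valid IPv4 entries.
# The sample list below is constructed, not a real feed.
set -euo pipefail

SET_NAME=blacklist   # assumed set name, matching the article's examples

# is_ipv4_entry ENTRY: accept "a.b.c.d" or "a.b.c.d/NN" with every octet 0-255
# and a prefix length 0-32; reject anything else (returns non-zero).
is_ipv4_entry() {
    local entry=$1 ip prefix
    case $entry in
        */*) ip=${entry%/*}; prefix=${entry#*/} ;;
        *)   ip=$entry; prefix=32 ;;
    esac
    [[ $prefix =~ ^[0-9]{1,2}$ ]] && (( 10#$prefix <= 32 )) || return 1
    [[ $ip =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]] || return 1
    local IFS=. octet
    for octet in $ip; do
        (( 10#$octet <= 255 )) || return 1   # 10# avoids octal surprises on "08"
    done
}

# blocklist_to_restore LISTFILE: print "ipset restore" commands on stdout and
# report skipped entries on stderr. "-exist" makes re-running idempotent.
blocklist_to_restore() {
    echo "create $SET_NAME hash:net -exist"
    local line entry
    while IFS= read -r line || [[ -n $line ]]; do
        entry=${line%%#*}                 # drop trailing comments
        entry=${entry//[[:space:]]/}      # and all whitespace
        if [[ -z $entry ]]; then continue; fi
        if is_ipv4_entry "$entry"; then
            echo "add $SET_NAME $entry -exist"
        else
            echo "skipping malformed entry: $entry" >&2
        fi
    done <"$1"
}

LIST=$(mktemp)
trap 'rm -f "$LIST"' EXIT
cat >"$LIST" <<'EOF'
# Constructed sample blocklist (not a real feed)
203.0.113.0/24      # scanner range
198.51.100.23
192.0.2.77 # single host

300.1.1.1           # invalid octet, must be skipped
not-an-ip
192.0.2.0/33        # invalid prefix, must be skipped
EOF

blocklist_to_restore "$LIST"
# On a real host (as root), apply and block the set:
#   blocklist_to_restore /path/to/list.txt | ipset restore
#   iptables -I INPUT 1 -m set --match-set blacklist src -j DROP
#   ipset save > /etc/ipset.conf
```

Three "add" lines survive out of seven entries; the three malformed ones are reported on stderr instead of aborting the restore. Run the same pipeline from a timer when the upstream list refreshes; because of -exist the re-run only adds what is new.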
09
What to Do During an Active DDoS Attack
Volumetric attacks (those that saturate the server's uplink or the datacenter's bandwidth) cannot be stopped at the server firewall: by the time a packet reaches iptables it has already consumed the bandwidth. Those need the provider to null-route the target or filter upstream.
- Identify the attack type: volumetric (link saturated, little to do locally), SYN flood (many SYN-RECV sockets, see section 07), or application-layer (many requests or established connections from identifiable sources)
- Check active connections: ss -Htn | awk '{sub(/:[^:]*$/, "", $5); print $5}' | sort | uniq -c | sort -rn | head -20
- Block the top offending IPs with UFW, inserting the rules at position 1 so they take precedence over existing allow rules
- Put the site behind Cloudflare and enable "Under Attack" mode; this only helps if DNS already points at Cloudflare and the origin accepts web traffic from Cloudflare's ranges only, otherwise the attacker keeps hitting the origin address directly
- Contact DeluxHost support if the attack is volumetric: network-level interventions require the provider
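The first step of the checklist, telling the attack types apart, can be done from a single saved ss capture. The script below is an added example, not part of the original article: it summarises a constructed "ss -Htan" capture by TCP state and by peer, and turns the two ratios into a verdict (half-open sockets outnumbering established ones points to a SYN flood; one peer holding most established sockets points to an application-layer source you can block; neither points to a distributed or volumetric attack). The capture, the column layout and the decision thresholds are assumptions to tune for your host.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): first-pass triage of a saved
# "ss -Htan" capture taken during an attack. The capture below is constructed;
# the thresholds in triage() are assumptions.
set -euo pipefail

CAPTURE=$(mktemp)
trap 'rm -f "$CAPTURE"' EXIT

# Constructed sample capture (columns: State Recv-Q Send-Q Local:Port Peer:Port).
# On a live host: ss -Htan > capture.txt
cat >"$CAPTURE" <<'EOF'
LISTEN   0 511 0.0.0.0:443      0.0.0.0:*
SYN-RECV 0 0   10.0.0.5:443     203.0.113.11:40001
SYN-RECV 0 0   10.0.0.5:443     203.0.113.12:40002
SYN-RECV 0 0   10.0.0.5:443     203.0.113.13:40003
SYN-RECV 0 0   10.0.0.5:443     203.0.113.14:40004
SYN-RECV 0 0   10.0.0.5:443     203.0.113.15:40005
SYN-RECV 0 0   10.0.0.5:443     203.0.113.16:40006
SYN-RECV 0 0   10.0.0.5:443     203.0.113.17:40007
SYN-RECV 0 0   10.0.0.5:443     203.0.113.18:40008
ESTAB    0 0   10.0.0.5:443     203.0.113.50:51000
ESTAB    0 0   10.0.0.5:443     203.0.113.50:51001
ESTAB    0 0   10.0.0.5:443     [2001:db8::7]:51002
EOF

# state_counts CAPTURE: sockets per TCP state, listeners excluded ("ESTAB 3")
state_counts() {
    awk '$1 != "LISTEN" {c[$1]++} END {for (s in c) print s, c[s]}' "$1" | sort
}

# peers_by_state CAPTURE STATE: "count peer" for the peers with the most
# sockets in STATE. The port is cut at the last colon, so bracketed IPv6
# peers stay intact.
peers_by_state() {
    awk -v st="$2" '$1 == st {sub(/:[^:]*$/, "", $5); print $5}' "$1" \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# triage CAPTURE: one-word verdict from the two ratios described above
triage() {
    local synrecv estab top_estab
    synrecv=$(awk '$1 == "SYN-RECV" {n++} END {print n + 0}' "$1")
    estab=$(awk '$1 == "ESTAB" {n++} END {print n + 0}' "$1")
    top_estab=$(peers_by_state "$1" ESTAB | awk 'NR == 1 {print $1}')
    if (( synrecv > estab )); then
        echo "syn-flood"            # backlog filling with half-open connections
    elif (( 2 * ${top_estab:-0} > estab )); then
        echo "app-layer-few-peers"  # one peer holds more than half the sockets
    else
        echo "distributed"          # spread out: rate limit, CDN, or provider
    fi
}

state_counts "$CAPTURE"
peers_by_state "$CAPTURE" ESTAB
triage "$CAPTURE"
```

A "syn-flood" verdict sends you to section 07, "app-layer-few-peers" to the blocking and rate-limiting sections with the addresses peers_by_state printed, and "distributed" to Cloudflare and the provider. Run it against several captures a minute apart: a single snapshot of a healthy server under a traffic spike can look like the second case.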