Blog | G5 Cyber Security

Block Multiple Attacker IPs

TL;DR

An attack is coming from many different IP addresses. This guide shows you how to quickly block those IPs using a firewall (like iptables on Linux or Windows Firewall) and potentially use a web application firewall (WAF) if the attack targets your website.

Step-by-step Guide

  1. Identify the Attacking IPs: You need a list of the IP addresses involved in the attack. This information usually comes from:
    • Server Logs: Check your web server logs (e.g., Apache access logs, Nginx access logs) for repeated requests from suspicious IPs.
    • Firewall Logs: Your firewall may log blocked attempts and the source IPs.
    • Intrusion Detection System (IDS): If you have an IDS, it will likely alert you to malicious activity and provide IP addresses.
    • Security Information and Event Management (SIEM) system: A SIEM can aggregate logs from multiple sources and identify attack patterns.
  2. Block IPs with Your Firewall (Linux – iptables example): iptables is a common Linux firewall.
    sudo iptables -A INPUT -s <IP_ADDRESS> -j DROP

    Replace <IP_ADDRESS> with the actual IP address you want to block. Repeat this command for each IP. Note that -A appends the rule to the end of the INPUT chain, so it only takes effect if no earlier rule already accepts that traffic; use -I INPUT instead to insert the block at the top of the chain.

    To make these rules permanent (so they survive a reboot), save them:

    sudo iptables-save > /etc/iptables/rules.v4

    (The exact location of the rules file may vary depending on your distribution.)

  3. Block IPs with Your Firewall (Windows Firewall example): Use PowerShell.
    New-NetFirewallRule -DisplayName "Block Attacker IP" -Direction Inbound -RemoteAddress <IP_ADDRESS> -Action Block

    Replace <IP_ADDRESS> with the attacker’s IP. Repeat for each IP.

    You can list existing rules to verify:

    Get-NetFirewallRule | Where-Object {$_.DisplayName -like "Block Attacker IP"}
  4. Consider a Web Application Firewall (WAF): If the attack targets your website, a WAF can provide more sophisticated protection.
    • Cloudflare: Cloudflare offers a free and paid WAF service. You can block IPs through their dashboard.
    • Sucuri: Sucuri is another popular WAF provider.
    • ModSecurity (Apache/Nginx): ModSecurity is an open-source WAF that you can install on your server. Configuration is more complex but offers greater control.
  5. Rate Limiting: Instead of blocking IPs outright, consider rate limiting requests from specific IPs. This allows legitimate users from the same IP to access your service while mitigating brute-force attacks.
    • iptables (Linux): Use the limit module in iptables (the limit module applies one rate to all matching traffic; hashlimit with --hashlimit-mode srcip rate limits per source address).
    • WAF: Most WAFs have rate limiting features.
  6. Monitor and Adjust: After blocking IPs, monitor your logs to see if the attack has stopped. If new IPs are involved, add them to your blocklist.
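As an added example that is not part of the original post, the shell script below joins steps 1, 2 and 6: it counts requests per client IP in an Apache/Nginx combined-format access log, keeps the IPs above a threshold, validates them, and prints one iptables DROP rule per address for review. The log lines, the threshold of 2 and the temporary log path are constructed assumptions.

```sh
#!/bin/sh
# Added example (not from the original post): one pass over a web server
# access log that finds noisy client IPs and emits the matching iptables rules.
# Sample log lines are constructed; the threshold and log path are assumptions.

# Print client IPs (first field of the combined log format) seen more than
# $2 times in log file $1, one per line, sorted.
suspicious_ips() {
    awk -v t="$2" '{ n[$1]++ } END { for (ip in n) if (n[ip] > t) print ip }' "$1" | sort
}

# Read IPs on stdin and print an iptables rule for each one that is a plain
# IPv4 address; anything else is skipped so a malformed log field never
# becomes a firewall rule. Only prints the commands: review the list, then
# run it with root privileges (the post's commands use sudo).
block_rules() {
    while IFS= read -r ip; do
        printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || continue
        printf 'iptables -A INPUT -s %s -j DROP\n' "$ip"
    done
}

# Constructed sample access log: two IPs hammer /login, 10.0.0.9 is a normal visitor.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "POST /login HTTP/1.1" 401 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "POST /login HTTP/1.1" 401 512
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "POST /login HTTP/1.1" 401 512
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 2048
203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [01/Jan/2024:10:00:06 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [01/Jan/2024:10:00:07 +0000] "POST /login HTTP/1.1" 401 512
EOF

# Usage: more than 2 requests from one IP is treated as suspicious (assumed threshold).
# Re-run against the live log later (step 6) to pick up newly involved IPs.
suspicious_ips "$SAMPLE_LOG" 2 | block_rules
```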

Important Considerations
