
Block Repeated Attacks from Multiple IPs

TL;DR

You’re getting attacked from lots of different IP addresses in various countries. This guide shows you how to block them at the host firewall (iptables), automate the banning with fail2ban (a log watcher that adds firewall rules for you; it is not a web application firewall), optionally put a real WAF in front of the application, and investigate where the traffic comes from.

Solution Guide

  1. Understand the Problem
    • Multiple IP addresses are attempting unwanted access to your system.
    • These IPs originate from different geographical locations, suggesting a distributed attack or compromised systems.
    • Blocking individual IPs is tedious and ineffective if the attacker keeps changing them.
  2. Identify Attacking IPs
    • Log Analysis: Check your server logs (e.g., Apache access logs, Nginx error logs, system logs) for suspicious activity. Look for repeated failed login attempts, unusual requests, or errors.
    • Security Tools: Use tools like fail2ban, intrusion detection systems (IDS), or web application firewalls (WAFs) to automatically identify and log attacking IPs.
    • Example Log Snippet (Apache):
      192.0.2.1 - - [10/Oct/2023:14:55:37 +0000] "GET /wp-login.php HTTP/1.1" 403 162
  3. Block IPs using a Firewall (iptables example)
    • Single IP Block: To block a single IP address, insert the rule at the top of the INPUT chain so it is evaluated before any existing ACCEPT rule (a DROP appended with -A after an ACCEPT that already matches the traffic is never reached):
      sudo iptables -I INPUT -s 192.0.2.1 -j DROP
    • Multiple IPs Block (using a script): Create a file (e.g., block_ips.sh) with the list of IPs and run it:
      #!/bin/bash
      set -eu
      # Documentation-range placeholders; replace with the addresses from your logs.
      IP_LIST="192.0.2.1 203.0.113.5 198.51.100.42"
      for IP in $IP_LIST; do
        sudo iptables -I INPUT -s "$IP" -j DROP
      done

      Make the script executable: chmod +x block_ips.sh and run it: ./block_ips.sh
      Verify the rules with sudo iptables -L INPUT -n --line-numbers. iptables only handles IPv4; IPv6 attackers need the same rule added with ip6tables. For hundreds of addresses, a single ipset matched by one rule scales far better than one rule per IP.

    • Save iptables rules: iptables rules are not persistent by default. Save them so they survive a reboot.
      • Debian/Ubuntu: sudo apt-get install iptables-persistent; sudo netfilter-persistent save
      • CentOS/RHEL: sudo yum install iptables-services; sudo service iptables save
  4. Automate Blocking with fail2ban
    • Install fail2ban: sudo apt-get install fail2ban (Debian/Ubuntu) or sudo yum install fail2ban (CentOS/RHEL).
    • Configure Jail: Create a local override file, /etc/fail2ban/jail.local (do not edit jail.conf, which package upgrades overwrite), to define which logs are watched and when an IP is banned. In the example below, three failed SSH logins (maxretry) within the default findtime of 10 minutes ban the IP for the default bantime of 10 minutes; raise bantime for persistent attackers.
      [DEFAULT]
      banaction = iptables-multiport
      ignoreip = 127.0.0.1/8 ::1
      
      [sshd]
      enabled = true
      port = ssh
      logpath = %(sshd_log)s
      maxretry = 3
    • Restart fail2ban: sudo systemctl restart fail2ban, then confirm the jail is active and see what it has banned with sudo fail2ban-client status sshd.
  5. Consider a Web Application Firewall (WAF)
    • WAFs offer more sophisticated protection against web-based attacks. They can block malicious requests based on patterns, signatures, and reputation.
    • Examples: Cloudflare, ModSecurity, Sucuri.
  6. Investigate the Source (Optional)
    • GeoIP Lookup: Use a GeoIP lookup tool to determine the countries where the attacking IPs are located.

      Online tools or libraries like geoip2 can help with this.

    • WHOIS Lookup: Perform WHOIS lookups on the IP addresses to identify the owning network. The registrant is usually a hosting provider or ISP rather than the attacker, but the record’s abuse contact is where to send a report with your log excerpts.
    • Reverse DNS Lookup: Check the reverse DNS record for each IP address to see if it reveals any clues about the attacker.
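Putting steps 2 and 3 together, here is an added example (not code from the original page) that applies fail2ban’s maxretry/findtime idea from step 4 to a static Apache access log: it parses each line, counts non-redirect hits on login endpoints per IP inside a sliding 10-minute window, skips an allowlist, and renders the iptables/ip6tables rules. The log lines are constructed test data, and the allowlisted admin address 198.51.100.250 is an assumption.

```python
#!/usr/bin/env python3
"""Find IPs that hammer login endpoints in an Apache access log and render
the matching firewall rules. Added example for this guide; the log lines are
constructed, and the allowlisted admin address 198.51.100.250 is assumed."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache common/combined format: ip identd user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Never ban loopback or the (hypothetical) admin host; mirrors fail2ban's ignoreip.
ALLOWLIST = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128", "198.51.100.250/32")]

# Endpoints that are only interesting when hit repeatedly.
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")

# Constructed sample log: an IPv4 brute-forcer, a slow scanner, an IPv6
# brute-forcer, the allowlisted admin, one successful login (302), one junk line.
SAMPLE_LOG = """\
192.0.2.1 - - [10/Oct/2023:14:55:37 +0000] "GET /wp-login.php HTTP/1.1" 403 162
192.0.2.1 - - [10/Oct/2023:14:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
192.0.2.1 - - [10/Oct/2023:14:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
203.0.113.5 - - [10/Oct/2023:14:56:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370
203.0.113.5 - - [10/Oct/2023:15:10:15 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370
203.0.113.5 - - [10/Oct/2023:15:25:40 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370
2001:db8::7 - - [10/Oct/2023:14:57:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
2001:db8::7 - - [10/Oct/2023:14:57:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
2001:db8::7 - - [10/Oct/2023:14:57:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
198.51.100.250 - - [10/Oct/2023:14:58:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
198.51.100.250 - - [10/Oct/2023:14:58:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
198.51.100.250 - - [10/Oct/2023:14:58:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
198.51.100.9 - - [10/Oct/2023:14:59:00 +0000] "POST /wp-login.php?redirect_to=/wp-admin/ HTTP/1.1" 302 0
this line is not an access-log entry
"""


def parse_line(line):
    """Return (ip, timestamp, path, status) or None for lines that are not log entries."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FORMAT)
    path = m.group("path").split("?", 1)[0]          # drop the query string
    return m.group("ip"), ts, path, int(m.group("status"))


def is_allowlisted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWLIST)


def find_offenders(lines, threshold=3, window=timedelta(minutes=10)):
    """IPs with at least `threshold` non-redirect hits on a login path inside any
    `window`: the maxretry/findtime logic fail2ban applies, run over a file.
    WordPress answers a failed POST with 200 and a successful one with 302,
    so 3xx responses are not counted as attempts."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, path, status = parsed
        if path in LOGIN_PATHS and not 300 <= status < 400:
            hits[ip].append(ts)
    offenders = []
    for ip, stamps in hits.items():
        if is_allowlisted(ip):
            continue
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:        # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                offenders.append(ip)
                break
    return sorted(offenders)


def firewall_commands(ips):
    """One DROP rule per IP, inserted (-I) at the top of INPUT so it wins over
    any earlier ACCEPT; IPv6 addresses need ip6tables, iptables is IPv4 only."""
    cmds = []
    for ip in ips:
        tool = "ip6tables" if ipaddress.ip_address(ip).version == 6 else "iptables"
        cmds.append(f"{tool} -I INPUT -s {ip} -j DROP")
    return cmds


if __name__ == "__main__":
    bad = find_offenders(SAMPLE_LOG.splitlines())
    print("\n".join(firewall_commands(bad)))
```

Run against a real log with `find_offenders(open("/var/log/apache2/access.log"))`, review the printed rules, and only then pipe them through `sudo sh`. The slow scanner (203.0.113.5) is deliberately missed because its three hits span more than the window; that is the trade-off a findtime always makes, and the cost of lowering the threshold is banning users who simply mistype a password.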