>>> Hi, my site is being ravaged by an IP but dropping the IP via
>>> shorewall is seeming to have no effect. I'm using his IP from nginx
>>> logs. IP blocking in shorewall has always worked before. What could
>>> be happening?
>>
>> I'm blocking like this with the firewall running on the web server:
>>
>> /etc/shorewall/rules
>> DROP net:1.2.3.4 $FW
>>
>> Could shorewall/iptables see a different IP address than the one seen by
>> nginx?
>
> Most likely the file is configured but the firewall service wasn't
> restarted or the rules not loaded.
I restarted shorewall plenty. :) I believe the issue was either a persistent
connection which conntrack-tools would have allowed me to flush, or my
blocking in /etc/shorewall/rules instead of /etc/shorewall/blrules, or both.

> But as Jeremi pointed out, fail2ban is a far superior tool for this.
> OSSEC with its active response is also good.
> There are quite a few more tools in this space, and they all work much
> the same way - scan logs looking for dodgy stuff going on, then
> dynamically apply a packet filter rule. The software also does it all
> day every day, and that's a record you the human cannot hope to match :-)

I'm happy to say fail2ban is running now:

# fail2ban-client status
Status
|- Number of jail: 10
`- Jail list: nginx-botsearch, nginx-http-auth, nginx-limit-req, pam-generic, php-url-fopen, postfix, postfix-rbl, postfix-sasl, sshd, sshd-ddos

I should probably play with the config a bit. I'm pretty much using defaults.
For example I think the sshd hackers make their attempts really slowly but it
would be nice to ban them anyway:

# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 2
|  |- Total failed: 58
|  `- File list: /var/log/sshd/current
`- Actions
   |- Currently banned: 0
   |- Total banned: 3
   `- Banned IP list:

Also I wish fail2ban-client would display a tally of all fails and bans with a
single command.

- Grant
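A small script, added here as an example and not part of the thread, that gives the single-command tally of fails and bans across all jails that Grant asks for, by parsing the fail2ban-client status output shown above. It assumes that output format; demo_client is a constructed stand-in for fail2ban-client so the script runs offline (its sshd numbers are the ones quoted above, the nginx-http-auth ones are made up).

```shell
#!/bin/sh
# Added example: tally "Total failed" / "Total banned" over every fail2ban jail.
# Assumes `fail2ban-client status` and `fail2ban-client status <jail>` print
# the tree format quoted in the message above.

# jail_names: read `fail2ban-client status` output on stdin, print one jail per line
jail_names() {
    sed -n 's/^.*Jail list:[[:space:]]*//p' | tr ',' '\n' \
        | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' | grep -v '^$' || true
}

# jail_counts: read `fail2ban-client status <jail>` output on stdin and
# print "<total failed> <total banned>" (0 for a field that is missing)
jail_counts() {
    awk '/Total failed:/ { f = $NF } /Total banned:/ { b = $NF }
         END { printf "%d %d\n", f, b }'
}

# tally_all CLIENT: CLIENT is any command accepting fail2ban-client arguments.
# Prints "<jail> <failed> <banned>" per jail, then a TOTAL line.
tally_all() {
    client="$1"; tf=0; tb=0
    for jail in $("$client" status | jail_names); do
        counts=$("$client" status "$jail" | jail_counts)
        f=${counts% *}; b=${counts#* }
        printf '%s %s %s\n' "$jail" "$f" "$b"
        tf=$((tf + f)); tb=$((tb + b))
    done
    printf 'TOTAL %s %s\n' "$tf" "$tb"
}

# demo_client: constructed stand-in for fail2ban-client (offline sample data)
demo_client() {
    case "$1 $2" in
        "status ")
            printf '%s\n' 'Status' '|- Number of jail: 2' \
                '`- Jail list: sshd, nginx-http-auth' ;;
        "status sshd")
            printf '%s\n' 'Status for the jail: sshd' '|- Filter' \
                '|  |- Currently failed: 2' '|  |- Total failed: 58' \
                '`- Actions' '   |- Currently banned: 0' '   |- Total banned: 3' ;;
        "status nginx-http-auth")
            printf '%s\n' 'Status for the jail: nginx-http-auth' '|- Filter' \
                '|  |- Total failed: 12' '`- Actions' '   |- Total banned: 1' ;;
    esac
}

# Real use: FAIL2BAN_CLIENT=fail2ban-client sh tally.sh (needs root, like the client)
tally_all "${FAIL2BAN_CLIENT:-demo_client}"
```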