Malware
sarapulov_k, 2020-09-10 13:19:59

How to restrict outgoing requests from a specific user or IP on Ubuntu 16.04.4?

Hello!

There was a problem on the server. A virus has appeared on one of the sites (which one is not known), and this virus uses server resources. The server received a complaint (specifically about a specific IP). If the problem is not solved, then within the next 24 hours the IP on the server will be blocked.

How can I block outgoing connections from a specific IP address or user?

I tried using the ufw service, but it didn't work:

sudo ufw deny from 123.456.789.123


2 answer(s)
Dmitry, 2020-09-10
@sarapulov_k

With "bare" iptables (and, accordingly, on any Linux distribution), the task can be solved like this:

modprobe nf_conntrack
iptables -A OUTPUT -s server_ip -m state --state established,related -j ACCEPT
iptables -A OUTPUT -s server_ip -m state --state new,invalid -j DROP

The first command loads the iptables module, which allows monitoring the status of TCP connections.
The second allows outgoing traffic from the server for previously established connections that are in the conntrack table.
The third one drops packets related to connections initiated by the server itself.
I.e., the server will continue to accept incoming connections and respond to them, but will lose the ability to establish connections itself.
To be sure, after them you can also give the command to clear established connections (the conntrack package may not be installed by default):
conntrack -F
But of course, it's better to deal directly with the cause of the traffic than to try to block it.
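
The rules from the answer above, extended to the per-user case the question also asks about and with a logging rule to help trace the source of the traffic. This is an added example, not part of either answer; the function names, the log prefix, the address 203.0.113.10 and the user www-data are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: prints the rules instead of applying them, so they can be
# reviewed first (then run as root). Function names and the log prefix are
# hypothetical.

# valid_ipv4 ADDR: succeed only for a dotted quad with octets 0..255.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split the address on dots
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# egress_rules SERVER_IP [USER]: print one command per line.
# With USER, only that account loses new outbound connections (owner match,
# valid in the OUTPUT chain only); without it, the whole address does.
egress_rules() {
    valid_ipv4 "$1" || { echo "invalid IPv4 address: $1" >&2; return 2; }
    case "${2:-}" in
        *[!A-Za-z0-9_-]*) echo "invalid user name: $2" >&2; return 2 ;;
    esac
    match="-s $1"
    if [ -n "${2:-}" ]; then
        match="$match -m owner --uid-owner $2"
    fi
    new="$match -m state --state NEW,INVALID"
    echo "modprobe nf_conntrack"
    # Replies on connections opened by clients keep flowing.
    echo "iptables -A OUTPUT -s $1 -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Log before dropping: --log-uid records which account opened the socket.
    echo "iptables -A OUTPUT $new -j LOG --log-uid --log-prefix egress-drop:"
    echo "iptables -A OUTPUT $new -j DROP"
}

# Constructed sample values: 203.0.113.10 (documentation range), www-data.
egress_rules 203.0.113.10 www-data
```

The LOG lines land in the kernel log, where the recorded UID and destination show which account is generating the outbound traffic.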

Zzzz9, 2020-09-10
@Zzzz9

Do you want to block incoming packets to your server from a specific IP address? Did I understand the question correctly?
