linux
Max, 2018-09-29 00:42:27

Why doesn't the Linux firewall block the IP?

Good afternoon!
OS: Ubuntu 18.04.
A bot is crawling a good hundred of my domains, which contain thousands of pages. It crawls very aggressively and puts a heavy load on the server, fetching images at up to 10 requests/sec.
Usually, after analyzing the logs, I ban bots like this right away through the web interface of the VestaCP panel by adding a rule to the Firewall. It's all very simple: subnet, ports 80,443 = done, and no more requests are seen after that.
Now I can't ban this annoying bot by any means. I'm grepping the logs after adding the rules, and the requests keep coming. I've even added UDP/ICMP as well, and the requests still get through. What could be wrong?

# iptables-save
# Generated by iptables-save v1.6.1 on Sat Sep 29 00:11:25 2018
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [348480:815452129]
:fail2ban-DNS - [0:0]
:fail2ban-FTP - [0:0]
:fail2ban-SSH - [0:0]
:fail2ban-VESTA - [0:0]
:fail2ban-WEB - [0:0]
:vesta - [0:0]
-A INPUT -p udp -m udp --dport 53 -j fail2ban-DNS
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-WEB
-A INPUT -p tcp -m tcp --dport 8083 -j fail2ban-VESTA
-A INPUT -p tcp -m tcp --dport 21 -j fail2ban-FTP
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s SERVER_IP/32 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -s 216.244.66.0/24 -p tcp -m multiport --dports 80,443 -j DROP
--- /// ---- Similar rules --- /// ----
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 21,12000:12100 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p tcp -m multiport --dports 25,465,587,2525 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p tcp -m multiport --dports 110,995 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p tcp -m multiport --dports 143,993 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p tcp -m multiport --dports 3306,5432 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A fail2ban-DNS -s 216.244.66.0/24 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-DNS -j RETURN
-A fail2ban-FTP -j RETURN
-A fail2ban-SSH -j RETURN
-A fail2ban-VESTA -j RETURN
-A fail2ban-WEB -s 216.244.66.0/24 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-WEB -j RETURN
COMMIT
# Completed on Sat Sep 29 00:11:25 2018

Requests for several hours:
# awk '{print $1}' /var/log/apache2/domains/*.log | sort | uniq -c | sort -nr | head -n 50 | grep 216.244
  17755 216.244.66.230
  15969 216.244.66.236
  11103 216.244.66.202
  10769 216.244.66.196
   8574 216.244.66.200
   8076 216.244.66.239

1 answer
Dmitry Shitskov, 2018-09-29
@Zarom

Maybe it's this one, above:
Packets go through this rule because the connections are already established.
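Added example (not code from the thread, VestaCP or fail2ban): a first-match simulator for an iptables-save filter chain, to make the ordering problem concrete. The INPUT chain is walked top to bottom and the first terminating target wins, so a DROP appended after `-m state --state RELATED,ESTABLISHED -j ACCEPT` is never reached by packets of a connection the bot opened before the ban (HTTP keep-alive flows stay ESTABLISHED in conntrack). The simulated chain is a constructed subset of the dump in the question: the fail2ban chains are left out so only the VestaCP DROP and the state rule interact, and the `SERVER_IP` placeholder is replaced with the documentation address 203.0.113.10. `chain_with_ban(1)` models `iptables -I INPUT 1 -s 216.244.66.0/24 -p tcp -m multiport --dports 80,443 -j DROP`, which puts the ban ahead of the state rule. The parser also follows jumps into user chains (with `RETURN`), so the full dump can be loaded once `SERVER_IP` is substituted.

```python
# Added example (not from the thread): a first-match simulator for an iptables-save
# filter chain, showing why a DROP below the RELATED,ESTABLISHED ACCEPT never sees
# packets of a connection that was already open when the rule was added.
import ipaddress
import shlex
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    chain: str
    target: str
    text: str
    src: Optional[ipaddress.IPv4Network] = None
    proto: Optional[str] = None
    dports: tuple = ()               # inclusive (lo, hi) port ranges
    states: frozenset = frozenset()  # -m state --state values

Packet = namedtuple("Packet", "src proto dport state")  # state: NEW, ESTABLISHED, RELATED, INVALID

def parse_rule(line: str) -> Optional[Rule]:
    """Parse one '-A CHAIN ... -j TARGET' line; any other line yields None."""
    tok = shlex.split(line)
    if len(tok) < 2 or tok[0] != "-A":
        return None
    rule = Rule(chain=tok[1], target="", text=line.strip())
    for opt, arg in zip(tok[2::2], tok[3::2]):   # every option here takes one argument
        if opt == "-s":
            rule.src = ipaddress.ip_network(arg, strict=False)
        elif opt == "-p":
            rule.proto = arg
        elif opt in ("--dport", "--dports"):      # '80,443' or '12000:12100'
            rule.dports = tuple((int(p.split(":")[0]), int(p.split(":")[-1])) for p in arg.split(","))
        elif opt == "--state":
            rule.states = frozenset(arg.split(","))
        elif opt == "-j":
            rule.target = arg
        elif opt not in ("-m", "--reject-with"):  # match-module names carry no data
            raise ValueError(f"unsupported option {opt!r} in {line!r}")
    return rule

def load(dump: str):
    """Return (rules, chain policies) from iptables-save filter-table text."""
    rules, policies = [], {}
    for line in dump.strip().splitlines():
        if line.startswith(":"):                  # ':CHAIN POLICY [pkts:bytes]'
            name, policy = line[1:].split()[:2]
            policies[name] = None if policy == "-" else policy
        elif (rule := parse_rule(line)) is not None:
            rules.append(rule)
    return rules, policies

def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.src is not None and ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dports and not any(lo <= pkt.dport <= hi for lo, hi in rule.dports):
        return False
    return not rule.states or pkt.state in rule.states

def verdict(rules, policies, pkt: Packet, chain: str = "INPUT"):
    """Walk the chain top to bottom as netfilter does; the first matching terminating target
    wins. Jumps recurse into user chains; RETURN or falling off the end resumes the caller."""
    for rule in rules:
        if rule.chain != chain or not matches(rule, pkt):
            continue
        if rule.target in ("ACCEPT", "DROP", "REJECT"):
            return rule.target, rule.text
        if rule.target == "RETURN":
            return None, rule.text
        sub = verdict(rules, policies, pkt, chain=rule.target)
        if sub[0] is not None:
            return sub
    return policies.get(chain), f"{chain} chain policy"

# Constructed subset of the INPUT chain from the question: fail2ban chains left out so
# only the VestaCP DROP and the state rule interact; SERVER_IP replaced by 203.0.113.10.
BASE = [
    ":INPUT DROP [0:0]",
    "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT",
    "-A INPUT -s 203.0.113.10/32 -j ACCEPT",
    "-A INPUT -s 127.0.0.1/32 -j ACCEPT",
    "-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT",
    "-A INPUT -p icmp -j ACCEPT",
]
BAN = "-A INPUT -s 216.244.66.0/24 -p tcp -m multiport --dports 80,443 -j DROP"

def chain_with_ban(position: int) -> str:
    """BASE with the ban as rule number `position`, where `iptables -I INPUT N` would put it."""
    lines = BASE[:]
    lines.insert(position, BAN)   # index 0 is the policy line, so rule N lands at index N
    return "\n".join(lines)

def bot_verdicts(dump: str):
    """Verdicts for a pre-ban keep-alive request and a post-ban fresh SYN from the crawler."""
    rules, policies = load(dump)
    keepalive = Packet("216.244.66.230", "tcp", 443, "ESTABLISHED")
    fresh_syn = Packet("216.244.66.230", "tcp", 80, "NEW")
    return verdict(rules, policies, keepalive), verdict(rules, policies, fresh_syn)
```

With the ban where the panel appended it (`chain_with_ban(4)`), the keep-alive packet is accepted by the state rule and only a brand-new SYN hits the DROP; with the ban inserted first (`chain_with_ban(1)`) both are dropped. On a real host the equivalent is either `iptables -I INPUT 1 ...` so the ban precedes the state rule, or keeping the panel's placement and also deleting the bot's entries from the connection table with `conntrack -D -s <ip>` (from the conntrack-tools package) so its open connections stop matching ESTABLISHED.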
