[CentOS] Simple way to banish IP addresses ?

Fri Oct 9 19:56:56 UTC 2009
Warren Young <warren at etr-usa.com>

Toby Bluhm wrote:
> 
> Try fail2ban from rpmforge.

The main problem with fail2ban is that it's based on Python, so it takes 
a fair bit of memory.  This isn't a big problem on a dedicated server or 
on a system with swap, but a lot of these attacks are made against 
shared servers or those running virtual machine schemes like OpenVZ, 
which don't allow swap, so you don't have enough memory to run something 
so heavy.

What I do on my VPS is periodically look at the logs and ban attackers 
by hand with this script, which I call iptdrop:

	#!/bin/sh
	# iptdrop: drop all traffic from one address and remember it across reboots
	DROPFILE=/etc/network/iptables-drops
	if [ -n "$1" ] ; then
		iptables -I INPUT -s "$1" -j DROP
		echo "$1" >> "$DROPFILE"
	else
		echo "usage: $0 ipaddress" >&2
		exit 1
	fi

Then in /etc/rc.local:

	# re-apply every ban saved by iptdrop
	while read -r ip ; do
		iptables -I INPUT -s "$ip" -j DROP
	done < /etc/network/iptables-drops

That restores any bans on reboot.

After a week or three, I remove the IP from the list, on the theory that 
it might be some bot-infested PC behind DHCP, and so has probably moved on.
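An added example, not part of Warren's message or the list thread: the same ban-by-hand scheme as one POSIX sh script that also covers the two things a practitioner will want from it, input validation (so a mistyped or copy-pasted string from a log cannot become a bogus iptables rule) and the "after a week or three" expiry. The assumptions are mine, not the post's: the drop file gains a second column with the UNIX time the ban was added (lines without one, the original format, are kept until removed by hand), the DROPFILE and IPTABLES variables exist so the script can be dry-run, and iptables -D with the same rule specification removes the rule the ban inserted. The file path is the one from the post.

```shell
#!/bin/sh
# iptdrop.sh: ban, restore and expire per-address DROP rules.
# Added example for this thread; not the script from the original post.
# Assumption (not from the thread): the drop file carries a second column,
# the UNIX time the ban was added, so bans can be aged out. Lines without
# a timestamp (the original one-address-per-line format) are kept as-is.

DROPFILE="${DROPFILE:-/etc/network/iptables-drops}"   # ban list on disk
IPTABLES="${IPTABLES:-iptables}"                       # set to ':' for a dry run

now() { date +%s; }

# valid_ipv4 ADDR: succeed only for a dotted quad with octets 0-255.
# Runs in a subshell so the IFS change and positional parameters stay local.
valid_ipv4() (
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) exit 1 ;;
    esac
    IFS=.
    set -- $1
    [ "$#" -eq 4 ] || exit 1
    for octet in "$@"; do
        case "$octet" in ????*) exit 1 ;; esac   # 4+ digits can never be <= 255
        [ "$octet" -le 255 ] || exit 1
    done
    exit 0
)

# is_banned ADDR: succeed if ADDR is already recorded in DROPFILE.
# Exact first-field comparison, so 10.1.1.1 does not match 10.1.1.10.
is_banned() {
    [ -f "$DROPFILE" ] &&
        awk -v a="$1" '$1 == a { found = 1 } END { exit found ? 0 : 1 }' "$DROPFILE"
}

# ban_ip ADDR: insert a DROP rule and record the ban with a timestamp.
# Rejects malformed input and skips addresses already on the list so the
# INPUT chain does not fill with duplicate rules.
ban_ip() {
    addr=$1
    if ! valid_ipv4 "$addr"; then
        echo "iptdrop: not an IPv4 address: $addr" >&2
        return 1
    fi
    if is_banned "$addr"; then
        echo "iptdrop: $addr is already banned" >&2
        return 0
    fi
    $IPTABLES -I INPUT -s "$addr" -j DROP || return 1
    echo "$addr $(now)" >> "$DROPFILE"
}

# restore_bans: re-insert every recorded rule (for rc.local after a reboot).
restore_bans() {
    [ -f "$DROPFILE" ] || return 0
    while read -r addr stamp; do
        [ -n "$addr" ] || continue
        $IPTABLES -I INPUT -s "$addr" -j DROP
    done < "$DROPFILE"
}

# expire_bans [DAYS]: lift bans older than DAYS (default 21) and drop them
# from the file. 'iptables -D' with a rule specification deletes the first
# rule that matches it, i.e. the one ban_ip or restore_bans inserted.
expire_bans() {
    days=${1:-21}
    [ -f "$DROPFILE" ] || return 0
    cutoff=$(( $(now) - $days * 86400 ))
    tmp="$DROPFILE.tmp.$$"
    : > "$tmp"
    while read -r addr stamp; do
        [ -n "$addr" ] || continue
        if [ -n "$stamp" ] && [ "$stamp" -lt "$cutoff" ]; then
            $IPTABLES -D INPUT -s "$addr" -j DROP
            echo "iptdrop: expired ban on $addr" >&2
        else
            echo "$addr${stamp:+ $stamp}" >> "$tmp"
        fi
    done < "$DROPFILE"
    mv "$tmp" "$DROPFILE"
}

main() {
    case "$1" in
        ban)     shift; for a in "$@"; do ban_ip "$a"; done ;;
        restore) restore_bans ;;
        expire)  expire_bans "$2" ;;
        *)       echo "usage: $0 ban ADDRESS... | restore | expire [DAYS]" >&2; return 1 ;;
    esac
}

# Dispatch only when invoked with arguments, so the functions can be sourced.
[ "$#" -eq 0 ] || main "$@"
```

Usage follows the post: `iptdrop.sh ban 192.0.2.1` after reading the logs, `iptdrop.sh restore` from rc.local, and `iptdrop.sh expire 21` from a weekly cron job to lift bans older than three weeks. Running with `IPTABLES=:` exercises the bookkeeping without touching the firewall, which is how the functions can be checked as a non-root user.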