On Sun, Apr 19, 2020 at 8:58 AM Jeffrey Walton <noloader at gmail.com> wrote:
>
> Hi Everyone,
>
> We rent a CentOS 7 VM from GoDaddy. We received a warning about
> excessive cpu usage, and a threat to cancel our service. We tracked it
> down to Apache and someone hammering our web server.
>
> The offending host is 59.64.129.175. To err on the side of caution we
> attempted to block the entire netblock. According to whois data,
> that's 59.64.128.0-59.64.159.255.
>
> iptables -A INPUT -s 59.64.128.0/19 -p TCP -j DROP
>
> After reboot cpu usage is still high and access_log still shows
> useless requests from the host:
>
> 59.64.129.175 - - [19/Apr/2020:08:53:53 -0400] "GET
> /w/index.php?title=Special:WhatLinksHere&limit=50&
> printable=yes HTTP/1.1" 301 311
>
> I seem to be missing something. That's not surprising since I am not a
> server administrator.
>
> How do I filter the unwanted traffic from the netblock?

Thanks Mike and Mark. This is where I am at...

I'm following
https://www.howtogeek.com/177621/the-beginners-guide-to-iptables-the-linux-firewall/
because GoDaddy has not published any documents on this (other than
use cPanel, which I don't have access to).

The rule is persisted but it is being ignored.

# iptables -L | grep policy
Chain INPUT (policy ACCEPT)
Chain FORWARD (policy ACCEPT)
Chain OUTPUT (policy ACCEPT)

# iptables -A INPUT -s 59.64.128.0/19 -p TCP -j DROP

# /sbin/service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables: [OK]

<reboot, top still shows high usage, logs still show requests from offender>

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
DROP       tcp  --  59.64.128.0/19       anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

We really need the server to honor this rule. How do we get CentOS to
use this rule?

Jeff
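
An added example, not part of the original post: netfilter walks a chain top to bottom and stops at the first rule with a terminating target, so a DROP appended after the ACCEPT and REJECT rules in the listing above is never reached. The sketch models that over a constructed `iptables -S`-style copy of the listing; it assumes the bare `ACCEPT all` line is the loopback rule and that the public interface is named `eth0`.

```shell
# BASE: constructed `iptables -S INPUT`-style rendering of the post's listing.
# Assumption: the bare "ACCEPT all" line in the post is the loopback rule (-i lo).
BASE='-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'
DROP_RULE='-A INPUT -s 59.64.128.0/19 -p tcp -j DROP'
RULES_APPENDED="$BASE
$DROP_RULE"            # order produced by `iptables -A INPUT ...` in the post
RULES_INSERTED="$DROP_RULE
$BASE"                 # order `iptables -I INPUT 1 ...` would produce

# Dotted quad -> 32-bit integer (subshell body keeps IFS and args local).
ip2int() ( IFS=.; set -- $1; echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )) )
# in_cidr IP NET[/LEN]: succeed if IP lies inside the network.
in_cidr() (
  net=${2%/*}; bits=${2#*/}
  if [ "$bits" = "$2" ]; then bits=32; fi
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
)

# first_match RULES SRC PROTO DPORT IFACE STATE: print "N TARGET" for the
# first rule whose criteria all match; later rules are never consulted.
first_match() (
  rules=$1 src=$2 proto=$3 dport=$4 iface=$5 state=$6 n=0
  printf '%s\n' "$rules" | while read -r line; do
    n=$((n + 1)); ok=1; target=
    set -- $line
    while [ $# -gt 0 ]; do
      case $1 in
        -s)      in_cidr "$src" "$2" || ok=0; shift ;;
        -p)      [ "$2" = "$proto" ] || ok=0; shift ;;
        -i)      [ "$2" = "$iface" ] || ok=0; shift ;;
        --dport) [ "$2" = "$dport" ] || ok=0; shift ;;
        --state) case ",$2," in *",$state,"*) ;; *) ok=0 ;; esac; shift ;;
        -j)      target=$2; shift ;;
      esac
      shift
    done
    if [ "$ok" = 1 ] && [ -n "$target" ]; then echo "$n $target"; break; fi
  done
)

# New HTTP request from the offending host; eth0 is an assumed interface name.
echo "appended: $(first_match "$RULES_APPENDED" 59.64.129.175 tcp 80 eth0 NEW)"
echo "inserted: $(first_match "$RULES_INSERTED" 59.64.129.175 tcp 80 eth0 NEW)"
```

On the live host, `iptables -L INPUT -n -v --line-numbers` shows each rule's position, its interface match, and packet counters, which confirms whether the DROP rule is ever hit.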