So lately, we had some incidents on a VPS I own for personal use with some DoS attack. Fortunately, everything came from the same IP (some bot was trying things), so it was easy to just ban it and live happily ever after. How did I do it?
So, to start, you need to see who is hammering your machine. There are many command-line tools for real-time network monitoring; I think iftop is a great one and it works for me. OK, next? I am using ufw, as it is a great Linux firewall. But there is a catch. Let's say you found the IP you want to block and you type the following block command:
sudo ufw deny from x.x.x.x to any
After you run iftop again, you still see traffic from that IP. What is wrong here? The obvious first check is ufw status, where you see both the rule and "Status: active". So what is wrong? ufw evaluates its rules in order, and the first rule that matches a packet wins, so the position of a rule matters. To see the actual order you need to type
sudo ufw status numbered
which prints every rule with its position number. If you have a rule like 443 ALLOW IN Anywhere and you add the IP ban rule below it, the allow rule matches the attacker's connections first and the ban never fires. You need to add the ban above it. So the actual command for placing the rule at the top of the list is:
sudo ufw insert 1 deny from x.x.x.x to any
This puts the rule at position 1, ahead of every other user rule, so new connections from that IP are dropped no matter which allow rules follow. Two caveats: ufw accepts packets of already-established connections before it reaches the user rules, so a TCP session that was open when you inserted the ban survives until it ends or you clear its conntrack entry (for example, conntrack -D -s x.x.x.x from conntrack-tools); and a rule for an IPv4 address only goes into the IPv4 rule set, so an IPv6 attacker needs its own rule. If you did something wrong, you can delete a rule by its number:
sudo ufw delete 5
deletes rule number 5. The remaining rules are renumbered after a deletion, so run sudo ufw status numbered again before deleting another one.
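As an added example that is not part of the original post, the following POSIX shell script parses the output of sudo ufw status numbered and tells you whether a deny rule for an address sits below an inbound ALLOW rule that could shadow it. The two status listings embedded in it are constructed for the example (203.0.113.7 is a documentation address); the script assumes the "[ n] To / Action / From" line layout shown, skips the (v6) entries because they belong to the separate IPv6 rule set, and conservatively treats any earlier inbound ALLOW rule as a potential shadow even if it would not match the attacker's traffic.

```shell
#!/bin/sh
# Added example (not from the original post): detect a ufw deny rule that is
# shadowed by an earlier inbound ALLOW rule, from `sudo ufw status numbered`.
#
# Assumptions: rule lines look like "[ n] To  Action  From"; lines marked
# "(v6)" are the separate IPv6 rule set and are skipped; any inbound ALLOW
# rule that precedes the deny rule counts as able to shadow it.

# Print the ufw rule number of the first matching inbound rule:
#   rule_number STATUS deny IP   -> first DENY/REJECT rule whose From is IP
#   rule_number STATUS allow     -> first ALLOW rule
# Prints nothing if no such rule exists. Rules with an OUT direction are ignored.
rule_number() {
    printf '%s\n' "$1" | awk -v kind="$2" -v ip="$3" '
        /^\[ *[0-9]+\]/ && !/\(v6\)/ {
            out = 0; act = 0; hit = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "OUT") out = 1
                if (kind == "allow" && $i == "ALLOW") act = 1
                if (kind == "deny" && ($i == "DENY" || $i == "REJECT")) act = 1
                if ($i == ip) hit = 1
            }
            if (!out && act && (kind == "allow" || hit)) {
                n = $0; sub(/^\[ */, "", n); sub(/\].*/, "", n)
                print n; exit
            }
        }'
}

# ban_check STATUS IP: returns 0 if the deny rule comes first, 1 if an earlier
# allow rule shadows it, 2 if there is no deny rule for IP. Prints one line.
ban_check() {
    bc_deny=$(rule_number "$1" deny "$2")
    bc_allow=$(rule_number "$1" allow)
    if [ -z "$bc_deny" ]; then
        echo "missing: no inbound DENY/REJECT rule for $2"
        return 2
    fi
    if [ -n "$bc_allow" ] && [ "$bc_allow" -lt "$bc_deny" ]; then
        echo "shadowed: deny rule $bc_deny sits below allow rule $bc_allow; run: sudo ufw insert 1 deny from $2 to any"
        return 1
    fi
    echo "ok: deny rule $bc_deny precedes every inbound allow rule"
    return 0
}

# Constructed sample listing, as `sudo ufw status numbered` would print it
# after `sudo ufw deny from 203.0.113.7 to any` appended the ban below the
# existing allow rules ...
SAMPLE_SHADOWED='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 443                        ALLOW IN    Anywhere
[ 3] Anywhere                   DENY IN     203.0.113.7
[ 4] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 5] 443 (v6)                   ALLOW IN    Anywhere (v6)'

# ... and after `sudo ufw insert 1 deny from 203.0.113.7 to any` instead.
SAMPLE_FIXED='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] Anywhere                   DENY IN     203.0.113.7
[ 2] 22/tcp                     ALLOW IN    Anywhere
[ 3] 443                        ALLOW IN    Anywhere
[ 4] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 5] 443 (v6)                   ALLOW IN    Anywhere (v6)'

# Stand-alone demo. On a real box: ban_check "$(sudo ufw status numbered)" IP
ban_check "$SAMPLE_SHADOWED" 203.0.113.7 || true
ban_check "$SAMPLE_FIXED" 203.0.113.7 || true
```

The first call reports that rule 3 is shadowed by rule 1 and prints the insert command from the post; the second reports the ban as effective. The check is deliberately conservative: an earlier ALLOW for port 443 only shadows the ban for traffic to port 443, but since a DoS bot typically targets exactly the ports you allow, keeping the ban at position 1 is the safe choice.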
Which one is your favorite tool for command line monitoring and blocking annoying traffic?