Blacklisting IPs on FreeBSD

Unix

12 Feb 2015

Blacklisting IPs on FreeBSD

Preston Garrison 0 Comments

I noticed the other day I had someone trying to brute for logins to my website.  The easiest way to prevent this was grab the ips from the weblogs, and then black hole their routes.  So first thing I did was stop nginx, reset the log files, restart nginx, let the logs run for 30 seconds, then place those ips in a file.

/usr/local/etc/rc.d/nginx stop
cd /var/log
rm nginx*
/usr/local/etc/rc.d/nginx stop
cat nginx-access.log | grep login | cut -d ' ' -f 1 | sort | uniq > /root/ips_bad.txt

 

 

At this point I strongly suggest you edit the ips file, and make sure your ip, or no other ip you wanted listed there is in the file.  The next step was to use this file with a simple bash for loop

for e in `cat /root/ips_bad.txt` ; do route add $e 127.0.0.1 -blackhole; done

 

 

 

If I want to quickly remove these routes, I just do

for e in `cat /root/ips_bad.txt` ; do route delete $e -blackhole; done

 

Preston Garrison