Re: Netfilter fails to filter traffic from a netblock?

Jeffrey Walton <noloader@xxxxxxxxx> · Sun, 19 Apr 2020 10:14:03 -0400

On Sun, Apr 19, 2020 at 8:58 AM Jeffrey Walton <noloader@xxxxxxxxx> wrote:
>
> Hi Everyone,
>
> We rent a CentOS 7 VM from GoDaddy. We received a warning about
> excessive cpu usage, and a threat to cancel our service. We tracked it
> down to Apache and someone hammering our web server.
>
> The offending host is 59.64.129.175. To err on the side of caution we
> attempted to block the entire netblock. According to whois data,
> that's 59.64.128.0-59.64.159.255.
>
>     iptables -A INPUT -s 59.64.128.0/19 -p TCP -j DROP
>
> After reboot cpu usage is still high and access_log still shows
> useless requests from the host:
>
>     59.64.129.175 - - [19/Apr/2020:08:53:53 -0400] "GET
>     /w/index.php?title=Special:WhatLinksHere&limit=50&
>     printable=yes HTTP/1.1" 301 311
>
> I seem to be missing something. That's not surprising since I am not a
> server administrator.
>
> How do I filter the unwanted traffic from the netblock?

Thanks Mike and Mark.

This is where I am at... I'm following
https://www.howtogeek.com/177621/the-beginners-guide-to-iptables-the-linux-firewall/
because GoDaddy has not published any documents on this (other then
use cPanel, which I don't have access to).

The rule is persisted but it is being ignored.

# iptables -L | grep policy
Chain INPUT (policy ACCEPT)
Chain FORWARD (policy ACCEPT)
Chain OUTPUT (policy ACCEPT)

# iptables -A INPUT -s 59.64.128.0/19 -p TCP -j DROP
# /sbin/service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables: [OK]

<reboot, top still shows high usage, logs still show requests from offender>

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state
RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             state
NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             state
NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             state
NEW tcp dpt:https
REJECT     all  --  anywhere             anywhere
reject-with icmp-host-prohibited
DROP       tcp  --  59.64.128.0/19       anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere
reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

We really need the server to honor this rule. How do we get CentOS to
use this rule?

Jeff
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos