
Null route an attacker's IP

Created by retep. Last edited by retep, 2 years and 249 days ago. Viewed 4,282 times. #4

Unwelcome Guests

Sometimes servers receive unwanted traffic from an unwelcome source.

One of the many compromised servers out there may be launching a brute force SSH attack on your server. Or some bot may be wreaking havoc on your server while it tries to crawl your site.

So Who Are These People?

The first step to determining the source of the problem is to get the IP address.

Typically you can see the IP address in the sshd log. Depending on the distribution, failed logins are written to /var/log/secure (Red Hat style), /var/log/auth.log (Debian style) or /var/log/messages, as lines of the form "Failed password for ... from <ip> port <port> ssh2".

For http requests you can often find the IP in the access logs. e.g. in /var/log/httpd/access_log

Finally, run netstat -tn (or ss -tn on newer systems) to list the current TCP connections with their remote addresses; a single remote address holding many connections at once stands out.

How To Stop Them

IP=theattackersIP
iptables --append INPUT --source $IP -j DROP

This appends a rule to the end of the INPUT chain that drops packets coming from $IP. Because it is appended, any earlier rule in the chain that accepts the traffic (a common one accepts packets belonging to established connections) still wins, so a connection the attacker already has open stays open. To make the new rule take precedence over everything else, insert it at the top of the chain with --insert INPUT 1 instead of --append.

If you get an error about iptables not being loaded you may also need to run:

modprobe iptable_filter

Double-check the address before you block it. It would be a shame to block a legitimate user or, worse, yourself: compare it with the address you are connecting from, which sshd exposes in the SSH_CLIENT environment variable of your session and which the who command lists next to your terminal.

If you do lock yourself out you can have someone restart the server: the rule is gone after a reboot unless it has been persisted (for example with service iptables save on Red Hat style systems, which writes out the rules that are restored at boot). Or you can reach the server via the console (RimuHosting VPSes all have console access over SSH; just enable it in the RimuHosting control panel).
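The two steps above (find the offending address in the sshd log, then block it without blocking yourself) put together as an added shell example. This is not code from the original page or from RimuHosting; the sshd log lines are constructed for the demo (documentation addresses), the helper names are my own, and the script only prints the iptables command it would run rather than executing it, so it runs as an unprivileged user. It also prints the equivalent blackhole route (ip route add blackhole), which is what the page's title literally describes: the kernel discards anything it would send to that address, so the attacker's TCP handshakes never complete.

```shell
#!/bin/sh
# Added example, not from the original page. Extract the busiest source of
# failed SSH logins from sshd log text and build a block command for it,
# refusing to block our own address.

# Constructed sample of sshd log lines (same format as /var/log/secure or
# /var/log/auth.log). 198.51.100.23 is the brute-forcer, 203.0.113.7 is us.
SAMPLE_LOG='Mar  3 10:12:01 host sshd[2201]: Failed password for invalid user admin from 198.51.100.23 port 51234 ssh2
Mar  3 10:12:03 host sshd[2203]: Failed password for root from 198.51.100.23 port 51240 ssh2
Mar  3 10:12:05 host sshd[2205]: Failed password for invalid user test from 198.51.100.23 port 51250 ssh2
Mar  3 10:12:09 host sshd[2210]: Accepted publickey for retep from 203.0.113.7 port 40022 ssh2
Mar  3 10:12:11 host sshd[2212]: Failed password for root from 192.0.2.88 port 33001 ssh2'

# Read sshd log text on stdin; print "count ip" per failed-login source,
# busiest first. Only "Failed password" lines count, so successful logins
# from our own address never show up here.
failed_login_sources() {
    grep 'sshd\[[0-9]*\]: Failed password' \
    | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
    | sort | uniq -c | sort -rn \
    | awk '{print $1, $2}'
}

# The single busiest source address.
top_offender() {
    failed_login_sources | head -n 1 | awk '{print $2}'
}

# Accept only a dotted quad with four octets in 0-255. Anything else
# (hostnames, IPv6, shell metacharacters from a tampered log) is rejected
# before it gets near an iptables command line.
valid_ipv4() {
    local ip octet
    ip=$1
    case $ip in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$ip" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Addresses that would cut off our own access: loopback and the client
# address of the current SSH session (sshd sets SSH_CLIENT="ip port port").
is_self() {
    local ip client
    ip=$1
    client=${SSH_CLIENT:-}
    client=${client%% *}
    if [ "$ip" = "127.0.0.1" ] || { [ -n "$client" ] && [ "$ip" = "$client" ]; }; then
        return 0
    fi
    return 1
}

# Print the block command. -I INPUT 1 puts the rule at the top of the chain
# so it fires before any earlier ACCEPT (e.g. for established connections);
# the page's --append would leave an already-open session alive.
# To apply it as root: eval "$(block_cmd "$ip")"
block_cmd() {
    local ip
    ip=$1
    valid_ipv4 "$ip" || { echo "not an IPv4 address: $ip" >&2; return 1; }
    is_self "$ip"    && { echo "refusing to block own address: $ip" >&2; return 1; }
    printf 'iptables -I INPUT 1 -s %s -j DROP\n' "$ip"
}

# Matching removal for when the block is no longer wanted.
unblock_cmd() {
    printf 'iptables -D INPUT -s %s -j DROP\n' "$1"
}

# The literal null route: replies to that address are discarded by the
# routing table, so inbound connections never complete the handshake.
nullroute_cmd() {
    local ip
    ip=$1
    valid_ipv4 "$ip" || { echo "not an IPv4 address: $ip" >&2; return 1; }
    is_self "$ip"    && { echo "refusing to null route own address: $ip" >&2; return 1; }
    printf 'ip route add blackhole %s/32\n' "$ip"
}

# Demo: nothing here touches iptables or the routing table, it only prints.
offender=$(printf '%s\n' "$SAMPLE_LOG" | top_offender)
echo "busiest failed-login source: $offender"
block_cmd "$offender"
nullroute_cmd "$offender"
unblock_cmd "$offender"
```

On a real host, feed the live log instead of the sample (for example `grep sshd /var/log/secure | failed_login_sources | head`) and review the list before running any of the printed commands; the validation and self-check are there because an address copied from a log is untrusted input.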

Following up with the Authorities

If you wish you can report misuse to the person responsible for the IP (typically an ISP or data center).

This is often a good idea, since the server attacking you is usually not acting on its owner's behalf: it is under the control of malware (a trojan, virus, compromised user account, etc.), and someone needs to alert the owner of the IP address so they can resolve the problem with their user.

You can go to http://whois.sc/ and enter the IP, or run the whois command on your own machine (whois $IP). Either will come back with information about who owns that address block and, often, an abuse email address to use for reporting.

Use one of those email addresses and email them that your server is being attacked by an IP in their address space. Include log snippets if you can.

Every now and then you may get a reply or some action taken on your behalf. But it is also quite common for your request to be ignored.

Found a mistake in a howto? Let us know via an email to p.blikibugs at rimuhosting com.