  1. #1

    Blocking IP using PHP

    Well, my server is under a massive botnet attack.

    They are currently attacking /showthread.php on my forum.

    I was wondering if anyone knew a good method of blocking an IP address from PHP? So when the bots access the page, it drops their IP from the server. Don't worry about legit users, I have emailed them telling them where the forum has moved to for the time being.

    What I thought:

    Code:
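    <?php

    // REMOTE_ADDR is read from the $_SERVER superglobal
    $ipaddy = $_SERVER['REMOTE_ADDR'];

    // The command has to be a quoted string; escapeshellarg() keeps the address a single argument
    $command = shell_exec("iptables -I INPUT -s " . escapeshellarg($ipaddy) . " -j DROP");
    //echo "$command";

    ?>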
    Didn't work though. Any ideas?

  2. #2
    Join Date
    Nov 2003
    Location
    Canada
    Posts
    881
    In order to make it work the php script must be run as root (this means running apache as root). If you are running as root try this and see if you get any useful output:

    PHP Code:
    <?php

    $ipaddy = $_SERVER['REMOTE_ADDR'];

    // passthru() sends the command's output straight to the page
    passthru("iptables -I INPUT -s " . escapeshellarg($ipaddy) . " -j DROP");

    ?>
    Although please note running apache/php as root is not the best idea for security purposes.

  3. #3
    Join Date
    Dec 2003
    Location
    New Zealand
    Posts
    1,265
    Why not block it at firewall point?

  4. #4
    Join Date
    Sep 2004
    Location
    Flint, Michigan
    Posts
    5,766
    I believe he is not sure of the attacking IPs so whenever they access his forum he wants that IP blocked through iptables (the firewall).
    Mike from Zoodia.com
    Professional web design and development services.
    In need of a fresh hosting design? See what premade designs we have in stock!
    Web design tips, tricks, and more at MichaelPruitt.com

  5. #5
    Join Date
    Dec 2003
    Location
    New Zealand
    Posts
    1,265
    Ooohhh ok, I didn't read his first post properly...

    Sorry

  6. #6
    Don't have one. It's on the way, ordered around 3 days ago. Slow!

    How exactly do I set it to run as root? (cPanel server).

  7. #7
    Join Date
    Jul 2003
    Location
    Nothing but, net
    Posts
    2,064
    Originally posted by gamesxposed
    Don't have one. It's on the way, ordered around 3 days ago. Slow!

    How exactly do I set it to run as root? (cPanel server).
    Have the script dump the IP information into a database and have a cron run as root to run another script to actually block the IPs every 5 minutes or so.

  8. #8
    Hmm, I have them all logging to a text file. THOUSANDS OF THEM, LITERALLY!

    No idea how to block them from here though...

  9. #9
    Join Date
    Feb 2004
    Posts
    772
    hi,

    try this one.

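    <?php
    $addr = array("192.168.2.100", "192.168.2.102"); // array of IPs..
    foreach ($addr as $key => $value) {
        // strstr() is a substring match: a listed value also matches any address that contains it
        if (strstr($_SERVER['REMOTE_ADDR'], $value)) {
            exit;
        }
    }
    ?>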
    Bright Info Solutions

  10. #10
    There are probably 15,000 IP addresses. Bit hard to put them all into a php file to run.

    Is there an easier method to get the custom showthread.php to run as root? That way I can block as they access.

  11. #11
    Join Date
    Apr 2003
    Location
    NC
    Posts
    3,093
    Is this a valid forum? If not replace it with a 0Kb file. Even if it is a valid forum you may want to put a very small message on it and then lower your http timeouts to extremely low values and raise your maxclients. That should at least help your other sites stay online.

    If you start blocking 15,000 IPs your server is going to crash, I tried it with a similar DOS attack and the box pretty quickly fried itself and had to be rebooted.
    John W, CISSP, C|EH
    MS Information Security and Assurance
    ITEagleEye.com - Server Administration and Security
    Yawig.com - Managed VPS and Dedicated Servers with VIP Service

  12. #12
    Join Date
    Jan 2003
    Location
    Lake Arrowhead, CA
    Posts
    789

    Re: Blocking IP using PHP

    Originally posted by gamesxposed
    Is there an easier method to get the custom showthread.php to run as root? That way I can block as they access.
    Even if you can do this, don't. Publicly accessible scripts running as root are a bad idea. If you're going to block them, do what LP-Trel said and log the IPs to a database (I'd also write code to match existing IPs and list entire subnets after X number of matches within a subnet), then have another (root) script running from a cron on the server to check that database periodically and block the IPs.

    They are currently attacking /showthread.php on my forum.
    That brings another question. What is the exact request? If the bots are doing something which normal visitors do not do, then you might be able to block them with a mod_security rule or other simple filter rather than multiple IP blocks. That would be FAR less intensive than scripting extra database calls on every request.
    http://www.srohosting.com
    Stability, redundancy and peace of mind

  13. #13
    Ended up using Perl, the forum that the bots were requesting WAS invalid. And I did replace it with a blank file.

    It was only invalid after I moved the location of the forum, users knew. Botnet kept attacking old location.

    The Perl script just watched domlogs for a while, pulling out all requests to the file. Stored them into a separate .txt then went through and dropped them.

    It is around 90% filtered. Near 15,000 IP addresses blocked. Not a problem with the server either.
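    An added example, not code from any poster in this thread: the log-then-block approach discussed above (pull requesters of the attacked file out of the access log, list a whole subnet after X hits, let a separate root job apply the block), sketched in Python. It assumes Apache combined-format log lines, a /24 grouping with a threshold of 3, and swaps the per-IP iptables rules for a single ipset set named `forum_block`; those names and values are illustrative.

```python
import ipaddress
import re
from collections import defaultdict

# Apache combined-log prefix: client, identity, user, [time], "METHOD path ..."
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|POST|HEAD) (\S+)')

def offenders(lines, target="/showthread.php"):
    """Return the set of valid IPv4 clients that requested `target`."""
    found = set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group(2).split("?", 1)[0] != target:
            continue
        try:
            found.add(ipaddress.IPv4Address(m.group(1)))
        except ipaddress.AddressValueError:
            continue  # hostname or IPv6 in the log: skip, never pass raw text on
    return found

def collapse(ips, subnet_threshold=3):
    """List a whole /24 once `subnet_threshold` distinct hosts in it offend."""
    by_net = defaultdict(set)
    for ip in ips:
        by_net[ipaddress.ip_network(f"{ip}/24", strict=False)].add(ip)
    entries = []
    for net, hosts in by_net.items():
        if len(hosts) >= subnet_threshold:
            entries.append(net)
        else:
            entries.extend(ipaddress.ip_network(h) for h in hosts)
    return sorted(entries)

def ipset_restore(entries, set_name="forum_block"):
    """Render `ipset restore` input: one kernel set, not one rule per address."""
    out = [f"create {set_name} hash:net family inet"]
    out += [f"add {set_name} {e}" for e in entries]
    return "\n".join(out) + "\n"

# Constructed sample log lines (documentation address ranges only).
TS = "[10/Jun/2005:13:55:36 +0000]"
SAMPLE = [
    f'198.51.100.7 - - {TS} "GET /showthread.php?t=1 HTTP/1.1" 200 0',
    f'198.51.100.8 - - {TS} "GET /showthread.php?t=2 HTTP/1.1" 200 0',
    f'198.51.100.9 - - {TS} "GET /showthread.php?t=3 HTTP/1.1" 200 0',
    f'203.0.113.20 - - {TS} "GET /showthread.php HTTP/1.0" 200 0',
    f'192.0.2.5 - - {TS} "GET /index.php HTTP/1.1" 200 512',
    f'bad.host.example - - {TS} "GET /showthread.php HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    print(ipset_restore(collapse(offenders(SAMPLE))), end="")
```

    A root cron job would pipe this output into `ipset -exist restore`, and a single rule, `iptables -I INPUT -m set --match-set forum_block src -j DROP`, then covers every entry; the web-facing PHP never needs root.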

  14. #14
    Join Date
    May 2005
    Location
    Balmumcu, Istanbul, TR
    Posts
    21
    great turnaround gg gamesxposed
