Thread: Blocking IP using PHP
-
06-03-2005, 03:25 AM #1 Junior Guru
- Join Date: Dec 2002
- Posts: 216
Blocking IP using PHP
Well, my server is under a massive botnet attack.
They are currently attacking /showthread.php on my forum.
I was wondering if anyone knew a good method of blocking an IP address from PHP? So when the bots access the page, it drops their IP from server. Don't worry about legit users, I have emailed them telling where the forum has moved to for the time being.
What I thought:
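Code:
<?php
// Client address as reported by the web server
$ipaddy = $_SERVER['REMOTE_ADDR'];
// The command must be a quoted string; escapeshellarg() keeps the address a single argument
$command = shell_exec("iptables -I INPUT -s " . escapeshellarg($ipaddy) . " -j DROP");
//echo "$command";
?>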
-
06-03-2005, 04:11 AM #2 Web Hosting Master
- Join Date: Nov 2003
- Location: Canada
- Posts: 881
In order to make it work the php script must be run as root (this means running apache as root). If you are running as root try this and see if you get any useful output:
PHP Code:
<?php
$ipaddy = $_SERVER['REMOTE_ADDR'];
// passthru() sends the command's output straight to the page
passthru("iptables -I INPUT -s " . escapeshellarg($ipaddy) . " -j DROP");
?>
-
06-03-2005, 04:23 AM #3 Hosting Systems Specialist
- Join Date: Dec 2003
- Location: New Zealand
- Posts: 1,265
Why not block it at firewall point?
-
06-03-2005, 04:32 AM #4 Retired Moderator
- Join Date: Sep 2004
- Location: Flint, Michigan
- Posts: 5,766
I believe he is not sure of the attacking IPs so whenever they access his forum he wants that IP blocked through iptables (the firewall).
█ Mike from Zoodia.com
-
06-03-2005, 04:40 AM #5 Hosting Systems Specialist
- Join Date: Dec 2003
- Location: New Zealand
- Posts: 1,265
ooohhh ok, I didn't read his first post properly...
Sorry
-
06-03-2005, 04:48 AM #6 Junior Guru
- Join Date: Dec 2002
- Posts: 216
Don't have one. It's on the way, ordered around 3 days ago. Slow!
How exactly do I set it to run as root? (cPanel server).
-
06-03-2005, 05:15 AM #7 Web Hosting Master
- Join Date: Jul 2003
- Location: Nothing but, net
- Posts: 2,064
Originally posted by gamesxposed
Don't have one. It's on the way, ordered around 3 days ago. Slow!
How exactly do I set it to run as root? (cPanel server).
-
06-03-2005, 05:29 AM #8 Junior Guru
- Join Date: Dec 2002
- Posts: 216
Hmm, I have them all logging to a text file. THOUSANDS OF THEM, LITERALLY!
No idea how to block them from here though...
-
06-03-2005, 05:31 AM #9 Web Hosting Master
- Join Date: Feb 2004
- Posts: 772
hi,
try this one.
<?php
$addr = array("192.168.2.100", "192.168.2.102"); // array of IPs..
foreach ($addr as $key => $value) {
    // Exact comparison, so that e.g. 1.2.3.4 does not also match 11.2.3.4
    if ($_SERVER['REMOTE_ADDR'] === $value) exit;
}
?>
Bright Info Solutions
-
06-03-2005, 05:34 AM #10 Junior Guru
- Join Date: Dec 2002
- Posts: 216
There are probably 15,000 IP addresses. Bit hard to put them all into a php file to run.
Is there an easier method to get the custom showthread.php to run as root? That way I can block as they access.
-
06-03-2005, 10:26 AM #11 Web Hosting Master
- Join Date: Apr 2003
- Location: NC
- Posts: 3,093
Is this a valid forum? If not replace it with a 0Kb file. Even if it is a valid forum you may want to put a very small message on it and then lower your http timeouts to extremely low values and raise your maxclients. That should at least help your other sites stay online.
If you start blocking 15,000 IPs your server is going to crash, I tried it with a similar DOS attack and the box pretty quickly fried itself and had to be rebooted.
John W, CISSP, C|EH
MS Information Security and Assurance
-
06-03-2005, 10:46 AM #12 Web Hosting Master
- Join Date: Jan 2003
- Location: Lake Arrowhead, CA
- Posts: 789
Re: Blocking IP using PHP
Originally posted by gamesxposed
Is there an easier method to get the custom showthread.php to run as root? That way I can block as they access.
They are currently attacking /showthread.php on my forum.
-
06-04-2005, 03:04 AM #13 Junior Guru
- Join Date: Dec 2002
- Posts: 216
Ended up using Perl, the forum that the bots were requesting WAS invalid. And I did replace it with a blank file.
It was only invalid after I moved the location of the forum, users knew. Botnet kept attacking old location.
The Perl script just watched domlogs for a while, pulling out all requests to the file. Stored them into a separate .txt, then went through and dropped them.
It is around 90% filtered. Near 15,000 IP addresses blocked. Not a problem with the server either.
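
The log-driven approach described in post #13, sketched in Python as an added example (it is not the poster's Perl script, which the thread does not show). The log lines are constructed, and the Apache log format, the allowlist and the `min_hits` threshold are assumptions; the code only builds `iptables` argument lists, so a root-owned job can apply them and the web server itself never needs root.

```python
import ipaddress
import re
from collections import Counter

# Assumption: Apache common/combined log format (client first, request quoted).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|POST|HEAD) (\S+)')

# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Jun/2005:03:20:01 +0000] "GET /showthread.php?t=1 HTTP/1.1" 200 0
203.0.113.7 - - [03/Jun/2005:03:20:02 +0000] "GET /showthread.php?t=2 HTTP/1.1" 200 0
198.51.100.9 - - [03/Jun/2005:03:20:02 +0000] "GET /showthread.php HTTP/1.0" 200 0
198.51.100.9 - - [03/Jun/2005:03:20:03 +0000] "GET /showthread.php HTTP/1.0" 200 0
192.0.2.50 - - [03/Jun/2005:03:20:03 +0000] "GET /index.php HTTP/1.1" 200 512
192.0.2.10 - - [03/Jun/2005:03:20:04 +0000] "GET /showthread.php HTTP/1.1" 200 0
192.0.2.10 - - [03/Jun/2005:03:20:05 +0000] "GET /showthread.php HTTP/1.1" 200 0
bot.example.net - - [03/Jun/2005:03:20:06 +0000] "GET /showthread.php HTTP/1.1" 200 0
truncated line
"""


def offenders(log_text, target="/showthread.php", min_hits=2, allow=()):
    """Return sorted source IPs with at least min_hits requests to target."""
    allowed = {ipaddress.ip_address(a) for a in allow}
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or truncated line: skip rather than guess
        host, url = m.groups()
        if url.split("?", 1)[0] != target:
            continue  # request for some other page
        try:
            ip = ipaddress.ip_address(host)  # only literal IPs reach the firewall
        except ValueError:
            continue  # e.g. a reverse-DNS name in the host field
        if ip not in allowed:
            hits[ip] += 1
    return sorted(str(ip) for ip, n in hits.items() if n >= min_hits)


def drop_commands(ips):
    """Build argv lists (no shell string) for the rule used in the thread."""
    return [["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"] for ip in ips]


if __name__ == "__main__":
    for argv in drop_commands(offenders(SAMPLE_LOG, allow=["192.0.2.10"])):
        print(" ".join(argv))
```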
-
06-04-2005, 10:33 AM #14 Newbie
- Join Date: May 2005
- Location: Balmumcu, Istanbul, TR
- Posts: 21
great turnaround gg gamesxposed