Attacker IPs

Support for security such as Firewalls and securing linux
yeknafar
Posts: 13
Joined: 2018/07/12 21:13:09

Attacker IPs

Post by yeknafar » 2018/07/12 22:05:58

Hello

Thanks for your attention.
I am using a cloud to prevent DDoS attacks on my site, and I am supposed to see only the IP of my cloud on my server, but when I check it with

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

I see many strange IPs and when I Google them I find they are attacker IPs.


- I am using centos web panel (CWP).

Now I wonder:
- Why do they come to my site directly and not go through the cloud to prevent them? (I do not think they have my IP; I have used 2 different clouds)

- I ban them manually; can it become an automatic action?
- Are they doing a Slowloris attack on my site? (Because I receive, for example, 335 load average and a database error sometimes, or even 3 times a day, with low bandwidth)

- Is it a good idea to ban the most famous attacker IPs? If yes, how can I get the list?


Thanks

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Attacker IPs

Post by TrevorH » 2018/07/13 06:20:19

- I am using centos web panel (CWP).
Off topic here, please see viewtopic.php?f=12&t=66365
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

lightman47
Posts: 1521
Joined: 2014/05/21 20:16:00
Location: Central New York, USA

Re: Attacker IPs

Post by lightman47 » 2018/07/13 11:33:53

For the most part "they" are bots that bang away at IPs. They don't have yours until they get to it and your machine responds - then they have it.

I use fail2ban as I must use passwords, with retries set really low. It's a little bit to set up but works nicely.
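
An added example, not posted by anyone in this thread: the check the first post does with netstat, extended to separate connections arriving from the cloud proxy from those reaching the web ports directly. The proxy range, the port set and the sample output are constructed placeholders (documentation addresses); substitute the ranges your provider publishes.

```python
import ipaddress
from collections import Counter

# Constructed sample of `netstat -ntu` output, using documentation-range addresses.
SAMPLE = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:51234      ESTABLISHED
tcp        0      0 192.0.2.10:443          203.0.113.45:40022      ESTABLISHED
tcp        0      0 192.0.2.10:443          203.0.113.45:40023      SYN_RECV
tcp        0      0 192.0.2.10:443          203.0.113.45:40024      ESTABLISHED
tcp        0      0 192.0.2.10:22           203.0.113.99:50111      ESTABLISHED
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:198.51.100.7:51300 ESTABLISHED
tcp6       0      0 2001:db8::10:443        2001:db8:ffff::5:41000  ESTABLISHED
"""

# Assumption: placeholder for the egress ranges published by the cloud proxy.
PROXY_RANGES = ["198.51.100.0/24"]
WEB_PORTS = {"80", "443"}


def direct_web_clients(netstat_text, proxy_ranges, web_ports=WEB_PORTS):
    """Return (ip, count) for web-port peers that are outside the proxy ranges."""
    nets = [ipaddress.ip_network(r) for r in proxy_ranges]
    counts = Counter()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 5 or not f[0].startswith(("tcp", "udp")):
            continue  # header lines
        # Split on the last colon so IPv6 peers stay whole (cut -d: -f1 truncates them).
        local_port = f[3].rpartition(":")[2]
        host = f[4].rpartition(":")[0]
        if local_port not in web_ports:
            continue  # only traffic that should have come through the proxy
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue
        # ::ffff:a.b.c.d on a dual-stack socket is really an IPv4 peer.
        ip = getattr(ip, "ipv4_mapped", None) or ip
        if not any(ip.version == n.version and ip in n for n in nets):
            counts[str(ip)] += 1
    return counts.most_common()


if __name__ == "__main__":
    for ip, n in direct_web_clients(SAMPLE, PROXY_RANGES):
        print(f"{n:5d}  {ip}")
```

Any address this reports reached the server without passing through the proxy; allowing ports 80 and 443 at the firewall only from the provider's published ranges closes that path.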
