The website is under DDoS; the cloud service is doing a pretty good job for a cost of a dozen bucks a month. We are happy!
However, the attackers have been hitting our site by IP. Currently we 301-redirect them to the DNS name (managed by the cloud security service). This is not enough, as the volume is quite high even for a 301 response.
Is there a way to block and/or log their IPs?
Thank you
Answer
You can simply log it with iptables.
iptables -A INPUT -i eth0 -p tcp -m limit -j LOG --log-prefix "[defence:input_request_ipv4] "
Remember that this is just a rule for Your question's task – if You have other iptables rules, it is necessary to insert the new rules correctly.
Maybe You will also need to do it for IPv6. First check with the ifconfig command whether You have an IPv6 address. Second, check that Your web server listens on IPv6 too – in the config for the virtual host there will be something like this: [::]. For IPv6 the rule will be:
ip6tables -A INPUT -i eth0 -p tcp -m limit -j LOG --log-prefix "[defence:input_request_ipv6] "
You can also collect IP addresses with Your web server's access log. Nginx does it very well and fast 🙂
UPDATE
For nginx logging – it depends on Your settings.
Main idea.
In nginx.conf, in the http section, define the params for the log format:
log_format defense_log '$remote_addr $remote_user [$time_local] "$request" status:$status bytes_sent:$bytes_sent gzip_ratio:$gzip_ratio connection_requests:$connection_requests request_length:$request_length connection-serial-number:$connection request_time:$request_time "$http_user_agent" "$http_referer"';
In the config for the site (usually it is in the conf.d directory), in the location section:
access_log /path/for/my/log/nginx_defence.log defense_log;
Reload nginx and You will get detailed information about all requests to Your site.
Good luck in fighting the bad guys!!
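As an added example (not from the answer above or from either author), the following Python script parses lines in the defense_log format defined above, counts requests and 301 responses per client IP, and turns the busiest IPs into iptables DROP commands for the sysadmin to review; the sample log lines, the threshold and the chain name are constructed assumptions.

```python
import re
from collections import Counter

# Regex matching the defense_log format from the answer above (one line per request).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'status:(?P<status>\d+) bytes_sent:(?P<bytes_sent>\d+) gzip_ratio:(?P<gzip_ratio>\S+) '
    r'connection_requests:(?P<connection_requests>\d+) request_length:(?P<request_length>\d+) '
    r'connection-serial-number:(?P<connection>\d+) request_time:(?P<request_time>[\d.]+) '
    r'"(?P<user_agent>[^"]*)" "(?P<referer>[^"]*)"$'
)
# Constructed sample lines (not real traffic): 203.0.113.7 hits the site by IP and keeps getting 301s.
SAMPLE_LOG = """\
203.0.113.7 - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" status:301 bytes_sent:178 gzip_ratio:- connection_requests:1 request_length:55 connection-serial-number:1001 request_time:0.001 "-" "-"
203.0.113.7 - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" status:301 bytes_sent:178 gzip_ratio:- connection_requests:2 request_length:55 connection-serial-number:1001 request_time:0.000 "-" "-"
198.51.100.2 - [10/Oct/2023:13:55:37 +0000] "GET /index.html HTTP/1.1" status:200 bytes_sent:5120 gzip_ratio:2.10 connection_requests:1 request_length:320 connection-serial-number:1002 request_time:0.012 "Mozilla/5.0" "https://example.test/"
203.0.113.7 - [10/Oct/2023:13:55:37 +0000] "GET / HTTP/1.1" status:301 bytes_sent:178 gzip_ratio:- connection_requests:3 request_length:55 connection-serial-number:1001 request_time:0.000 "-" "-"
this line is garbage and must be skipped
"""

def parse_line(line):
    """Return the fields of one defense_log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def requests_per_ip(log_text):
    """Count total requests and 301 (redirect-to-DNS-name) responses per client IP."""
    total, redirects = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip it rather than crash on it
        total[rec["ip"]] += 1
        if rec["status"] == "301":
            redirects[rec["ip"]] += 1
    return total, redirects

def offenders(log_text, threshold):
    """IPs with at least `threshold` requests, busiest first (threshold is an assumption; tune it)."""
    total, _ = requests_per_ip(log_text)
    return [ip for ip, n in total.most_common() if n >= threshold]

def drop_rules(ips, chain="INPUT"):
    """Build iptables commands that drop traffic from the listed IPs (returned as strings, not run)."""
    return [f"iptables -I {chain} -s {ip} -j DROP" for ip in ips]

if __name__ == "__main__":
    for cmd in drop_rules(offenders(SAMPLE_LOG, 3)):
        print(cmd)
```

Run it against the real nginx_defence.log instead of SAMPLE_LOG and review the printed commands before applying them, since a proxy or NAT in front of the server can make many legitimate clients share one address.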
Attribution
Source: Link, Question Author: Phung D. An, Answer Author: Sergey Serov