Topic: Ip baning

[bpivk]

Hy

How can i ban an IP (external not local)? Can i find any RPM's to install and to do this from server-manager console?

Thanks for reply

[raem]

bpivk

> How can i ban an IP (external not local)?

Searching, searching.........
Ping !

http://forums.contribs.org/index.php?topic=33023.0

[bpivk]

Boing! Wrong answer.  

I need something to ban a specific ip from my site or all of the sites (ibay's) not from smtp server (i have spamfilters for that).

[raem]

bpivk

Boing! Wrong question !

Your question is vague & inconsistent.

First you ask:
How can i ban an IP (external not local)?
Then you say:
 I need something to ban a specific ip from my site or all of the sites (ibay's)

Doesn't from my site mean a local IP, not an external IP ?

What actually are you trying to ban this IP from doing ?
What is the IP for or of, a local workstation, a remote workstation, a remote site ???

Please explain better than you have already.

[bpivk]

Ok I'll try to explain...

Let's say that I have a site www.google.com and i want to keep you from accessing it. The way i would do it would be that i ban your ip. Now how do i do that.

Is that good enough?

[Mjohnson]

It would seem you have a couple of realistic options to explore, and  I am not sure configuring SME is a practical approach.  

Option 1 would be to explore your server appication and see if it allows or can be configured to ban an IP.  For instance, phpBB does have such a feature and is easily configured via the administrator panel.

Option 2 would be to configure your firewall appropriately, whether that is SME or some other device.  I suppose you could use IPTables to accomplish this, but since you are asking how to do this, I am doubting you would know how to proceed on that path.

Banning of specific IP's for web site access is not a great way to prevent access.  IP's are easily randomized, changed or otherwise spoofed.  Any lamely talented mildly determined person could overcome that with a quick Google search.

...and I am not a big fan of being Boing'd....lol

[bpivk]

Well the people i want to ban don't know jack s**t about computers. They only know how to turn it on so proxy servers and stuff aren't an option for them.

I read about ip tables but i wanted to know if there is any other (simpler) way (eg.: type some commands in putty "ban ip ***" or "unban ip ***").

I want to deny them access to all of sme services it would take a lot of time to ban them on all sites that i put up. Some of them don't even have ip ban function (some html sites).

[cactus]

I want to deny them access to all of sme services it would take a lot of time to ban them on all sites that i put up. Some of them don't even have ip ban function (some html sites).

If you want to ban them from accessing HTML or other web content, you may also be aple to use the appropriate keywords from apache, like allowing/denying access from certain Ip numbers, using 'allow from' and 'deny from'.

[bpivk]

And how do i do that? I read something about httpd.conf and baning ip trough that but i don't know where the file is.

But i agree that the best option would be to add them to my sme firewall rule or by baning them trough apache. That's the reason i'm posting this question.

[warren]

I read about ip tables but i wanted to know if there is any other (simpler) way (eg.: type some commands in putty "ban ip ***" or "unban ip ***").

/sbin/iptables -I INPUT -s xxx.xxx.xxx.xxx  -i eth1 -j DROP

You'd have to template this to survive reboot though.

[piran]

[make a template file]
pico /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/40DenyWhomever

[edit troublesome areas]
/sbin/iptables -A INPUT -s xxx.0.0.0/32 -j DROP # isolates 1 IP - Single IP
/sbin/iptables -A INPUT -s xxx.0.0.0/24 -j DROP # isolates 256 IPs - Class C
/sbin/iptables -A INPUT -s xxx.0.0.0/16 -j DROP # isolates 65536 IPs - Class B
/sbin/iptables -A INPUT -s xxx.0.0.0/8 -j DROP # isolates 16777216 IPs - Class A

[save template]
Ctrl-X | y | <return>

[expand template]
/sbin/e-smith/expand-template /etc/rc.d/init.d/masq

[implement template]
service masq restart

[enjoy a bit of peace and quiet until the next criminal/pervert starts up]
;~)

[bpivk]

Thanks
And how do i remove someone from my template?

[piran]

...!?
Edit out what is 'now' not required.
Expand the template and restart masquerading.
If you didn't know that about templates
I should remind you to exercise great care
when dealing with masquerading/iptables;~)
Using the above will render your site 'invisible'
to web browsing and emails from designated IPs.

[Rory]

When I want to deny access for an IP or an entire subnet from viewing my website I add them to my .htaccess file.  You can find more information about .htaccess from the Apache website, or search for .htaccess in the contribs.  Once you have .htaccess running and find more people that you need to ban you can go down one line and add another deny from then add there IP address

[piran]

The use of .htaccess route is somewhat deprecated nowadays...
sound and good reasons really but inconvenient to us single user
(and thus fewer associated security concerns) site .htaccessholics;~)
My masquerading set wavers between 3 or 4 thousand line entries.
THAT many .htaccess lines (PER DIRECTORY PER SITE etc) would
prove somewhat onerous - both for the CPUs and my editing... YMMV