Question

How do I permanently block a remote IP address in Linux?


I have been using a network traffic monitor to look at some suspicious network activity and I found an IP from an entry.
I ran a WHOIS on the IP address and it shows a system administrator from Mumbai, India: 1.187.0.0

I live in the USA and I don't use any software, services, or programs from India.
I don't know anybody in India, and I don't go to Indian websites.
Therefore, I am OK with doing an IP block of the entire country of India if somebody knows how.

But my main question is: how do I block any IP address in my Linux OS?

I really would like to do this because the number of processes logging in from the remote address is kind of high.
It seems to start whenever I run it.

I tried running GUFW, but it's too complicated for me. I don't understand the syntax of iptables.
So should I make the changes on the command line itself, or use some content-filter tool instead?


Post was last edited on April 20, 2016 5:21 AM PDT

Comments
Answer
You need someone to come in and do this for you it seems.

Re: IT staffer

If I google CLEAROS NICK MARTIN (ClearOS is what nickmartin24 links to so often), that tells beyond doubt that he's closely related to the company. It's a pity to see Linux being sold by people who don't even understand how to use it.
Maybe somebody else uses his name.

That's sad to read.

I don't like disingenuous questions like this one.

Maybe Nick is a shill for ClearOS and we need to avoid being nice about it.

Answer
Fairly simple

Linux uses a "hosts" file, the same as Windows. Use it to block the IP address and/or domain name. Open the hosts file as root and add the site.

example:

0.0.0.0 186.192.1.1
0.0.0.0 damn_domain.com

You can google "hosts file" and even find some that are already filled out to block a lot of tracking sites too.

The hosts file is in /etc on Linux.

Here's a truncated example of the one I use.

# Ad server list for use with hosts files to block ads
#
# For more information about this list, see: http://pgl.yoyo.org/adservers/
# ----
# last updated: Mon, 23 Sep 2013 16:38:04 GMT
# entries: 2537
# format: hosts (hosts -- in hosts file format)
# credits: Peter Lowe - pgl@yoyo.org - http://pgl.yoyo.org/
# this URL: http://pgl.yoyo.org/as/serverlist.php?hostformat=hosts&useip=0.0.0.0
# other formats: http://pgl.yoyo.org/adservers/formats.php
#
0.0.0.0 decider.com
0.0.0.0 98.137.200.205
0.0.0.0 beap2.cbs.vip.bf1.yahoo.com
0.0.0.0 beap.gemini.yahoo.com
0.0.0.0 ad.lijit.com
0.0.0.0 edge.quantserve.com
0.0.0.0 taboola.com
0.0.0.0 ap.lijit.com
0.0.0.0 underdogmedia.com
0.0.0.0 udmserve.net
0.0.0.0 ad.doubleclick.net
0.0.0.0 siteintercept.qualtrics.com
0.0.0.0 qualtrics.com
0.0.0.0 r.flite.com
0.0.0.0 static.flite.com
0.0.0.0 flite.com
0.0.0.0 p.flite.com


http://www.bleepingcomputer.com/tutorials/hosts-files-explained/

Re: hosts

That's interesting. The OP asks about "processes logging in from the remote address". The entry in hosts doesn't block incoming traffic because it blocks a domain or subdomain (by pre-empting the DNS system). Remotely logging in doesn't use DNS, so doesn't use the hosts file.

To block incoming traffic you need a firewall.

You write "to block the IP address and/or domain name". I've never seen a hosts file used to redirect an IP-address to another IP-address (for example, map any 1.187 address to 0.0.0.0, which would effectively block the answer, so the whole communication and the whole login). What would be the syntax in a hosts file to do that?
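
An added check, written for this thread and not posted by any of the participants, that makes the point of the last two posts concrete: it scans a hosts-style blocklist like the one quoted above and reports the lines that will never block anything. A line whose "name" is an IP address (such as "0.0.0.0 98.137.200.205") is one of them, because the resolver only consults /etc/hosts for name lookups, never for numeric addresses; a line missing the space after the sink address is another. The sample list is constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Checks a hosts-style blocklist for
# entries that will not do what the author expects. All sample data here is
# constructed, modelled on the list quoted in the answer above.

# Constructed sample: two good entries, one malformed line (missing space, as
# in the quoted list), one "IP as a name" entry, one odd sink address.
SAMPLE_HOSTS='# constructed sample blocklist
0.0.0.0 ad.doubleclick.net
0.0.0.0 98.137.200.205
0.0.0.0.udmserve.net
0.0.0.0 flite.com
1.2.3.4 tracker.example'

# Classify every data line. Output: "<status> <original line>", where
#   ok          well-formed "sink name [name...]" entry; lookups of the name
#               return the sink address instead of the real one
#   malformed   fewer than two fields, so the resolver ignores the line
#   ip-literal  a "name" is an IPv4 address; /etc/hosts is only consulted for
#               name lookups, so the line never matches anything
#   bad-sink    the sink is not 0.0.0.0 or 127.0.0.1
hosts_check() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }
        NF == 0          { next }
        NF < 2           { print "malformed " $0; next }
        $1 != "0.0.0.0" && $1 != "127.0.0.1" { print "bad-sink " $0; next }
        { for (i = 2; i <= NF; i++)
              if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { print "ip-literal " $0; next } }
        { print "ok " $0 }'
}

# How many entries actually block a name.
hosts_count_effective() {
    hosts_check "$1" | awk '$1 == "ok" { n++ } END { print n + 0 }'
}

# Succeed only if every data line is effective; otherwise list the offenders.
hosts_lint() {
    hosts_check "$1" | awk '$1 != "ok" { print; bad = 1 } END { exit bad + 0 }'
}

# Usage on the sample (pass "$(cat /etc/hosts)" instead for a real file):
echo "effective entries: $(hosts_count_effective "$SAMPLE_HOSTS")"
hosts_lint "$SAMPLE_HOSTS" || echo "some entries above need fixing"
```

Even a clean list only affects name resolution on this machine: it stops local programs from reaching the listed names, and does nothing about a remote host that connects inbound, which is why the firewall suggestions elsewhere in the thread are the answer to the original question.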

Well there is a non firewall idea here.

I bet I could use a "route" in my routing table for that IP address to nowhere.

A firewall would be a better idea but if I had no firewall, a route entry would kill it.

It blocks anything going back to that domain

As for GUFW, it's not really that hard, there are generalized settings. It also shows who is connected to your computer. Three areas are Business, Home, Public. The average desktop user can choose to Deny or Accept two choices for each one, Incoming and Outgoing. I'd set it for Deny on both for Business and Public, and Deny Outgoing on Home, but need to allow Incoming for internet use. On the shield area, green is blocked, red is open. That way you only have to do rules for the Home Incoming. There's a listening report to show who is connecting, you can then highlight a problem there, then choose the Rules section and either Deny, Reject, or Allow. You can also do that to generalized Sub Categories like "Remote Access". You can use the Simple rule instead and choose the IN and OUT and give each an Allowed, or Deny, or Rejected.

Also most routers have a firewall built into them and an Access Control area where specific IP or domains may be blocked at the router itself. I'd investigate that one and then back it up with HOSTS entry and use the Simple in the Home section of GUFW.

Answer
Block a remote Address in Linux

I think your server is public (and not behind NAT). Put the iptables service on your Linux box (any vanilla firewall service by default does not allow anything; DENY ALL is the default rule). Allow only the ports you want to connect from the outside world, for example 22, 80, etc.

Put in an entry similar to
/sbin/iptables -I INPUT -s "IP ADDRESS" -j DROP
for a particular IP. You can do the same for a network range.
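
An added example, written for this thread rather than posted by any participant, that turns the one-line iptables command above into something closer to the "permanently" in the question: it validates each address or range, prints the DROP rule for each, renders the same rules in iptables-restore format so they can be reloaded at boot, and also prints the "route to nowhere" fallback mentioned further up. It never runs iptables or ip itself, so the output can be reviewed before being applied as root. 1.187.0.0/16 and 186.192.1.1 are constructed stand-ins for the addresses mentioned in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Generates the firewall rules the answer
# above describes (one DROP per source, single address or CIDR range) and
# shows how to make them outlive a reboot. Nothing here runs iptables or ip;
# it prints the commands so they can be reviewed first. The addresses used
# at the bottom are constructed stand-ins for the ones in the thread.

# Accept "a.b.c.d" or "a.b.c.d/n" and nothing else, so a typo cannot become a
# rule that silently matches nothing.
valid_ipv4_cidr() {
    printf '%s\n' "$1" | awk -F'[./]' '
        NF != 4 && NF != 5 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
        NF == 5 && ($5 !~ /^[0-9]+$/ || $5 > 32) { exit 1 }
        { exit 0 }'
}

# One "iptables -I INPUT ... DROP" per source. -I puts the rule at the top of
# INPUT, so it is evaluated before any ACCEPT rule that opens port 22 or 80.
block_rules() {
    for src in "$@"; do
        if valid_ipv4_cidr "$src"; then
            echo "iptables -I INPUT -s $src -j DROP"
        else
            echo "skipping invalid source: $src" >&2
        fi
    done
}

# The same rules in iptables-restore format. Load with
#   iptables-restore --noflush < blocklist.v4
# to add them without discarding the rules already in place, then persist the
# whole ruleset with "iptables-save > /etc/iptables/rules.v4" (the file the
# iptables-persistent package restores at boot on Debian and Ubuntu).
render_rules_v4() {
    echo '*filter'
    for src in "$@"; do
        if valid_ipv4_cidr "$src"; then
            echo "-I INPUT -s $src -j DROP"
        fi
    done
    echo 'COMMIT'
}

# Fallback without a firewall, as suggested further up the thread: a blackhole
# route discards every packet this host would send back to the range, so no
# TCP connection from it can complete. Unlike the DROP rule it does not stop
# the inbound packets from reaching the kernel and being logged.
blackhole_routes() {
    for src in "$@"; do
        if valid_ipv4_cidr "$src"; then
            echo "ip route add blackhole $src"
        fi
    done
}

# Usage: review the output, then run the printed commands as root.
block_rules 1.187.0.0/16 186.192.1.1
render_rules_v4 1.187.0.0/16 186.192.1.1
blackhole_routes 1.187.0.0/16
```

Blocking a whole /16 on the strength of one WHOIS record is a blunt instrument; before committing it to the boot-time ruleset, check with `iptables -L INPUT -v -n` that the new rule's packet counter is the one climbing, so that the block is actually catching the traffic that prompted the question.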
