Block IP address for certain time period

Question

I have created a php script which generally counts how many times an IP address accessed our site more than x number of times within 1 minute.

Afterwards I created a shell script top ban those ip addresses to access port 80 who exceeded x number of hit count.

which is as follows:

BLOCKDB=/tmp/ip.blocked
IPS=$(grep -Ev "^#" $BLOCKDB)
echo IPS
for i in $IPS
do
 /sbin/iptables -A INPUT -p tcp --destination-port 80 -s $i -j DROP
 /sbin/service iptables save
 /sbin/service iptables restart
 echo "Block ALL INPUT from " $i " net DROPPED."
done

What is required

I would like to ban these ip addresses for certain time period say for 1 day (86400 seconds) or more, after that it again open 80 port for them?
How can I send mail to myself i.e. x number of ip addresses banned to access foo.com?
Is there any way my script can be enhance, so that it will read only those ip addresses from /tmp/ip.blocked which are not banned via script (iptables)?

Please advise.

@fukawi2 thanks for the tip. Any other advise you want to give for the remain queries? — Sukhjinder Singh, Dec 19 '12 at 10:30
As mentioned below, use fail2ban instead of reinventing the wheel. — fukawi2, Dec 19 '12 at 22:21

score 3 · Answer 1 · answered Dec 18 '12 at 17:41

3

The usual answer is fail2ban. You may have to customize it a bit in order to read your web access logs.

answered Dec 18 '12 at 17:41

Michael Hampton

237,123
42
477
940

It is complex to work with, so I decided to create my own script. – Sukhjinder Singh Dec 18 '12 at 17:46
1

Fo realz?? fail2ban is as simple a system as I've ever found for this task... I'd be very interested in your script and how much time you put into it. – Chris S Dec 18 '12 at 17:47
Man, i hope you don't ever have to try [DenyHosts...](http://denyhosts.sourceforge.net/) - It blew my mind! – ewwhite Dec 18 '12 at 17:54
@ChrisS I am not expert in regular expression this is one out of many reason why I have not chosen fail2ban. Another major reason is I do not know how to exempt Googlebot and Binngbot as well. Ultimately it's boils down to if you have good knowledge about fail2ban than go with it otherwise if you're a beginner you will be instate where you are banning good users as well without knowing the reason. Between I tried to get answer for fail2ban as well but looks like no one is answering there http://serverfault.com/questions/456959/ip-bases-access-control-list-script – Sukhjinder Singh Dec 18 '12 at 17:58
fail2ban is exactly what you're after. It can handle excluding certain hosts, time-based bans and emailing you. You're far better off investing the time to learn fail2ban, than reinventing the wheel with your own scripts. – fukawi2 Dec 18 '12 at 22:56

Block IP address for certain time period

1 Answers1