
How can I block all the incoming traffic from unresolved IP addresses? I am using CentOS with WHM/cPanel installed. I am getting huge junk traffic and 95% is from unresolved IP addresses and only 5% from resolved IP addresses. Is there any easy way to block the inbound traffic from all unresolved IP addresses?

I am afraid I am even having trouble with DDoS attacks; AWStats is showing that I am getting thousands of hits every minute and none of them are useful.

Any help is highly appreciated.

Thanks

Kars

2 Answers


If you're talking about "unresolved IPs" as seen in AWStats, then no. There is no way to do this from a firewall.

"Unresolved" refers to the fact that the IP address has no reverse DNS set up. This is becoming the norm for "non-servers"! This means that IF you could block based on this, you'd block a lot of DSL lines and other home-user connections.

Technically, blocking an IP based on whether or not it has reverse DNS would require a DNS lookup for each new IP. DNS lookups can be slow, like several seconds slow, and having to do this inline in a firewall would simply slow everything down with a vengeance.

Sorry.

thelogix

I agree with @thelogix that this is probably a Very Bad Idea because it would block legitimate users and - depending on its implementation - possibly slow down your service.

But if you still want to do it, here are two ways of doing it.

First thing, you want to set up a local DNS cache to speed things up. Set high TTLs for negative caching (in the case of BIND, look for 'max-ncache-ttl'). And make sure your system is actually using it.

Now you have two possible strategies: When a new client request comes in, do you want to

  1. First make a reverse DNS lookup and wait for its result before you decide whether or not to accept the connection? Veeerryy slowwww

  2. Allow the TCP handshake to proceed, and only block the IP address in hindsight once you have learned that it has no valid PTR record?

For strategy 1 (check before allow): Many webservers can do client authentication based on reverse DNS. You might have to play with Regex a bit or compile a list of all TLDs in order to setup a rule that matches any domain name, but no IP address.

  • For Apache, look up Require host from the 'mod_authz_host' module, e.g.
# ... list every TLD here; httpd does not accept a comment on the same line as a directive
Require host .com .net .org .edu .us .uk .jp
  • For nginx, look up rdns_allow from the 3rd party module 'HttpRdnsModule'. I haven't used it myself, but something like this should work:
rdns_allow .*[a-zA-Z];
deny all;

If your web service doesn't support this feature, you could put nginx or apache as a reverse http proxy in front.

For strategy 2 (block lazily): Make the web service log the reverse DNS name of the client (Apache: HostnameLookups; nginx: not sure, maybe the above rDNS module again). Then install fail2ban. Most Linux distributions come with a reasonably pre-configured fail2ban package. Configure it to watch the web log, match (non-resolved) IP addresses and block that very IP address.

Note that fail2ban by default blocks in the iptables 'filter' table. In most cases, that will not block TCP connections that are already established. If you want fail2ban to cut established connections, configure it to 'DROP' in the 'mangle' table (e.g. the mangle chains 'PREROUTING' or 'INPUT').

Nils Toedtmann
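As an added illustration of the "block lazily" strategy from the answer above (this is example code, not part of the answer or of fail2ban itself): a small Python script that does what a fail2ban filter plus its ban action would do over an Apache "combined" access log written with HostnameLookups On, where the first field is the client's PTR name if one exists and the bare IP address otherwise. The log lines, the hit threshold and the allowlist are constructed for the example; the client-field regex only mirrors the spirit of a fail2ban failregex, and the emitted commands are printed rather than executed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log (not real traffic). With HostnameLookups On, Apache
# writes the PTR name as the first field; clients with no PTR appear as IPs.
SAMPLE_LOG = """\
host-12.example.net - - [10/Oct/2012:13:55:36 +0000] "GET / HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2012:13:55:37 +0000] "GET /wp-login.php HTTP/1.1" 200 512 "-" "-"
203.0.113.7 - - [10/Oct/2012:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "-"
203.0.113.7 - - [10/Oct/2012:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "-"
2001:db8::1 - - [10/Oct/2012:13:55:39 +0000] "GET / HTTP/1.1" 200 2326 "-" "curl/7.26"
crawler.search.example - - [10/Oct/2012:13:55:40 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "bot"
198.51.100.23 - - [10/Oct/2012:13:55:41 +0000] "GET / HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
"""

# The client field is everything up to the first space; the "[" anchors the
# timestamp so that a malformed line is skipped rather than misparsed.
CLIENT_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[')


def is_ip_literal(field):
    """True if the logged client field is a bare IPv4/IPv6 address, i.e. no PTR was found."""
    try:
        ipaddress.ip_address(field)
        return True
    except ValueError:
        return False


def unresolved_hits(log_text):
    """Count hits per client whose first field is an IP literal (an 'unresolved' client)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = CLIENT_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        client = m.group('client')
        if is_ip_literal(client):
            hits[client] += 1
    return hits


def ban_candidates(log_text, maxretry=2, allowlist=()):
    """IPs with at least `maxretry` unresolved hits, minus anything in the allowlist.

    `maxretry` plays the role of fail2ban's maxretry; `allowlist` is a tuple of
    CIDR strings (your own monitoring hosts, office ranges, etc.) that must
    never be banned even when they lack a PTR record.
    """
    allow = [ipaddress.ip_network(net) for net in allowlist]
    banned = []
    for ip, count in unresolved_hits(log_text).items():
        addr = ipaddress.ip_address(ip)
        if count >= maxretry and not any(addr in net for net in allow):
            banned.append(ip)
    # Sort IPv4 before IPv6, numerically within each family (mixed families do not compare).
    return sorted(banned, key=lambda s: (ipaddress.ip_address(s).version, ipaddress.ip_address(s)))


def iptables_rules(ips, table='filter', chain='INPUT'):
    """The commands a ban action would run; table='mangle', chain='PREROUTING' to also cut established flows."""
    rules = []
    for ip in ips:
        tool = 'ip6tables' if ':' in ip else 'iptables'
        rules.append(f'{tool} -t {table} -I {chain} -s {ip} -j DROP')
    return rules


if __name__ == '__main__':
    for cmd in iptables_rules(ban_candidates(SAMPLE_LOG, maxretry=2)):
        print(cmd)
```

Run on the sample log with maxretry=2 the script only flags 203.0.113.7, which hit the login page three times without a PTR; the single-hit clients 198.51.100.23 and 2001:db8::1 stay untouched, which is the point of banning lazily rather than on first contact. The allowlist check is the one piece a real deployment must not skip: without it, a monitoring box or an office NAT with no reverse record ends up in the same DROP rule as the junk traffic.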