0

We are using nginx and seem flooded by an IP address that that's not going away even after putting it in firewall and usng tcpkill.

$ netstat -tn 2>/dev/null | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | head
    22 66.135.60.154
    4 104.25.218.111
    3 66.249.64.6


$ sudo iptables -I INPUT -m iprange --src-range 66.135.60.0-66.135.60.255 -j DROP

$ sudo tcpkill -i eth0 host 66.135.60.154

After thus netstat still shows the IP address. Have tries restarting nginx several times but not helping.

Any idea?

Mugoma J. Okomba
  • 173
  • 3
  • So netstat shows that IP in it's list or is it actually a proxied ip and carried in the x-forwarded-for? – hookenz May 15 '17 at 21:26
  • @Matt can't tell whether it's proxied. How do I identify that? – Mugoma J. Okomba May 15 '17 at 21:29
  • Is your server directly connected to the internet or behind a NAT device/firewall? netstat -L should show the address you're trying to block. If it's not there then you can't do what you're doing. – hookenz May 15 '17 at 21:36
  • If you're still not sure, what is your IP address? what does ifconfig show? – hookenz May 15 '17 at 21:37
  • @Matt We are using `iptables` and not any particular firewall. `netstat -L` gives `netstat: invalid option -- 'L'` – Mugoma J. Okomba May 15 '17 at 21:42
  • sorry just netstat no options. So used to typing -l – hookenz May 15 '17 at 21:48
  • @Matt it's possible something else could be wrong with nginx. At this time we the IPs have disappeared but nginx is still not accessible. it gives **502 Bad Gateway** which might mean either something wrong with nginx itself or with php-pfm – Mugoma J. Okomba May 15 '17 at 22:17
  • Or a misconfiguration. Are you sure 66.135.60.154 is not your own IP range? Seems to resolve to a web page with the words Aljoumhouria. Is that yours? – hookenz May 15 '17 at 22:26
  • @Matt No it's not. But we managed to identify the problem. We had put some rules in the firewall that seemed to have annihilated nginx. We removed the rules and now nginx is working. – Mugoma J. Okomba May 15 '17 at 22:48

0 Answers0