Blocking an IP with iptables
Logged in to the server today and, well, look at this:
tcp 0 0 198.74.121.150:80 38.103.160.12:33873 TIME_WAIT -
tcp 0 0 198.74.121.150:80 38.103.160.12:45654 TIME_WAIT -
tcp 0 0 198.74.121.150:80 38.103.160.12:49337 TIME_WAIT -
tcp 0 0 198.74.121.150:80 38.103.160.12:35410 TIME_WAIT -
tcp 0 0 198.74.121.150:80 38.103.160.12:53982 TIME_WAIT -
tcp 0 0 198.74.121.150:80 38.103.160.12:55487 TIME_WAIT -
tcp 0 0 198.74.121.150:80 38.103.160.12:38964 TIME_WAIT -
tcp 0 0 198.74.121.150:80 38.103.160.12:39560 TIME_WAIT -
tcp 0 0 198.74.121.150:80 38.103.160.12:51861 TIME_WAIT -
tcp 0 0 198.74.121.150:80 38.103.160.12:60211 TIME_WAIT -
tcp 0 0 198.74.121.150:80 38.103.160.12:38490 TIME_WAIT -
tcp 0 0 198.74.121.150:80 38.103.160.12:48588 TIME_WAIT -
tcp 0 0 198.74.121.150:80 38.103.160.12:51625 TIME_WAIT -
tcp 0 0 198.74.121.150:80 38.103.160.12:47497 TIME_WAIT -
tcp 0 0 198.74.121.150:80 38.103.160.12:40164 TIME_WAIT -
tcp 0 0 198.74.121.150:80 38.103.160.12:42071 TIME_WAIT -
tcp 0 0 198.74.121.150:80 38.103.160.12:49687 TIME_WAIT -
tcp 0 0 198.74.121.150:80 38.103.160.12:59726 TIME_WAIT -
tcp 0 0 198.74.121.150:80 38.103.160.12:52097 TIME_WAIT -
tcp 0 0 198.74.121.150:80 38.103.160.12:46378 TIME_WAIT -
This is definitely not normal. To see a count of connections by state, you can use the following command:
netstat -n | awk '/^tcp/ {++S[$NF]} END {for(a in S) print a, S[a]}'
The result:
TIME_WAIT 10968
I just had to laugh. I looked up the IP: it's in the US, and it turns out this IP is also listed on blocklist:
Date +-1 Min +0100: Host: Service: On Server: to: Status:
15.11.2014 15:00:54 cpanel2.ospdx.com bruteforcelogin hacked-joomla/brobot blocked
15.11.2014 12:00:51 cpanel2.ospdx.com bruteforcelogin hacked-joomla/brobot blocked
14.11.2014 21:07:00 cpanel2.ospdx.com bruteforcelogin hacked-joomla/brobot blocked
14.11.2014 18:05:50 cpanel2.ospdx.com bruteforcelogin hacked-joomla/brobot 1 x blocked
12.11.2014 06:04:33 cpanel2.ospdx.com bruteforcelogin hacked-joomla/brobot blocked
12.11.2014 03:07:11 cpanel2.ospdx.com bruteforcelogin hacked-joomla/brobot blocked
12.11.2014 00:10:14 cpanel2.ospdx.com bruteforcelogin hacked-joomla/brobot blocked
11.11.2014 21:10:53 cpanel2.ospdx.com bruteforcelogin hacked-joomla/brobot blocked
11.11.2014 18:09:53 cpanel2.ospdx.com bruteforcelogin hacked-joomla/brobot blocked
11.11.2014 15:05:37 cpanel2.ospdx.com bruteforcelogin hacked-joomla/brobot blocked
11.11.2014 12:08:18 cpanel2.ospdx.com bruteforcelogin hacked-joomla/brobot 1 x blocked
Nothing more to say, just block the IP. Run:
iptables -I INPUT -s ***.***.***.*** -j DROP
To unblock an IP, just change the -I to -D.
Finally, you can use
iptables --list
to view the current rule list.
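As an added example (not from the original post), the per-state count above extended to group TIME_WAIT sockets by remote address, plus an idempotent form of the block rule. SAMPLE_NETSTAT is constructed input in the same shape as the netstat listing above, and the function names are my own.

```shell
#!/bin/sh
# Constructed sample input in the shape of `netstat -n` output (IPv4 only).
SAMPLE_NETSTAT='tcp 0 0 198.74.121.150:80 38.103.160.12:33873 TIME_WAIT -
tcp 0 0 198.74.121.150:80 38.103.160.12:45654 TIME_WAIT -
tcp 0 0 198.74.121.150:80 38.103.160.12:49337 TIME_WAIT -
tcp 0 0 198.74.121.150:80 203.0.113.7:51000 ESTABLISHED -
tcp 0 0 198.74.121.150:22 203.0.113.7:51002 ESTABLISHED -
tcp 0 0 198.74.121.150:80 192.0.2.5:40001 TIME_WAIT -'

# count_state_by_peer STATE MIN   (reads netstat lines on stdin)
# Prints "peer count" for each remote IPv4 address holding at least MIN
# sockets in STATE, busiest first. The state is read from field 6 rather
# than $NF so the parse still works when netstat -p appends a program
# column (the listing above has that column, shown as "-").
count_state_by_peer() {
    awk -v state="$1" -v min="$2" '
        /^tcp/ && $6 == state {
            split($5, peer, ":")   # drop the ephemeral port, keep the address
            n[peer[1]]++
        }
        END { for (p in n) if (n[p] >= min) print p, n[p] }
    ' | sort -k2,2nr
}

# block_cmd IP: the exact rule used in the post, rendered as a string so it
# can be reviewed or logged before anything is applied.
block_cmd() {
    printf 'iptables -I INPUT -s %s -j DROP\n' "$1"
}

# ensure_blocked IP: the same rule, but idempotent. `iptables -C` exits 0
# when a matching rule already exists, so re-running this does not stack
# duplicate rules that `-D` would then have to clear one copy at a time.
ensure_blocked() {
    iptables -C INPUT -s "$1" -j DROP 2>/dev/null ||
        iptables -I INPUT -s "$1" -j DROP
}

# Usage: list peers with 3 or more TIME_WAIT sockets and show the rule for each.
printf '%s\n' "$SAMPLE_NETSTAT" | count_state_by_peer TIME_WAIT 3 |
    while read -r peer count; do
        echo "$peer has $count TIME_WAIT sockets; rule: $(block_cmd "$peer")"
    done
```

Pick the MIN threshold from your own baseline: a busy web server legitimately accumulates TIME_WAIT sockets from many different peers, so what stands out in the listing above is thousands of them from a single address, not the state itself.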