August 28, 2016
After having generated an HTML report with GoAccess of this web site's current access log I noticed two IPs that had made a lot of requests to my site; 220.127.116.11 and 18.104.22.168. The top search in Google for the first IP address led to IP Reports for 22.214.171.124. The origin of the IP address is the Russian Federation, and the page warns "Lots of activity from this IP in the last few days."
I used SpamCop to look up an abuse email address for 126.96.36.199. The page lists one reporting address: seodedic at gmail.com. An abuse address referring to search engine optimization (SEO) for an IP address that's suspiciously active on my site; pointless to complain.
A whois look up showed that both IP addresses belong to the range 188.8.131.52 - 184.108.40.206 with a netname of "seodedic". Time to block this range using
So I accessed the VPS which hosts this site, changed to the root account and used
vi to add the following line to
-A INPUT -p tcp -s 220.127.116.11/24 -j REJECT
This rule rejects all TCP traffic with a source IP address in range 18.104.22.168 - 22.214.171.124, inclusive.
After I had written the change back to the file and quit
vi I updated the current firewall rules using:
iptables-restore < /etc/iptables.up.rules
A few hours later I generated a new HTML report from the current Apache web server access log using GoAccess. The hit counts for both IP addresses hadn't changed; good.
Blog - Email - Twitter