John Bokma's Hacking & Hiking

Blocking unwelcome site traffic using iptables

August 28, 2016

After generating an HTML report of this web site's current access log with GoAccess, I noticed two IPs that had made a lot of requests to my site: 46.161.9.31 and 46.161.9.32. The top Google result for the first IP address led to IP Reports for 46.161.9.31. The IP address originates in the Russian Federation, and the page warns "Lots of activity from this IP in the last few days."

I used SpamCop to look up an abuse email address for 46.161.9.31. The page lists one reporting address: seodedic at gmail.com. An abuse address that refers to search engine optimization (SEO), for an IP address that's suspiciously active on my site: pointless to complain.

A whois lookup showed that both IP addresses belong to the range 46.161.9.0 - 46.161.9.255, with a netname of "seodedic". Time to block this range using iptables.

So I accessed the VPS which hosts this site, changed to the root account and used vi to add the following line to /etc/iptables.up.rules:

-A INPUT -p tcp -s 46.161.9.0/24 -j REJECT

This rule rejects all TCP traffic whose source IP address is in the range 46.161.9.0 - 46.161.9.255, inclusive; the /24 suffix covers all 256 addresses of that network.

After I had written the change back to the file and quit vi I updated the current firewall rules using:

iptables-restore < /etc/iptables.up.rules

A few hours later I generated a new HTML report from the current Apache web server access log using GoAccess. The hit counts for both IP addresses hadn't changed; good.
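The steps above (turn the whois range into a CIDR block, write the iptables-restore line, then check the access log hit counts for that range) as an added Python example; this is not code from the original post, and the sample log lines are constructed, not taken from the site's real access log.

```python
import ipaddress
import re
from collections import Counter

# Apache combined log format: the client IP is the first field.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3})')


def range_to_cidrs(first, last):
    """Convert a whois range (first - last) into the minimal list of CIDR networks."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def reject_rules(first, last, chain="INPUT"):
    """Build the iptables-restore lines that REJECT TCP from every network in the range."""
    return [f"-A {chain} -p tcp -s {net} -j REJECT" for net in range_to_cidrs(first, last)]


def hits_per_ip(log_lines):
    """Count requests per client IP; lines that do not parse are skipped."""
    counts = Counter()
    for line in log_lines:
        m = _LOG_RE.match(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def _in_networks(ip, nets):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # hostname or garbage in the IP field
        return False
    return any(addr in net for net in nets)


def hits_from_range(log_lines, first, last):
    """Total requests whose client IP lies inside the (to be) blocked range."""
    nets = range_to_cidrs(first, last)
    return sum(n for ip, n in hits_per_ip(log_lines).items() if _in_networks(ip, nets))


# Constructed sample access log lines (not the author's real log data).
SAMPLE_LOG = [
    '46.161.9.31 - - [28/Aug/2016:10:00:01 +0000] "GET /blog/ HTTP/1.1" 200 5123',
    '46.161.9.32 - - [28/Aug/2016:10:00:02 +0000] "GET /blog/page-2 HTTP/1.1" 200 4880',
    '46.161.9.31 - - [28/Aug/2016:10:00:03 +0000] "GET /blog/page-3 HTTP/1.1" 200 4711',
    '203.0.113.7 - - [28/Aug/2016:10:00:04 +0000] "GET / HTTP/1.1" 200 2048',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for rule in reject_rules("46.161.9.0", "46.161.9.255"):
        print(rule)
    print(hits_from_range(SAMPLE_LOG, "46.161.9.0", "46.161.9.255"))
```

Running hits_from_range against a fresh access log after the rule is loaded is the same check the post does with GoAccess: the count for the blocked range should stop growing.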