How to restrict IP access on a Linux server (nginx or Apache)

Source: Internet
Author: User

Besides a firewall on the server or in the data center, you can also restrict which IP addresses may access a website from within the nginx or Apache environment itself. Let's take a look.

I have been suffering from spam comments for some time, and the server was once overloaded because of them. For more information, see WordPress spam comments defense. I tried many methods, and in the end I solved the problem by blocking the IP addresses the spam comments came from. Of course, this method is not the best, but it is indeed very practical.

Then some friends asked me how I blocked the spam comments and whether I could share the spam comment IP addresses. Others asked how to extract the spam comment IP addresses from a blog. I am a novice myself.

Nginx Environment

Create a file named denyip.conf in the server's /usr/local/nginx/conf directory and include it from nginx.conf:

include denyip.conf;

Put the IP addresses to block in denyip.conf:

deny 110.83.0.0/16;
deny 110.84.111.0/24;
deny 110.85.124.56;

After saving the file, upload denyip.conf to the /usr/local/nginx/conf directory and restart nginx.

Three blocking forms are listed above. The first line blocks every address in 110.83.*.*, the second line blocks every address in 110.84.111.*, and the third line blocks the single IP address 110.85.124.56.

The first form covers a large range, so it is easy to block legitimate visitors by mistake. The third form is the safest, but the more IP addresses you collect, the larger the file grows, which is not very advisable. The second form is the one I currently use; its advantages and disadvantages lie between the other two. Choose whichever suits you.

Collection of spam comment IP addresses
Someone asked me how to collect these spam comment IP addresses. In fact, it is very easy to do with an SQL statement and then Excel.

First install the Akismet plug-in, which marks spam comments as spam. Install only this one; do not install any other anti-spam comment plug-ins.

SELECT comment_author_IP FROM wp_comments WHERE comment_approved = 'spam';

After executing the query, export these IP addresses, save them in CSV format, then open the file in Excel, sort it, and de-duplicate the IP addresses to obtain the unique spam comment IP addresses.

Once you have the spam comment IP addresses, you can block them with the method above.
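As an added example (not from the original post), the shell script below joins the two steps above: it turns the exported IP list into a denyip.conf for nginx and checks the file before it is loaded, since one malformed line makes nginx reject the whole configuration. The input file name spam_ips.txt and the sample addresses are constructed; the script tolerates a CSV header and blank lines, collapses each host address to its /24 (the second form from the nginx section) and passes CIDR entries through unchanged.

```sh
#!/bin/sh
# Added example, not from the original post. Builds and checks an nginx denyip.conf.
# Assumed input: spam_ips.txt with one IPv4 address or CIDR per line (a CSV header
# line or blank lines are skipped). Output: "deny <addr>;" lines, one per unique entry.

# build_denyip FILE: print deny lines; host addresses are collapsed to their /24
# (the second form from the nginx section), CIDR entries are kept as written.
build_denyip() {
    sort -u "$1" | awk '
        function is_quad(a,   o) {
            return split(a, o, ".") == 4 && o[1] ~ /^[0-9]+$/ && o[2] ~ /^[0-9]+$/ &&
                   o[3] ~ /^[0-9]+$/ && o[4] ~ /^[0-9]+$/
        }
        NF == 0 { next }
        index($0, "/") && is_quad(substr($0, 1, index($0, "/") - 1)) &&
            substr($0, index($0, "/") + 1) ~ /^[0-9]+$/ { print "deny " $0 ";"; next }
        is_quad($0) { split($0, o, "."); print "deny " o[1] "." o[2] "." o[3] ".0/24;"; next }
        { print "skipped non-address line: " $0 > "/dev/stderr" }
    ' | sort -u
}

# check_denyip FILE: exit 0 only if every non-comment line is "deny <ipv4>[/0-32];"
# with each octet in 0-255; anything else is reported on stderr and fails the check.
check_denyip() {
    awk '
        function octet_ok(v) { return v ~ /^[0-9]+$/ && v + 0 <= 255 }
        NF == 0 || $1 ~ /^#/ { next }
        NF != 2 || $1 != "deny" || $2 !~ /;$/ {
            print "bad line " NR ": " $0 > "/dev/stderr"; bad++; next
        }
        {
            addr = $2; sub(/;$/, "", addr)
            n = split(addr, p, "/")
            if (n > 2 || (n == 2 && (p[2] !~ /^[0-9]+$/ || p[2] + 0 > 32))) { bad++; next }
            if (split(p[1], o, ".") != 4 || !octet_ok(o[1]) || !octet_ok(o[2]) ||
                !octet_ok(o[3]) || !octet_ok(o[4])) bad++
        }
        END { exit bad > 0 }
    ' "$1"
}

# Typical run (assumed file names): build, check, then let nginx validate the whole
# configuration before reloading it.
# build_denyip spam_ips.txt > denyip.conf && check_denyip denyip.conf \
#     && nginx -t && nginx -s reload
```

Running `nginx -t` after copying the file in is the check that matters: it parses the included file in the context of the full configuration, so a typo is caught before a restart takes the site down.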

Apache Environment

For hosting space that supports .htaccess:

<Limit GET HEAD POST>
Order allow,deny
Deny from 110.85.104.152
Deny from 110.85.113
Deny from 110.85.113.0/24
Deny from 110.87
Deny from 110.87.0.0/16
Deny from 110.86.167.210 110.86.184.181
Deny from 110.86.185.0/24 110.86.187.0/24
Allow from all
</Limit>
There are many ways to restrict IP addresses in Apache. The first Deny line is the most common form: it restricts a single IP address. The second line expresses the same thing as the third, restricting every address in 110.85.113.*. The fourth and fifth lines are likewise equivalent, restricting every address in 110.87.*.*. The sixth line restricts two individual IP addresses, and the seventh line restricts two IP ranges. Note that multiple entries on one line are separated by spaces.
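As an added example (not from the original post), the shell function below predicts whether the Deny entries in a .htaccess file match a given client address, so a new entry can be checked for over- or under-blocking before it goes live. It models the matching rules of Apache's `Deny from` for the forms the post uses: a full address, a partial address of one to three leading octets, a CIDR range, and the keyword `all`. The file contents and addresses in the test are constructed from the post's entries.

```sh
#!/bin/sh
# Added example, not from the original post: predict whether the "Deny from"
# entries of an Apache 2.2-style .htaccess match a client address.
# Forms handled: full address, partial address (leading octets, matched on an
# octet boundary), CIDR a.b.c.d/n, and "all".

# apache_denies IP FILE: exit 0 if any "Deny from" entry in FILE matches IP.
apache_denies() {
    awk -v ip="$1" '
        # dotted quad -> 32-bit integer (exact in double precision)
        function toint(a,   o) {
            split(a, o, ".")
            return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
        }
        # number of dots tells a partial entry (110.87) from a full one
        function ndots(s) { return gsub(/\./, ".", s) }
        function matches(e,   p, bits, unit) {
            if (tolower(e) == "all" || e == ip) return 1
            if (index(e, "/")) {                 # CIDR: compare the top "bits" bits
                split(e, p, "/"); bits = p[2] + 0
                if (bits <= 0) return 1
                unit = 2 ^ (32 - bits)           # integer division replaces a bit mask
                return int(toint(ip) / unit) == int(toint(p[1]) / unit)
            }
            if (ndots(e) < 3) return index(ip, e ".") == 1   # partial: prefix on octet boundary
            return 0
        }
        tolower($1) == "deny" && tolower($2) == "from" {
            for (i = 3; i <= NF; i++) if (matches($i)) { hit = 1; exit }
        }
        END { exit !hit }
    ' "$2"
}
```

Two caveats worth keeping in mind when reading the block above. `Order allow,deny` means a client matched by both an Allow and a Deny is denied, so `Allow from all` does not undo the Deny entries; and `<Limit GET HEAD POST>` restricts only those three methods, so a request using another method is not subject to the list at all (`<LimitExcept>` or an unscoped directive avoids that gap). On Apache 2.4, `Order`/`Allow`/`Deny` are provided by mod_access_compat; the native replacement is `Require ip` / `Require not ip` from mod_authz_core.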

Spam comment IP addresses I have collected so far
After about a week of statistics, we collected a batch of spam comment IP addresses and ran them through an IP geolocation database in batch; most are in Putian, Fujian, and many are in the United States. If you have suffered from spam comments, you can use this method and these IP addresses. I will update the IP address data regularly.


iptables: allow access only from a specified IP address

Only one specified IP address is allowed to access the server.

vi /etc/sysconfig/iptables

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

-A INPUT -s 165.232.121.17 -j ACCEPT
-A INPUT -j DROP
COMMIT

iptables: restricting access to a port by IP address

Use iptables to restrict access to port 9889 so that only 192.168.1.201, 192.168.1.202 and 192.168.1.203 are allowed; access from any other IP address is dropped.

iptables -I INPUT -p tcp --dport 9889 -j DROP
iptables -I INPUT -s 192.168.1.201 -p tcp --dport 9889 -j ACCEPT
iptables -I INPUT -s 192.168.1.202 -p tcp --dport 9889 -j ACCEPT
iptables -I INPUT -s 192.168.1.203 -p tcp --dport 9889 -j ACCEPT
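The two iptables sections above depend on rule order: iptables stops at the first matching rule, which is why the commands use `-I` (insert at the top) and issue the DROP first so that the ACCEPT rules end up above it. As an added example (not from the original post), the script below generates the same port restriction in iptables-restore format, where `-A` appends in file order, and checks a rules file for an ACCEPT that a catch-all DROP placed earlier would shadow. The port, addresses and file names used in the usage comment are the post's values or constructed placeholders.

```sh
#!/bin/sh
# Added example, not from the original post: generate port-restriction rules in
# iptables-restore format and verify that no catch-all DROP precedes an ACCEPT it
# would shadow. Assumed usage:
#   gen_port_rules 9889 192.168.1.201 192.168.1.202 > port9889.rules
#   rules_order_ok port9889.rules && iptables-restore -n < port9889.rules
# (-n / --noflush keeps the rules already loaded; review the file before loading.)

# gen_port_rules PORT SRC...: one INPUT ACCEPT per source address, then the DROP.
# With -A the file order is the evaluation order, so the DROP must be last.
gen_port_rules() {
    port=$1; shift
    case $port in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
    [ "$#" -gt 0 ] || { echo "no source addresses given" >&2; return 1; }
    for src in "$@"; do                 # refuse anything that is not a dotted quad[/prefix]
        echo "$src" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' \
            || { echo "bad address: $src" >&2; return 1; }
    done
    echo '*filter'
    for src in "$@"; do
        echo "-A INPUT -s $src -p tcp --dport $port -j ACCEPT"
    done
    echo "-A INPUT -p tcp --dport $port -j DROP"
    echo 'COMMIT'
}

# rules_order_ok FILE: exit 1 if an "-A INPUT ... -j DROP" with no source address
# comes before an "-A INPUT -s ... -j ACCEPT" for the same port, or before any such
# ACCEPT when the DROP has no --dport (the whole-server case). That ACCEPT never matches.
rules_order_ok() {
    awk '
        function dport(   i) {
            for (i = 1; i <= NF; i++) if ($i == "--dport") return $(i + 1)
            return ""
        }
        $1 == "-A" && $2 == "INPUT" && $0 ~ /-j DROP$/ && $0 !~ / -s / {
            p = dport(); if (p == "") dropall = 1; else dropped[p] = 1
        }
        $1 == "-A" && $2 == "INPUT" && $0 ~ /-j ACCEPT$/ && $0 ~ / -s / {
            p = dport(); if (dropall || (p in dropped)) bad++
        }
        END { exit bad > 0 }
    ' "$1"
}
```

The whole-server variant from the first iptables section (`-A INPUT -j DROP` after a single ACCEPT) drops everything not explicitly accepted, including loopback traffic and the SSH session the file is being edited from if that session does not come from the allowed address. Checking the file with `rules_order_ok` and confirming the allowed address is your own before loading, with console access available as a fallback, avoids locking yourself out.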


To disable the firewall service permanently, remove it from the services started at boot.

List the services started at boot with chkconfig --list and find the name of the service to turn off:
chkconfig --level 235 <service name> off   (applies to run levels 2, 3 and 5)

The system run level ranges from 0 to 6 and is set in /etc/inittab.

Level 0: Shutdown

Level 1: Single User Mode

Level 2: multi-user command-line mode without networking

Level 3: multi-user command-line mode with networking

Level 4: unused

Level 5: multi-user mode with a graphical interface

Level 6: reboot
