Linux Server (Nginx or Apache) methods to restrict IP access

The recent period of time has been plagued by spam comments, the server was once too high and downtime, see: wordpress spam Comment defense. Start to try a lot of methods can not be a good solution to the problem, and finally by shielding spam comments IP way, is solved this problem, of course, this method is not the best, but it is a very practical method.

Then some friends asked me how to screen these spam comments IP, and can share the spam comments IP, and friends ask how to extract their blog spam comments IP, this a little explanation, master skipped, I am a rookie.

Under Nginx Environment

Create a new denyip.conf file in the nginx.conf of the server/usr/local/nginx/conf directory, plus

Include denyip.conf;
Put the screened IP inside the denyip.conf

Deny 110.83.0.0/16;

Deny 110.84.111.0/24;

Deny 110.85.124.56;

After the save will denyip.conf upload to the/usr/local/nginx/conf directory, after the fix remember to restart Nginx.

Above I enumerated 3 in the Shield type, the first line is the shielding 110.83.*.* all IP, the second line is the shielding 110.84.111.* all IP, the third row is only shields 110.85.124.56 this IP.

The first line of shielding a larger range, it is easy to block, the third line of the most secure, but the more IP led to file will be very large, it is not too desirable, the second line of the way I currently use, the advantages of the disadvantage between 2 of this, we can freely choose.

Collection of spam Comment IP
Someone asked me how to collect these spam comment IP, in fact very simple, a SQL is done, and then excle processing.

First installs the Akismet plug-in, this plug-in will mark the spam comment as spam, only installs this one to be possible, any other anti-comment plugin does not install.

SELECT ' comment_author_ip ' from ' wp_comments ' WHERE ' comment_approved ' = ' spam '
After the implementation, export these IP, save CSV format, and then directly with excle Open, sort, go heavy, you get the only spam comment IP.

After you get the spam comments, you can follow the instructions above.

In Apache Environment

Space support. htaccess

<limit Get head post>

Order Allow,deny

Deny from 110.85.104.152

Deny from 110.85.113

Deny from 110.85.113.0/24

Deny from 110.87

Deny from 110.87.0.0/16

Deny from 110.86.167.210 110.86.184.181

Deny from 110.86.185.0/24 110.86.187.0/24

Allow from all

</Limit>
Apache on the restrictions on the way IP is written more than a variety of IP began the first line, is the most common limit unique IP, the second line with the third line of content is the same, limited 110.85.113.* all the IP; line 45th is the same, restricting all IP under 110.87.*.* Line six is to limit the 2 IP, the 7th line is to display the two IP segments; note that multiple IP restrictions are separated by spaces.

Currently I collect the spam comment IP
After about a week of statistics, the current collection of a group of spam comments IP, with the pure IP batch ran these IP, which is the majority of Putian city in Fujian, the United States are also many. If you are also suffering from spam comments, you can use this method and IP, I will regularly update the IP data.

iptables IP restrict access to specified IP access

Allow only one IP access server specified

Vi/etc/sysconfig/iptables

*filter
: INPUT ACCEPT [0:0]
: FORWARD ACCEPT [0:0]
: OUTPUT ACCEPT [0:0]

-A input-s 165.232.121.17-j ACCEPT
-A input-j DROP
COMMIT

Iptables Restrict IP Access

Restrict access via iptables to Port 9889 (only 192.168.1.201, 192.168.1.202, 192.168.1.203), and no other IP
Iptables-i input-p TCP--dport 9889-j DROP
Iptables-i input-s 192.168.1.201-p TCP--dport 9889-j ACCEPT
Iptables-i input-s 192.168.1.202-p TCP--dport 9889-j ACCEPT
Iptables-i input-s 192.168.1.203-p TCP--dport 9889-j ACCEPT

If your previous firewall is set to permanently shut down, you need to remove

Chkconfig--list View Boot service, find the service name you want to turn off
Chkconfig--level 235 Service name off "at level 3 and 5 for boot service"

The system runs at a level of 0-6, just 0-6 in/etc/inittab.

Level 0 means: the shutdown

Level 1: Single user mode

Level 2 means: Multi-user command-line mode with no network connection

Level 3 means: Multi-user command-line mode with network connections

Level 4 indicates: Not available

Level 5 means: Multi-user mode with graphical interface

Level 6 says: Reboot 2011/10/26