# BAN an IP..

## Gentoo_boy

I've got 2 noob questions..  :Smile: 

1) How to BAN someone's IP forever using "hosts.deny"?

2) Is there any other way to BAN an IP forever (using Apache)?

please answer me.. any idea/tips would be just great..

Thanks in advance

----------

## tycho1983

just create a kernel firewall rule ....

----------

## Gentoo_boy

 *tycho1983 wrote:*   

> just create a kernel firewall rule ....

 

How to do that, could you please explain it clearly? 

Thanks.

----------

## Evil Dark Archon

you could always use the firewall module of webmin (emerge webmin if you don't have it). but there are quite a few iptables front-ends in portage; just browse the net-firewall directory of portage. just beware that some of them are old and might not compile.

----------

## Gentoo_boy

I never heard about webmin, will try though.. thanks for the information.

Btw, do you guys think that 'host.deny' is less powerful to BAN an IP?

I've tried 'host.deny' (ALL: IP_ADDRESS), it doesn't seem to be working for me..  :Sad:  Could anyone tell me what's wrong with it?

----------

## abali

/etc/hosts.{deny,allow} are taken into account only by applications that use the so-called TCP wrapper (sys-apps/tcp-wrappers). Apache is not such an application, while openssh (and all other packages that recognize the "tcpd" USE flag) are. Therefore to ban an IP for all applications regardless of whether they use the TCP wrapper or not, you'll have to use kernel-level firewall rules. Such rules can be entered using the "iptables" program, which has a great two-part tutorial in the "Documentation, tips & tricks" section of this forum. To simply block all incoming packets from a specific IP, you'd have to use the following command (provided you have all the prerequisites installed):

```
$ iptables -A INPUT -s 1.2.3.4 -j DROP
```

This will cause all network packets coming from 1.2.3.4 to be dropped silently and without a response, which means that anyone using this IP address will not be able to initiate a connection to your box, nor to transmit replies to requests sent by you.

As has been already suggested, you might want to have a look at one of the frontends for iptables (webmin is a web-based one, surely there are more lightweight solutions) if you want to have a lot of rules or do not feel motivated enough to learn the syntax.  :Smile: 
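Added example (not from the thread or from tcp-wrappers itself): a small Python model of the order in which tcpd consults hosts.allow and hosts.deny, so you can check what an `ALL: 1.2.3.4` line actually does for a wrapped daemon such as sshd. It covers a subset of the hosts_access(5) patterns (ALL, exact address, trailing-dot prefix, net/mask, EXCEPT); the file contents and addresses are constructed, and Apache, which does not use the wrapper, is unaffected by either file.

```python
import ipaddress
import re

# Constructed sample files (not from the thread). tcpd checks hosts.allow first,
# then hosts.deny; a client that matches neither file is allowed.
HOSTS_ALLOW = """# constructed sample
sshd: 192.168.1.
"""
HOSTS_DENY = """# constructed sample: the ban asked about in the thread
ALL: 1.2.3.4
sshd: ALL EXCEPT 10.0.0.0/8
"""

def _client_matches(pattern, ip):
    """Subset of hosts_access(5) client patterns: ALL, exact IP,
    trailing-dot prefix (192.168.) and net/mask (10.0.0.0/8 or /255.0.0.0)."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return ip.startswith(pattern)
    if "/" in pattern:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern == ip

def _daemon_matches(pattern, daemon):
    return pattern in ("ALL", daemon)

def _list_matches(field, name, match_one):
    """A comma/space separated list, optionally followed by 'EXCEPT <list>'."""
    parts = re.split(r"\s+EXCEPT\s+", field.strip(), maxsplit=1)
    if not any(match_one(p, name) for p in re.split(r"[,\s]+", parts[0])):
        return False
    return len(parts) == 1 or not _list_matches(parts[1], name, match_one)

def _file_matches(text, daemon, ip):
    """True if any 'daemon_list : client_list [: ...]' line in text matches."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split(":", 2)   # drop comments, keep 2 fields
        if len(fields) < 2:
            continue
        if (_list_matches(fields[0], daemon, _daemon_matches)
                and _list_matches(fields[1], ip, _client_matches)):
            return True
    return False

def tcpd_allows(daemon, ip, hosts_allow=HOSTS_ALLOW, hosts_deny=HOSTS_DENY):
    """The wrapper's decision for (daemon, client ip): allow wins, then deny, else allow."""
    if _file_matches(hosts_allow, daemon, ip):
        return True
    if _file_matches(hosts_deny, daemon, ip):
        return False
    return True
```

Run `tcpd_allows("sshd", "1.2.3.4")` to see the ban take effect, and note that `tcpd_allows("sshd", "192.168.1.7")` is allowed even though the deny file's `sshd: ALL EXCEPT ...` line would otherwise match, because hosts.allow is consulted first.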

----------

## ignarus

doesn't this cause a lot of overhead/danger for kernel packet routing ?? I had thought about doing this, but I'm afraid I'll crash my own system when addresses that'll be dropped get put in the input table over time

----------

## MrUlterior

 *ignarus wrote:*   

> doesn't this cause a lot of overhead/danger for kernel packet routing ?? I had thought about doing this, but I'm afraid I'll crash my own system when addresses that'll be dropped get put in the input table over time

 

Lol, not unless we're talking about the TCP stack on your pocket calculator here ...

----------

