If you have gone through your logs, you will most likely find a lot of login attempts on ssh port. And probably some on the apache service. If you identify these ip’s, here is how to block them from entering your system.
What we in reality will do is to drop all request from their ip’s. We will not even reply that they are blocked. A few reasons for this. First they will waste time, as their system will wait for a timeout to happen. Second they can’t see there is anything on your ip anymore. Another option is to Reject their request instead of dropping it. A reject will tell the connecting system that they are being rejected. They don’t have to wait for a timeout anymore, and they know your system is on that ip. A few reasons why I drop instead of reject.
After going through our logs we find that the IP: 220.127.116.11 needs to be blocked.
We issue following command as root or sudo:
iptables -I INPUT -s 18.104.22.168 -j DROP
The -I means Insert a rule (an Input rule in this case)
The -s is the source for what we want to block
The -j means Jump to target. (our target is DROP)
Now this ip can not longer access any port or service on your system. Then you discover you typed in wrong ip. You wanted to block 22.214.171.124 instead of the ip you just blocked. You will then need to remove the blocking. This can be done in a few different ways, but the cleanest way is to remove it from the iptable config. Here is how:
iptables -L INPUT -n –line-numbers | grep 126.96.36.199
This will return a line number in the very beginning of the output from this command. Lets pretend you have a lot of ip’s in your config, and the ip you want to remove blocking for is on line number 155. You then:
iptables -D INPUT 155
You can now go ahead and block the other ip you wanted to block instead of the first one. If you need to know how to save your iptable config, check this article.