Ufw deny from ip doesn’t seem to be working

Tags: apache-2.4, ufw

I've been tailing my server's access log while working today, and have noticed one of my client's WordPress sites getting hammered with login attempts from an IP from out of the country.

I wanted to deny access from this IP address and tried the following ufw command:

sudo ufw deny from xx.xx.xx.xx to any

I see the rule has been added and the firewall is active, but I'm still seeing a ton of POSTs to the login page from that IP address.

I've also tried to use iptables, though I'm not very familiar with the tool:

sudo iptables -A INPUT -s xx.xx.xx.xx -j DROP

Have I gone about this wrong? I would think that after denying access to the IP address, it wouldn't show up in my Apache access log with a 200 OK status for the POST to the login page.

Edit:
As I mentioned, ufw is active and the rule is in place. Here's the output of ufw status (with the IP blocked out):

root@mel:~# ufw status
Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
80                         ALLOW       Anywhere
1723                       ALLOW       Anywhere
8080                       ALLOW       Anywhere
6273                       ALLOW       Anywhere
36728                      DENY        Anywhere
Anywhere                   DENY        xx.xx.xx.xx
22                         ALLOW       Anywhere (v6)
80                         ALLOW       Anywhere (v6)
1723                       ALLOW       Anywhere (v6)
8080                       ALLOW       Anywhere (v6)
6273                       ALLOW       Anywhere (v6)
36728                      DENY        Anywhere (v6)

Best Answer

The order of the firewall rules is important. Since you have allowed port 80 for all at the beginning, this rule will match all requests, and the deny rule that comes later will never be matched.

So, if you need to block something in particular, put it at the beginning and then allow all.

To see your rules with a reference number, use this:

sudo ufw status numbered

Then remove the deny rule first that you have added:

sudo ufw delete rule_number_here

Then add it again at the top:

sudo ufw insert 1 deny from xx.xx.xx.xx to any

For further reference: https://help.ubuntu.com/community/UFW#Deny_Access

Please also note that ufw is not the best tool to mitigate such attacks. Try fail2ban, which can do this dynamically.
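To make the ordering point concrete, here is an added example (not from the question or the answer): a small first-match evaluator run over the `ufw status` table posted in the question. It reads the IPv4 rows, asks which rule a POST to port 80 from xx.xx.xx.xx hits in the posted order, and then repeats the check after the deny rule is moved to position 1 as the answer recommends. The parsing and matching logic are a simplification of ufw's behaviour written for illustration, not ufw's own code.

```python
# Added example, not from the question or answer: a first-match evaluator
# over the ufw status table posted above. It shows why the DENY rule never
# fires in the posted order and why moving it to position 1 fixes that.

def parse_ufw_status(text):
    """Return (to, action, from) tuples from `ufw status` output, IPv4 rows only."""
    rules = []
    for line in text.splitlines():
        parts = line.split()          # "(v6)" rows have 4 fields and are skipped
        if len(parts) == 3 and parts[1] in ("ALLOW", "DENY"):
            rules.append((parts[0], parts[1], parts[2]))
    return rules

def first_match(rules, dst_port, src_ip):
    """ufw checks rules top to bottom; the first rule that matches decides."""
    for index, (to, action, src) in enumerate(rules, start=1):
        if to in ("Anywhere", str(dst_port)) and src in ("Anywhere", src_ip):
            return index, action
    return None, "DEFAULT"

# Copy of the status output from the question; xx.xx.xx.xx is the asker's placeholder.
POSTED_STATUS = """\
To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
80                         ALLOW       Anywhere
1723                       ALLOW       Anywhere
8080                       ALLOW       Anywhere
6273                       ALLOW       Anywhere
36728                      DENY        Anywhere
Anywhere                   DENY        xx.xx.xx.xx
22                         ALLOW       Anywhere (v6)
"""
ATTACKER = "xx.xx.xx.xx"

def verdict_as_posted():
    """HTTP POST to port 80 from the attacker with the rules as posted."""
    return first_match(parse_ufw_status(POSTED_STATUS), 80, ATTACKER)

def verdict_after_insert_1():
    """Same packet after `ufw delete <n>` and `ufw insert 1 deny from ... to any`."""
    rules = parse_ufw_status(POSTED_STATUS)
    deny = next(r for r in rules if r[1] == "DENY" and r[2] == ATTACKER)
    rules.remove(deny)
    rules.insert(0, deny)
    return first_match(rules, 80, ATTACKER)

if __name__ == "__main__":
    print("as posted:      ", verdict_as_posted())        # (2, 'ALLOW')
    print("after insert 1: ", verdict_after_insert_1())   # (1, 'DENY')
```

Running it prints that the posted order lets the packet through on rule 2 (the `80 ALLOW Anywhere` rule) while the reordered table denies it on rule 1, which is exactly why the login POSTs kept reaching Apache.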
