Posted by: gerritvisagie on: November 8, 2011
I use 2 packages on my Ubuntu server to have a look at what is going on.
Run it and have a look: it shows the source IP addresses and the ports being accessed.
Press P to display ports and N for DNS resolution
Personally I prefer it off
You can look up any suspicious IP addresses at ip-lookup.net/
Now look for any suspicious IP addresses that should not be accessing the server, especially over SSH, and for anything moving high volumes of data, in particular foreign servers connecting to your port 25 (SMTP).
Set up SMTP authentication or block them with a firewall rule (see the next section).
If a connection does not originate from your country or a neighbouring one, it is a safe bet to block it; just make sure not to block newer services such as the BlackBerry servers, which for Africa originate from countries like the UK.
iptables is installed by default on the server.
For a really nice extensive overview visit: https://help.ubuntu.com/community/IptablesHowTo
First, how to see whether you have any rules on your firewall:
iptables --list
If the very first rule listed under Chain INPUT reads
ACCEPT all -- anywhere anywhere
you will have to use the -I option, which inserts the rule at the front of the chain (-A appends it to the end).
iptables evaluates the rules in a chain from the top and stops at the first match, so an ACCEPT all -- anywhere anywhere rule at the top means none of the rules below it will ever be reached.
To block a specific range:
iptables -I INPUT -p tcp -m iprange --src-range 180.0.0.0-180.255.255.255 -j DROP
To block a specific IP address:
iptables -I INPUT -s 180.76.5.0 -j DROP
And to drop an SMTP connection from a specific host (iptables has no smtp protocol name, so match TCP and destination port 25):
iptables -I INPUT -s 196.215.3.214 -p tcp --dport 25 -j DROP
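A small script tying the steps above together, added here as an example and not part of the original post. It builds the three rules shown above from helper functions, checks an INPUT listing for a leading unconditional ACCEPT all rule (the case where appended rules would never be reached), and by default only prints the commands; it executes them only when APPLY=1 is set and it runs as root. The addresses are the ones used above and the two sample listings are constructed for illustration, not captured from a real server.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds the iptables rules
# described above and checks an INPUT listing for a leading unconditional
# ACCEPT. Dry run by default: commands are printed, not executed, unless
# APPLY=1 is set and the script runs as root.

# Emit a DROP rule for one host. -I inserts at position 1 of INPUT, so the
# rule is evaluated before any ACCEPT rule already in the chain.
block_host() {
    printf 'iptables -I INPUT -s %s -j DROP\n' "$1"
}

# Emit a DROP rule for an inclusive address range via the iprange match.
# -p tcp keeps it to TCP as in the post; drop -p to cover every protocol.
block_range() {
    printf 'iptables -I INPUT -p tcp -m iprange --src-range %s-%s -j DROP\n' "$1" "$2"
}

# Emit a DROP rule for SMTP from one host. iptables has no "smtp" protocol
# name: match TCP and destination port 25.
block_smtp_from() {
    printf 'iptables -I INPUT -s %s -p tcp --dport 25 -j DROP\n' "$1"
}

# Read "iptables -L INPUT" (with or without -n) on stdin. Exit 0 when the
# first rule is an unconditional "ACCEPT all" from anywhere to anywhere,
# which would shadow every rule appended (-A) after it. A rule with an
# extra match, e.g. "state RELATED,ESTABLISHED", has more than five
# columns and is not unconditional.
first_rule_accepts_all() {
    awk '
        BEGIN { status = 1 }
        NR <= 2 { next }            # "Chain INPUT (policy ...)" and column header
        NF == 0 { next }
        {
            if ($1 == "ACCEPT" && $2 == "all" && NF == 5 &&
                ($4 == "0.0.0.0/0" || $4 == "anywhere") &&
                ($5 == "0.0.0.0/0" || $5 == "anywhere"))
                status = 0
            exit
        }
        END { exit status }
    '
}

# Rules for the addresses used as examples in the post.
generate_rules() {
    block_range 180.0.0.0 180.255.255.255
    block_host 180.76.5.0
    block_smtp_from 196.215.3.214
}

# Print the generated commands, or run them when APPLY=1 and we are root.
apply_or_print() {
    if [ "${APPLY:-0}" = "1" ] && [ "$(id -u)" = "0" ]; then
        sh -e
    else
        cat
    fi
}

# Constructed sample listings (not captured from a real server).
LISTING_OPEN='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0'

LISTING_STATEFUL='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
DROP       all  --  180.76.5.0           0.0.0.0/0'

if printf '%s\n' "$LISTING_OPEN" | first_rule_accepts_all; then
    echo '# first INPUT rule is an unconditional ACCEPT: insert with -I, never append with -A' >&2
fi
generate_rules | apply_or_print
```

Two practical notes: the range 180.0.0.0-180.255.255.255 is exactly 180.0.0.0/8, so `-s 180.0.0.0/8` does the same job without the iprange module; and rules inserted at the command line live only in the running kernel and are gone after a reboot unless saved, for example with iptables-save as described in the Ubuntu howto linked above.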