### 1 在防火墙（iptables）封 IP
# Show the persistent rule set (RHEL-family path; /etc/init.d/iptables reloads it on restart).
cat </etc/sysconfig/iptables
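# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
#
# Review notes. iptables evaluates a chain top to bottom and the FIRST matching
# rule decides, so rule order is the semantics of this file.
#  * The chain policies are ACCEPT; the host is only closed by the final
#    "-j REJECT" rules. If those are ever dropped, everything is let in. A
#    DROP policy would be the defence-in-depth choice.
#  * The per-IP REJECT rules for port 80 must stay ABOVE the general
#    "--dport 80 -j ACCEPT" rule; a blocklist entry appended after it is dead.
#  * REJECT answers the sender (ICMP host-prohibited / TCP RST). For abusive
#    hosts DROP is the usual choice so they get no feedback; kept as REJECT
#    here to preserve the existing behaviour.
#  * Many services are accepted from ANY source: rsync (873), SNMP (161/udp),
#    11211 (memcached's default port), NRPE (5666), VNC (5901), NFS (2049),
#    MySQL (3306), 9999, 4948 and 20000:20500. Each should carry a
#    "-s <trusted-net>/<mask>" restriction unless it genuinely must be public;
#    an unauthenticated memcached, a database, NFS or VNC reachable from the
#    Internet is a well-known compromise vector. Trusted networks are
#    site-specific, so none are guessed here - add them.
#  * "-i lo" and "ESTABLISHED,RELATED" are conventionally the first two rules
#    (cheaper, and they are what most packets hit). They are left where they
#    are because moving them above the per-IP REJECTs would let an already
#    open connection from a blocked address keep going.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
#-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8084 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# ---- HTTP blocklist: one REJECT per abusive source address. Add new entries
# ---- in this section, i.e. before the "--dport 80 -j ACCEPT" rule below.
-A INPUT -s 117.135.144.51 -p TCP --dport 80 -j REJECT
-A INPUT -s 221.226.83.196 -p TCP --dport 80 -j REJECT
-A INPUT -s 183.21.229.224 -p TCP --dport 80 -j REJECT
#-A INPUT -s 211.157.135.2 -p TCP --dport 80 -j REJECT
-A INPUT -s 182.201.30.90 -p TCP --dport 80 -j REJECT
-A INPUT -s 58.135.84.45 -p TCP --dport 80 -j REJECT
-A INPUT -s 114.252.158.120 -p TCP --dport 80 -j REJECT
-A INPUT -s 124.127.182.6 -p TCP --dport 80 -j REJECT
-A INPUT -s 121.69.86.2 -p TCP --dport 80 -j REJECT
# (a second, identical entry for 221.226.83.196 was here; it could never match
#  because the first one already rejects that address, so it was removed)
-A INPUT -s 182.92.74.178 -p TCP --dport 80 -j REJECT
-A INPUT -s 111.126.72.42 -p TCP --dport 80 -j REJECT
-A INPUT -s 222.249.171.146 -p TCP --dport 80 -j REJECT
-A INPUT -s 113.9.245.3 -p TCP --dport 80 -j REJECT
-A INPUT -s 61.187.56.174 -p TCP --dport 80 -j REJECT
-A INPUT -s 183.129.217.146 -p TCP --dport 80 -j REJECT
-A INPUT -s 182.118.33.6 -p TCP --dport 80 -j REJECT
# ---- end of HTTP blocklist; everyone else reaches the web server.
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 873 -j ACCEPT
# Redundant: the stateful port-21 rule above already admits new connections and
# ESTABLISHED traffic is admitted further down; this rule only adds
# INVALID-state packets on port 21. Kept to preserve behaviour; candidate for
# removal.
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p udp -m udp --dport 161 -j ACCEPT
#-A INPUT -p icmp -j REJECT
-A INPUT -p tcp -m tcp --dport 11211 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5666 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5901 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2049 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9999 -j ACCEPT
# Presumably the FTP passive-mode data range (pairs with port 21 above) -
# confirm against the FTP server's configuration.
-A INPUT -p tcp -m state --state NEW -m tcp --dport 20000:20500 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 4948 -j ACCEPT
# Catch-all: anything not accepted above is rejected. This rule, not the chain
# policy, is what closes the host.
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT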
要封 IP，直接复制一行 REJECT 规则、把 IP 改成要封的地址即可。注意 iptables 按顺序匹配、首条命中即生效：新加的这一行必须放在 `-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT` 之前，放在它后面永远不会被匹配到。改完后执行 `/etc/init.d/iptables restart` 重新加载（会清空并重载全部规则）；不想重启的话，也可以用 `iptables -I INPUT -s <IP> -p tcp --dport 80 -j REJECT` 插到链首立即生效，再用 `service iptables save` 写回此文件。
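# Top talkers: requests per client address in the access log, busiest first.
# Field 1 is the remote host in Apache's common/combined log formats. Behind a
# reverse proxy or CDN it is the proxy's address, not the client's; blocking it
# would block every user - use the X-Forwarded-For field (or the client IP
# restored by mod_remoteip) in that case. awk reads the file directly; the
# original "cat file |" was redundant.
awk '{print $1}' access.log | sort | uniq -c | sort -nr | less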
### 2 Apache 配置文件封 IP，拒绝访问
<Directory "/var/www">
# Whitelist: only the listed networks may reach /var/www; everyone else gets 403.
# NOTE: "Options All" (Indexes, Includes, ExecCGI, FollowSymLinks, ...) is
# unrelated to the access control shown here and broader than a hardened host
# needs; consider "Options None" plus only what this directory requires.
Options All
AllowOverride None
# Deny,Allow: Deny directives are evaluated first, then Allow; a matching Allow
# overrides the Deny. Hence "Deny From all" + explicit Allow lines = whitelist.
# (Apache 2.2 syntax; 2.4 needs mod_access_compat or "Require ip ...".)
# The address matched is the TCP peer - behind a reverse proxy that is the
# proxy, unless mod_remoteip restores the client address first.
Order Deny,Allow
Deny From all
Allow From 192.168.0.0/24
Allow From 127.0.0.1
# 59.37.x.x/28 is a placeholder - substitute the real network address.
Allow From 59.37.x.x/28
</Directory>
上面这一段的意思是：对 /var/www 目录下的文件，只允许来自 192.168.0.0/24、127.0.0.1 和 59.37.x.x/28 这几个 IP 段的客户端访问（Order Deny,Allow 时先评估 Deny 再评估 Allow，Allow 命中则覆盖 Deny，所以 Deny From all 加上若干 Allow 就构成白名单）。注意 Apache 匹配的是 TCP 连接的对端地址：如果前面有反向代理或 CDN，需要先用 mod_remoteip（或 mod_rpaf）还原真实客户端 IP，否则规则匹配到的是代理地址。另外 Order/Allow/Deny 是 Apache 2.2 的写法，2.4 需要加载 mod_access_compat，或改用 `Require ip ...`。
下面这一段与上面相反：允许所有人访问，只禁止 192.168.0.x 和 127.0.0.1。注意黑名单必须写成 Order Allow,Deny（先评估 Allow，再评估 Deny，Deny 命中即拒绝）；如果写成 Order Deny,Allow，Allow 会在 Deny 之后评估，`Allow From all` 就会覆盖所有 Deny，这两个地址实际上仍然可以访问。
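<Directory "/var/www">
# Blacklist: everyone may access /var/www EXCEPT the listed addresses.
# NOTE: "Options All" (Indexes, Includes, ExecCGI, FollowSymLinks, ...) is
# unrelated to access control and wider than a hardened server needs;
# prefer "Options None" plus only what this directory really requires.
Options All
AllowOverride None
# Must be Allow,Deny for a blacklist: Allow directives are evaluated first,
# then Deny, and a matching Deny wins. With "Order Deny,Allow" (the original)
# the Allow directives are evaluated LAST, so "Allow From all" overrode every
# Deny below and the listed hosts were still admitted.
Order Allow,Deny
Allow From all
# A partial address matches by leading octets: 192.168.0 == 192.168.0.0/24.
Deny From 192.168.0
Deny From 127.0.0.1
</Directory>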
这里可以用 Include 把想要限制或允许的 IP 写在单独的文件里再包含进来，这样修改名单时不必改主配置。路径相对于 ServerRoot；Apache 2.2 的 Include 在文件不存在时会导致启动失败。例如：
<Directory "/var/www">
# Same whitelist pattern as above, but the Allow lines live in a separate file
# so the list can be edited without touching the main configuration.
Options All
AllowOverride None
Order Deny,Allow
Deny From all
# Directive names are case-insensitive, so "include" == "Include". The path is
# relative to ServerRoot, and Apache fails to start if the file is missing.
# If the file is empty, "Deny From all" stands and nobody can reach /var/www.
include conf/ip.conf
</Directory>
然后在 ip.conf 中增加想要 allow 的 IP。上面已经写了 Deny From all，所以这个文件为空时没有任何客户端能访问；比如：
# conf/ip.conf - one "Allow From" per permitted client or network. It is pulled
# into the <Directory "/var/www"> section after "Deny From all", so only these
# addresses are admitted. 59.37.x.x/28 is a placeholder for a real network.
Allow From 192.168.0.0/24
Allow From 127.0.0.1
Allow From 59.37.x.x/28
这样方便以后修改