How to Locate and Block IP Addresses in WHM and via SSH
This article provides instructions on how to find and manage IP addresses that are making significant numbers of requests to your server using WHM and SSH, as well as how to block those IPs using the CSF (ConfigServer Security & Firewall) plugin in WHM or directly through the command line.
Finding IP Addresses
To locate IP addresses that are making the most connections to your server:
- Log into your WHM account using your root credentials.
- Search for 'Apache Status' in the search bar or navigate to 'Server Status' > 'Apache Status'.
- Examine the list of IP connections to see real-time access and resource utilization.
Note: 'Apache Status' provides a snapshot of active connections, allowing you to monitor traffic and understand which IPs are consuming server resources.
Blocking IP Addresses in WHM with CSF
To block IP addresses within WHM using the CSF plugin:
- Scroll down to the 'Plugins' section on the WHM home screen.
- Click on 'ConfigServer Security & Firewall'.
- In the 'csf - Quick Deny' section, enter the offending IP address and an optional comment for reference.
- Click 'Quick Deny' to block the IP address.
It’s important to provide a comment for documentation purposes, especially if multiple administrators access the firewall settings.
Blocking IP Addresses via SSH
You can also block IP addresses directly from the command line using SSH:
netstat -ntu | grep ESTABLISHED | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nThis command sequence performs the following actions:
- netstat -ntu: Lists all network connections using TCP and UDP protocols.
- grep ESTABLISHED: Filters the list to show only established connections.
- awk '{print $5}': Extracts the fifth field, typically the foreign address (IP:port).
- cut -d: -f1: Removes the port number, leaving just the IP address.
- sort | uniq -c | sort -n: Sorts the IP addresses and counts unique occurrences, ordering them numerically.
After identifying the IP addresses, use the following command to block them:
csf -d IP_ADDRESS "Reason for the block"Replace IP_ADDRESS with the actual IP you intend to block, and include a reason for your records. Once done, apply the changes:
csf -rIf you have any further questions or require assistance with the process, feel free to contact support.
