This WordPress blog is decently protected from bots/hackers (read more at Securing this WordPress blog from evil hackers!) but I still get a ton of attempts on the site. Wordfence can block requests at the application layer but as I grow in traffic, I want to make sure CPU cycles aren’t wasted. Thus, I want to block some of these bots/hackers from even connecting to the server. I use Ubuntu, and UFW (Uncomplicated FireWall) is included. It’s pretty simple so I’ve stuck with it.
Blocking IPv4 is easy:
sudo ufw insert 1 deny from 22.214.171.124 comment "repeated unwanted hits on sdrforums.com"
The command broken down:
- sudo – run as root since firewall modification requires root access
- ufw – run the uncomplicated firewall program
- insert – add a rule
- 1 – insert at the top of the rule list (firewalls evaluate rules from the top down – putting a deny after an allow would mean the traffic wouldn’t be blocked)
- deny – deny the request
- from – from the following IP
- 126.96.36.199 – IP address
- comment – so you can leave a comment to remind yourself why the rule is in place (“unwanted hits on site.com”, “change request #123456”, “incident remedy #44444”, etc.)
Blocking IPv6 with UFW
So I tried the same command format with an IPv6 address and got an error message – “ERROR: Invalid position ‘1’”. I’ve never got that message before. Also, I do realize I need to widen this IPv6 subnet and block a much larger range of IPs but that’s a topic for a different day.
sudo ufw insert 1 deny from 2400:adc5:11f:5600:e468:9464:e881:b1c0 comment "repeated unwanted hits on sdrforums.com" ERROR: Invalid position '1'
My rule list at the time looked like this:
austin@rn-nyc-01:~$ sudo ufw status numbered Status: active To Action From -- ------ ---- [ 1] Anywhere DENY IN 188.8.131.52 # repeated unwanted hits on sdrforums.com [ 2] Anywhere DENY IN 184.108.40.206 # repeated unwanted hits on sdrforums.com [ 3] Anywhere DENY IN 220.127.116.11 # excessive hits to wp-login and xmlrpc [ 4] 22/tcp ALLOW IN Anywhere [ 5] 80/tcp ALLOW IN Anywhere [ 6] 443/tcp ALLOW IN Anywhere [ 7] 22/tcp (v6) ALLOW IN Anywhere (v6) [ 8] 80/tcp (v6) ALLOW IN Anywhere (v6) [ 9] 443/tcp (v6) ALLOW IN Anywhere (v6)
Pretty easy to understand what’s going on here. I have a few IPv4 addresses blocked, but nothing specific to IPv6. A bit of searching later and I learned that the first IPv6 rule needs to come after the last IPv4 rule. So in this case I needed to add the rule to position #7, since that is where the first IPv6 rule current is located:
austin@rn-nyc-dotnet-01:~$ sudo ufw insert 7 deny from 2400:adc5:11f:5600:e468:9464:e881:b1c0 comment "repeated unwanted hits on sdrforums.com" Rule inserted (v6)
And it worked!
My UFW status is now this:
The post that started me in the right direction is here – https://joshtronic.com/2015/09/06/error-invalid-position-1/. Thank you Josh for posting about this! Stackoverflow wasn’t actually helpful for once.