### 1在防火墙封
cat /etc/sysconfig/iptables
##
# Firewall configuration written by system-config-firewall
2 # Manual customization of this file is not recommended.
3 *filter
4 :INPUT ACCEPT [0:0]
5 :FORWARD ACCEPT [0:0]
6 :OUTPUT ACCEPT [0:0]
7 #-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
8 -A INPUT -p tcp -m tcp --dport 8084 -j ACCEPT
9 -A INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT
28 -A INPUT -s 182.118.33.6 -p TCP --dport 80 -j REJECT
29 -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
30 -A INPUT -p tcp -m tcp --dport 873 -j ACCEPT
31 -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
32 -A INPUT -p udp -m udp --dport 161 -j ACCEPT
33 #-A INPUT -p icmp -j REJECT
34 -A INPUT -p tcp -m tcp --dport 11211 -j ACCEPT
35 -A INPUT -p tcp -m tcp --dport 5666 -j ACCEPT
36 -A INPUT -p tcp -m tcp --dport 5901 -j ACCEPT
37 -A INPUT -p tcp -m tcp --dport 2049 -j ACCEPT
38 -A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
39 -A INPUT -p tcp -m tcp --dport 9999 -j ACCEPT
48 COMMIT
要封ip 直接 复制一行 -A INPUT -s 182.118.33.6 -p TCP --dport 80 -j REJECT 改ip就行了 然后重启 /etc/init.d/iptables restart
cat access.log |awk '{print $1}'| sort | uniq -c |sort -nr |less
### 2apache配置文件封ip,拒绝访问
<Directory "/var/www">
Options All
AllowOverride None
Order Deny,Allow
Deny From all
Allow From 192.168.0.0/24
Allow From 127.0.0.1
Allow From 59.37.x.x/28
</Directory>
上面这一段的意思是对/var/www目录下面的文件,只允许从192.168.0/24 和 127.0.1、59.37.x.x/28这几个IP段内的用户访问.
下面的这一段与上面的刚好相反,禁止从192.168.0 和 127.0.1这两个字段内的用户访问.
<Directory "/var/www">
Options All
AllowOverride None
Order Deny,Allow
Allow From all
Deny From 192.168.0
Deny From 127.0.0.1
</Directory>
这里可以用include把想要限制访问的ip或者想要允许的ip写在一个文件里,把它包含进来,这样方便修改,例如
<Directory "/var/www">
Options All
AllowOverride None
Order Deny,Allow
Deny From all
include conf/ip.conf
</Directory>
然后在ip.conf中增加想要allow的ip,比如:
Allow From 192.168.0.0/24
Allow From 127.0.0.1
Allow From 59.37.x.x/28
这样方便以后修改