Centos – log connection attempts from an IP blocked by iptables

centos iptables

I blocked an abusive IP from a CentOS server using iptables, dropping all connection attempts on all services / ports.

As is the way of things, the server with this IP may have been part of a botnet, and may have been cleaned in the time since I blocked it. I would like to find out if it's still trying to attack the server, so I can decide whether to unblock the IP… without unblocking it first.

I have tried searching through /var/log for anything that looks like iptables, grepped /var/log/secure for the offending IP, but have turned up nothing.

Is there a log of dropped connection attempts for iptables, or a way to configure the rule to log attempts but still drop them?

Best Answer

In addition to the other answers, iptables -v -L lists the counts of packets and bytes that traverse a given rule, so you can see how much traffic you're dropping, and it wouldn't be too hard to write a tool that parses and reports that info.
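A sketch of the kind of tool the answer describes, added here as an example and not part of the original answer: it parses `iptables -L INPUT -v -n -x` output and compares two snapshots, so a blocked source whose DROP counter keeps growing is still sending traffic. The function names and the sample listings (using the documentation address 203.0.113.7) are constructed for illustration; `-n -x` is assumed so that addresses and counters are printed as exact numbers.

```python
import subprocess

# Constructed sample listings, taken some time apart (not real output from the page).
SAMPLE_BEFORE = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      42     2520 DROP       all  --  *      *       203.0.113.7          0.0.0.0/0
     900   123456 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""
SAMPLE_AFTER = SAMPLE_BEFORE.replace("      42     2520", "      57     3420")

def parse_drop_counters(listing):
    """Map source -> (packets, bytes) for DROP rules in `iptables -L -v -n -x` output."""
    counters = {}
    for line in listing.splitlines():
        fields = line.split()
        # Rule rows: pkts bytes target prot opt in out source destination [...]
        # Without -x the counters may read "12K", fail isdigit() and be skipped.
        if len(fields) < 9 or not fields[0].isdigit() or fields[2] != "DROP":
            continue
        pkts, nbytes, source = int(fields[0]), int(fields[1]), fields[7]
        old_pkts, old_bytes = counters.get(source, (0, 0))
        counters[source] = (old_pkts + pkts, old_bytes + nbytes)
    return counters

def new_drops(before, after):
    """Packets dropped per source between two snapshots."""
    delta = {}
    for source, (pkts, _) in after.items():
        prev = before.get(source, (0, 0))[0]
        # A smaller counter means it was zeroed (iptables -Z, reboot):
        # everything counted since the reset is new.
        delta[source] = pkts - prev if pkts >= prev else pkts
    return delta

def snapshot(chain="INPUT"):
    """Read live counters; needs root on the firewall host."""
    result = subprocess.run(["iptables", "-L", chain, "-v", "-n", "-x"],
                            check=True, capture_output=True, text=True)
    return parse_drop_counters(result.stdout)

if __name__ == "__main__":
    before = parse_drop_counters(SAMPLE_BEFORE)
    after = parse_drop_counters(SAMPLE_AFTER)
    for source, pkts in new_drops(before, after).items():
        state = "still sending" if pkts else "quiet"
        print(f"{source}: {pkts} new dropped packets ({state})")
```

On a live host, call `snapshot()` twice with a delay in between and pass both results to `new_drops()`; a delta of zero over a long enough window suggests the source has gone quiet.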
