How to block potential attackers on my server

Automated probes continuously check large parts of the internet trying to determine what your server is running, what software powers it and which versions.

Some of those probes are for valid research purposes and others are less benign and a precursor to attempts to exploit known vulnerabilities in the software.

When your server and software are kept up to date and patched, that is more of a nuisance than a big security risk IMHO.

In general the tooling to detect such probes is an "intrusion detection system" or IDS, which is often coupled with an "intrusion prevention system".

Wikipedia lists a bunch of suitable tools in the IDS entry; a common choice in this scenario is fail2ban.

When your development system is public and online rather than blocking specific "bad IP-addresses" the common approach is the opposite:

  • a blanket "deny all" on all IP-addresses
  • grant access only to the limited number of "known good IP-addresses" that currently need access.

Depending on where your system is hosted, that can be achieved with

  • an access policy enforced in an external firewall and/or with security groups
  • by access policies on the server itself:
    • a host based firewall
    • application specific access controls, either based on IP and/or other authentication, like in Apache: https://httpd.apache.org/docs/2.4/howto/access.html

Note that with the latter, when the application enforces the access control policy, those actions will usually still be logged and recorded in your application's log files.
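As an added example that is not part of the original answer: a POSIX shell script that turns one allowlist into both of the server-side controls mentioned above, a host-based firewall ruleset for nftables with a default "drop" policy, and a matching Apache `Require ip` block. The addresses in the allowlist are constructed sample data, the exposed TCP ports (22 and 443) and the function names are assumptions, and the script only prints the generated configuration so it can be reviewed before anything is loaded.

```shell
#!/bin/sh
# Added example: "deny all, then allow known-good addresses" rendered as
# (1) an nftables ruleset and (2) an Apache access-control snippet.
# ALLOWED_SRC is a constructed sample allowlist (RFC 5737 documentation
# ranges); the ports and function names are assumptions, not from the answer.

ALLOWED_SRC="203.0.113.10 198.51.100.0/24"
ALLOWED_TCP_PORTS="22, 443"

# join_csv <space-separated items> -> "a, b, c"
join_csv() {
    out=""
    for item in $1; do
        out="${out:+$out, }$item"
    done
    printf '%s' "$out"
}

# gen_nft_ruleset <sources> <tcp ports>
# Prints a complete nft ruleset: default policy drop on input, accept only
# established/related traffic, loopback, and new connections from the set.
gen_nft_ruleset() {
    set_body=$(join_csv "$1")
    ports=$2
    cat <<EOF
flush ruleset
table inet filter {
    set known_good {
        type ipv4_addr
        flags interval
        elements = { ${set_body} }
    }
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept
        ip saddr @known_good tcp dport { ${ports} } ct state new accept
        icmp type echo-request limit rate 5/second accept
        log prefix "nft-drop: " counter drop
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# gen_apache_require <sources>
# Prints an Apache 2.4 access-control block for the whole site that admits
# only the allowlisted addresses; denied requests still appear in the
# Apache error/access logs, as the answer points out.
gen_apache_require() {
    cat <<EOF
<Location "/">
    Require ip $1
</Location>
EOF
}

# Stand-alone run: show both generated configurations.
gen_nft_ruleset "$ALLOWED_SRC" "$ALLOWED_TCP_PORTS"
echo
gen_apache_require "$ALLOWED_SRC"
```

Save the nftables output to a file and check it with `nft -c -f rules.nft` before loading it, and load it from a session that also has out-of-band (console) access: with a default-drop policy, any address missing from the set, including your own, is locked out the moment the ruleset is applied.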