ANS Documentation


Checking if an IP has been blocked

Threat Monitoring can detect incoming attacks in real time and proactively block them, minimising the risk of compromise. This is achieved through the use of iptables and hosts.deny on Linux, and Windows Firewall on Windows systems.

Linux

If you need to check whether an attacking IP has been blocked, or whether an IP address has been blocked unintentionally, you can run the command below on a Linux system to check this with one of our scripts:

wget https://git.thmon.ukfast.co.uk/threatmon-public/threat-monitoring-scripts/raw/master/check-block-status.sh && bash check-block-status.sh {IP TO CHECK}

If you’d like to automatically remove the IP from the block list, specify --remove-found when using the script, like below:

wget https://git.thmon.ukfast.co.uk/threatmon-public/threat-monitoring-scripts/raw/master/check-block-status.sh && bash check-block-status.sh {IP TO CHECK} --remove-found
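
A manual version of the same check against the two Linux block mechanisms named above, iptables and hosts.deny, as an added example that is not the check-block-status.sh script. The function name find_block, the file names and the sample rule and hosts.deny formats are assumptions constructed for illustration, and the addresses are documentation-range IPs.

```shell
#!/bin/sh
# Added example, not the ANS check-block-status.sh script.
# find_block IP RULES_FILE HOSTS_DENY_FILE
# Prints "iptables" and/or "hosts.deny" (one per line) for each place the
# exact IPv4 address is blocked; prints nothing if it is not blocked.
find_block() {
    # Escape the dots so 198.51.100.7 cannot match 198.51.100.70.
    re=$(printf '%s' "$1" | sed 's/\./\\./g')
    # `iptables -S` lists a single-host source as IP/32 before the target.
    if grep -Eq -e "-s ${re}(/32)? .*-j (DROP|REJECT)" "$2"; then
        echo iptables
    fi
    # hosts.deny: skip comments, then match the IP as a whole list entry.
    if grep -Ev '^[[:space:]]*#' "$3" |
        grep -Eq "(^|[,:[:space:]])${re}([,:[:space:]]|\$)"; then
        echo hosts.deny
    fi
}

# Constructed sample data, so the example runs without root. On a live host:
#   iptables -S > rules.txt; find_block 203.0.113.7 rules.txt /etc/hosts.deny
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/rules.txt" <<'EOF'
-P INPUT ACCEPT
-A INPUT -s 203.0.113.7/32 -j DROP
-A FORWARD -s 203.0.113.7/32 -j DROP
-A INPUT -s 198.51.100.70/32 -j DROP
-A INPUT -s 192.0.2.10/32 -p tcp -m tcp --dport 22 -j ACCEPT
EOF
cat > "$tmp/hosts.deny" <<'EOF'
# ALL:192.0.2.10
ALL:203.0.113.7
ALL:192.0.2.55
EOF

for ip in 203.0.113.7 198.51.100.70 198.51.100.7 192.0.2.55 192.0.2.10; do
    where=$(find_block "$ip" "$tmp/rules.txt" "$tmp/hosts.deny" | tr '\n' ' ')
    printf '%s: %s\n' "$ip" "${where:-not blocked}"
done
```

The match is exact-address only: a block expressed as a CIDR range in iptables or as a network prefix in hosts.deny will not be reported for an IP inside that range.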

Windows

To check if an IP has been blocked in Windows, follow the steps below.

Open the Windows Firewall configuration utility. This can be found by searching for “Windows Firewall with Advanced Security”.

Click “Inbound Rules” in the left pane.

You should now be able to see all the incoming firewall rules.

Look for any rules with the name “WAZUH ACTIVE RESPONSE BLOCKED IP” and check the ‘Remote Address’ column to see if the IP in question has been blocked.

If you’d like to remove an IP from the blocklist, you can right-click the rule that is enforcing the block and click Delete, confirming by pressing Yes.


© ANS Group Limited | Terms and Conditions | Corporate Guidance | Sitemap
ANS Group Limited, registered in England and Wales, company registration number 03176761, registered office 1 Archway, Birley Fields, Manchester M15 5QJ