In systems administration, knowing the commands to add or remove a blackhole (nullroute) for a host or problematic IP address can be very useful. In this short tutorial, we'll cover exactly how to do this on nearly any type of Linux OS.
How to add a blackhole nullroute:
For this example, let’s assume that we are receiving unwanted SSH login attempts from 192.168.0.195.
root@server:~# netstat -na | grep :22
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 192.168.0.197:22 192.168.0.195:57776 ESTABLISHED
To add the blackhole for 192.168.0.195:
root@server:~# ip route add blackhole 192.168.0.195/32
To verify that the route is in place, we will use “ip route show”:
root@server:~# ip route show
default via 192.168.0.1 dev eth0 metric 100
blackhole 192.168.0.195
Subsequently, connections to and from that IP will fail:
root@attacker:~$ ssh 192.168.0.2
ssh: connect to host 192.168.0.2 port 22: No route to host
Removing a blackhole:
Typically, blackholes are useful when your server is under attack. Once the attack has subsided, or whenever you wish to remove the blackhole, you can do so as follows:
root@server:~# ip route del 192.168.0.195
root@server:~# ip route show
default via 192.168.0.1 dev eth0 metric 100
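The commands above handle one address at a time. The following added example (not part of the original article) goes a step further and turns a list of addresses or CIDR ranges into input for `ip -batch`, refusing malformed entries and any range that would cut off an address you still need. The function names, the `PROTECTED` list and the sample entries are assumptions made for illustration.

```sh
# Added example, not from the article: build `ip -batch` input from a blocklist.
# Function names and the PROTECTED list are assumptions made for illustration.
PROTECTED="192.168.0.1 192.168.0.197"  # gateway and server from the article's output

# ip2int A.B.C.D: print the address as an integer; fail on malformed input.
ip2int() {
    case $1 in *[!0-9.]*|*..*|.*|*.) return 1;; esac
    old=$IFS; IFS=.; set -- $1; IFS=$old
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in 0?*|????*) return 1;; esac   # no leading zeros, at most 3 digits
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# normalize ENTRY: print ADDR/LEN (a bare address gets /32). Refuses prefixes
# shorter than /8 and entries with host bits set.
normalize() {
    case $1 in */*) a=${1%/*}; l=${1#*/};; *) a=$1; l=32;; esac
    case $l in ''|*[!0-9]*|0?*|???*) return 1;; esac
    [ "$l" -ge 8 ] && [ "$l" -le 32 ] || return 1
    n=$(ip2int "$a") || return 1
    [ $(( n & (0xFFFFFFFF >> l) )) -eq 0 ] || return 1
    echo "$a/$l"
}

# covers ADDR/LEN HOST: succeed if HOST lies inside the prefix.
covers() {
    m=$(( (0xFFFFFFFF << (32 - ${1#*/})) & 0xFFFFFFFF ))
    [ $(( $(ip2int "${1%/*}") & m )) -eq $(( $(ip2int "$2") & m )) ]
}

# build_batch: read entries on stdin, print one batch line per safe entry.
# `route replace` instead of `route add` makes re-running a revised list safe.
build_batch() {
    while read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "${line%%#*}" | tr -d ' \t\r')
        [ -n "$line" ] || continue
        cidr=$(normalize "$line") || { echo "skip invalid: $line" >&2; continue; }
        for p in $PROTECTED; do
            if covers "$cidr" "$p"; then echo "skip $cidr: covers $p" >&2; continue 2; fi
        done
        echo "route replace blackhole $cidr"
    done
}

# Constructed sample list. Dry run: sample_list | build_batch
sample_list() { printf '%s\n' '# demo' 192.168.0.195 203.0.113.0/24 192.168.0.0/24 0.0.0.0/0 10.1.2.300; }
```

Review the dry-run output first, then apply it as root with `build_batch < blocklist.txt | ip -batch -` (the file name is a placeholder).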
Why not just use fail2ban?
@Jacob: Why not just write us a tutorial on using fail2ban to block ALL network traffic to a server.
Thank you for the article. Very helpful.
Can I upload like 50,000 CIDR ranges from a file to be routed to blackhole instead of using FireWall IPTABLES?
If so, what would be the SSH CLI command to do so, given I upload a file.txt to the directory, and that file lists CIDR-type IP ranges one below the other (no comma?), with single IPs getting /32 notation: X.X.X.X/32?
What would be a command to dump all?
To run again on a revised file?
Can this technique be used to block an ISP using its source code, as AS4444?
What is its record limit, if any?
What resources does it use uploading to server memory?