I read an interesting piece about securing servers written by Greg Bledsoe in LinuxJournal. I thought I would try it out, and it turns out that it needed a few massages to make it run on my Mageia 5 system.
There are two parts to his approach. The first is a short script that runs as rc.local; that file does not exist in Mageia, but it will be run properly at boot if you create it as /etc/rc.d/rc.local.
#!/bin/sh
#/etc/rc.d/rc.local
#REF: http://www.linuxjournal.com/content/server-hardening?page=0,2
#create the ipset hash that holds the blocked networks, then an iptables rule
#at the top of INPUT that drops any packet whose source matches the set
/usr/sbin/ipset create blocklist hash:net
/usr/sbin/iptables -I INPUT 1 -m set --match-set blocklist src -j DROP
This file should be owned by root with 700 permissions.
Once you create it, execute it manually, because the set it creates must exist before you run the script that collects the blocklists.
I put the blocklist collection script in /usr/local/bin. You will need to create the directory /usr/local/bin/tmp because the script wants to keep its temporary files there.
#!/bin/bash
#/usr/local/bin/getblocklist
# REF: http://www.linuxjournal.com/content/server-hardening?page=0,2
PATH=$PATH:/sbin
# Work relative to the script's own directory (/usr/local/bin), not the
# caller's current directory, so the tmp directory is found when cron runs it.
WD=$(cd "$(dirname "$0")" && pwd)
TMP_DIR=$WD/tmp
IP_TMP=$TMP_DIR/ip.temp
IP_BLOCKLIST=$WD/ip-blocklist.conf
IP_BLOCKLIST_TMP=$TMP_DIR/ip-blocklist.temp
# Wizcrafts lists fetched in the second loop below
list="chinese nigerian russian lacnic exploited-servers"
BLOCKLISTS=(
"http://www.projecthoneypot.org/list_of_ips.php?t=d&rss=1" # Project Honey Pot Directory of Dictionary Attacker IPs
"http://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.1.1.1" # TOR Exit Nodes
"http://www.maxmind.com/en/anonymous_proxies" # MaxMind GeoIP Anonymous Proxies
"http://danger.rulez.sk/projects/bruteforceblocker/blist.php" # BruteForceBlocker IP List
"http://rules.emergingthreats.net/blockrules/rbn-ips.txt" # Emerging Threats - Russian Business Networks List
"http://www.spamhaus.org/drop/drop.lasso" # Spamhaus Dont Route Or Peer List (DROP)
"http://cinsscore.com/list/ci-badguys.txt" # C.I. Army Malicious IP List
"http://www.openbl.org/lists/base.txt" # OpenBLOCK.org 30 day List
"http://www.autoshun.org/files/shunlist.csv" # Autoshun Shun List
"http://lists.blocklist.de/lists/all.txt" # blocklist.de attackers
)
cd "$TMP_DIR" || exit 1
# This gets the various lists
for i in "${BLOCKLISTS[@]}"
do
    curl "$i" > "$IP_TMP"
    # Keep only IPv4 addresses and CIDR blocks from whatever the page returned
    grep -Po '(?:\d{1,3}\.){3}\d{1,3}(?:/\d{1,2})?' "$IP_TMP" >> "$IP_BLOCKLIST_TMP"
done
for i in $list; do
    # This section gets wizcrafts lists
    wget --quiet "http://www.wizcrafts.net/$i-iptables-blocklist.html"
    # Grep out all but ip blocks
    grep -v '<' "$i-iptables-blocklist.html" | grep -v ':' | grep -v ';' | grep -v '#' | grep '[0-9]' > "$i.txt"
    # Consolidate blocks into master list
    cat "$i.txt" >> "$IP_BLOCKLIST_TMP"
done
sort -n "$IP_BLOCKLIST_TMP" | uniq > "$IP_BLOCKLIST"
rm "$IP_BLOCKLIST_TMP"
wc -l "$IP_BLOCKLIST"
# Replace the contents of the set with the fresh list, skipping comments and blank lines
ipset flush blocklist
egrep -v "^#|^$" "$IP_BLOCKLIST" | while IFS= read -r ip
do
    ipset add blocklist "$ip"
done
#cleanup (the :? guard refuses to run if TMP_DIR is somehow empty)
rm -fR "${TMP_DIR:?}"/*
exit 0
This file should be owned by root with 700 permissions.
Check your script and remove the "↪" symbols, reconnecting each wrapped fragment to the line above it.
Now execute the script manually. It should run and exit, creating the blockhost.conf file that the first script above will execute.
The final step is to add the second script to your crontab so that it runs once a day.
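The collection script trusts whatever the regex pulls out of each download and then flushes the live set and refills it one address at a time. The following is an added example, not code from the original post or from Bledsoe's article, that validates each extracted entry and builds an ipset restore file for a staging set; the set name blocklist_new and the embedded sample list text are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post or Bledsoe's article:
# validate what the IP regex extracts and load it via `ipset restore` into a
# staging set, instead of flushing the live set and adding one address at a time.

# Constructed sample of fetched list text: real entries mixed with HTML, a
# version string, an out-of-range octet, an impossible prefix and a duplicate.
SAMPLE='<tr><td>203.0.113.7</td></tr>
198.51.100.0/24
v2.10.999.1 release notes
192.0.2.300
10.0.0.0/33
203.0.113.7'

# Pull anything shaped like an IPv4 address or CIDR block out of stdin
# (POSIX ERE with the same intent as the article's grep -Po pattern).
extract_blocks() {
    grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?'
}

# Succeed only if $1 is a well-formed IPv4 address or CIDR block: exactly four
# octets in 0-255 and, if present, a prefix length in 0-32. Runs in a subshell
# so the IFS change and the positional parameters stay local.
valid_entry() (
    addr=${1%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32
    [ "$prefix" -le 32 ] 2>/dev/null || exit 1
    IFS=.
    set -- $addr
    [ $# -eq 4 ] || exit 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] 2>/dev/null || exit 1
    done
    exit 0
)

# Read raw list text on stdin; write an ipset restore script that fills the
# staging set named in $1 (assumed name: blocklist_new) with the validated,
# de-duplicated entries.
build_restore() {
    printf 'create %s hash:net\n' "$1"
    extract_blocks | sort -u | while IFS= read -r entry; do
        if valid_entry "$entry"; then
            printf 'add %s %s\n' "$1" "$entry"
        fi
    done
}
```

Run as root with `build_restore blocklist_new < all.txt | ipset -exist restore`, then `ipset swap blocklist_new blocklist` and `ipset destroy blocklist_new`, so the live set is replaced in a single step rather than sitting empty while the loop refills it.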
All Done. Remember to read the entire article.
REFERENCE: Server Hardening by Greg Bledsoe