Skip to main content

Using a Blocklist File With Iptables

I read an interesting piece about securing servers written by Greg Bledsoe in LinuxJournal. I thought I would try it out and it turns out that it needed a few massages to make it run on my Mageia5 system.

There are two parts to his approach, a short script that runs as rc.local, which file does not exist in Mageia, but will be properly run if you create it in /etc/rc.d/rc.local.

#!/bin/sh
#/etc/rc.d/rc.local
#REF: http://www.linuxjournal.com/content/server-hardening?page=0,2
#create iptables blocklist rule and ipset hash
/usr/sbin/ipset create blocklist hash:net
/usr/sbin/iptables -I INPUT 1 -m set --match-set blocklist 
↪src -j DROP

This file owner should be root with 700 permissions.

Once you create it, you should execute it manually because that needs to be done before you run the script to collect the blocklists.

I put the blocklist collection script in /usr/local/bin. You will need to create the directory /usr/local/bin/tmp because the script wants to keep its temporary files there.


#!/bin/bash
#/usr/local/bin/getblocklist
# REF: http://www.linuxjournal.com/content/server-hardening?page=0,2

PATH=$PATH:/sbin
WD=`pwd`
TMP_DIR=$WD/tmp
IP_TMP=$TMP_DIR/ip.temp
IP_BLOCKLIST=$WD/ip-blocklist.conf
IP_BLOCKLIST_TMP=$TMP_DIR/ip-blocklist.temp
list="chinese nigerian russian lacnic exploited-servers"
BLOCKLISTS=(
"http://www.projecthoneypot.org/list_of_ips.php?t=d&rss=1" # Project 
 ↪Honey Pot Directory of Dictionary Attacker IPs
"http://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.1.1.1"  
 ↪# TOR Exit Nodes
"http://www.maxmind.com/en/anonymous_proxies" # MaxMind GeoIP 
 ↪Anonymous Proxies
"http://danger.rulez.sk/projects/bruteforceblocker/blist.php" 
 ↪# BruteForceBlocker IP List
"http://rules.emergingthreats.net/blockrules/rbn-ips.txt" 
 ↪# Emerging Threats - Russian Business Networks List
"http://www.spamhaus.org/drop/drop.lasso" # Spamhaus Dont Route 
 ↪Or Peer List (DROP)
"http://cinsscore.com/list/ci-badguys.txt" # C.I. Army Malicious 
 ↪IP List
"http://www.openbl.org/lists/base.txt"  # OpenBLOCK.org 30 day List
"http://www.autoshun.org/files/shunlist.csv" # Autoshun Shun List
"http://lists.blocklist.de/lists/all.txt" # blocklist.de attackers
)

cd  $TMP_DIR
# This gets the various lists
for i in "${BLOCKLISTS[@]}"
do
    curl "$i" > $IP_TMP
    grep -Po '(?:\d{1,3}\.){3}\d{1,3}(?:/\d{1,2})?' $IP_TMP >> $IP_BLOCKLIST_TMP
done
for i in `echo $list`; do
    # This section gets wizcrafts lists
    wget --quiet http://www.wizcrafts.net/$i-iptables-blocklist.html
    # Grep out all but ip blocks
    cat $i-iptables-blocklist.html | grep -v \< | grep -v \: | grep -v \; | grep -v \# | grep [0-9] > $i.txt
    # Consolidate blocks into master list
    cat $i.txt >> $IP_BLOCKLIST_TMP
done

sort $IP_BLOCKLIST_TMP -n | uniq > $IP_BLOCKLIST
rm $IP_BLOCKLIST_TMP
wc -l $IP_BLOCKLIST

ipset flush blocklist
egrep -v "^#|^$" $IP_BLOCKLIST | while IFS= read -r ip
do
        ipset add blocklist $ip
done

#cleanup
rm -fR $TMP_DIR/*

exit 0

This file owner should be root with 700 permissions.

Check your script and remove the " ↪" symbols, re-connecting the comments to the line above them.

Now manually execute the script. It should run and exit, creating the blockhost.conf file that the first script above will execute.

The final step is to add the second script in your crontab to run once a day.

All Done. Remember to read the entire article.

Comments

Popular posts from this blog

DOS4GW.EXE Version 2.01a and Alternative DOS Extenders

DOS4GW.EXE The Tenberry DOS extender DOS4GW.EXE was used by many early DOS games. I still enjoy playing many of these games and DOS4GW.EXE is usable with DOSBox , so they can be played on Linux. However, the version of DOS4GW.EXE that was included with the game was whatever was current at the time. The most recent version that includes many bugfixes that possibly affected the games when used with DOSBox have been fixed in the latest version, 2.01a. It's not free at US$49, but you can downloaded it here . Simply substitute it for whatever version of DOS4GW.EXE your game provided and enjoy the bug-fixed goodness. Tenberry also makes a "high-performance" "pro" version of DOS4GW.EXE, but it costs $300. I think that they could sell quite a few of these to hobby users (since, you know, DOS is dead) for US$5. Open Souce to the Rescue There are better performing, free and Open Source alternatives available and worth a look. DPMI Explained Let's unders...

Unpack those .EXE game files from GOG.com (Plus other un-packers)

I just came upon innoextract today. I have many of the wonderful games from GOG.com, some of which have native Linux Clients. Before now, I've had to use PlayOnLinux or Crossover to install these for use with WINE, then add the Linux client. InnoSetup as a way to create an installer to install the games on Windows.  Daniel Scharrer has created innoextract to allow the unpacking of those archives on a non-Windows platform. The website provides information on using innoextract , but this information from the page is very useful: GOG.com Installers GOG.com installers with a 2.x.x version number on the download page or in the filename use InnoSetup 5.5.0 and cannot be extracted by innoextract 1.2 and older. Older installers use InnoSetup 5.2.3 and usually have no version in the filename. Some GOG.com multi-part installers with version 2.1.x or higher use RAR archives (renamed to .bin) to store the game data. These files are not part of the InnoSetup installer and require...

Lighttpd and Simple Virtual Hosts Configuration.

I manage some websites for car clubs I belong to. They had been paying for web hosting and had some volunteers who knew not quite enough about maintaining and administrating the sites. Having some prior experience with similar small club sites, I volunteered to host them and admin them. With the first site, the pages were a train wreck of PHP and making even a small change on the existing pages caused the site to crash. Way back around the turn of the last century, I had a few Linux user’s groups that wanted a website, so I worked with Cynthia Manuel of Flamingo Internet Navigators to make a template for a web site that would be easy to maintain and easy to add static content. She developed templates that relied on Server Side Includes (SSI) and Cascading Style Sheets (CSS) to make administration and content additions simple and easy, so I ported all the content over to that template and hosted the site myself. Later, another car club needed the same assistance and I ported it ov...