UPDATE: http://blog.schaal-24.de/?p=2683&lang=en
I use some blocklists from blocklist.de to minimize potential attacks.
Every list contains one IP per line, so the lists can easily be added to the firewall using xt_recent. I use a simple Bash script which runs daily via cron to compare my firewall with the lists.
Some definitions for the script:
BLOCKLIST
defines the individual lists from blocklist.de.
OPT_RECENT
contains the options for the recent match. --update means "I don't want to see you for n seconds, but if I see you again during this time, I'll block you again" (every hit resets the timer), while --rcheck only means "I'll block you for n seconds" (the timer is not reset).
OPT_CHAIN_PREFIX
is just the prefix for the jails.
MAX_IP
defines the maximum number of IP addresses stored by xt_recent. By default xt_recent stores only 100 IP addresses.
If one or more of the rules is not already present, the script adds the rule to your firewall.
So that not every IP is blocked for all services, you can adjust the ports (--dports).
See the script below, or simply download it.
```bash
#!/bin/bash
# Script to add banlists to the firewall
#
# Created: 02/17/2013
# Version: 1.0
# Author: Florian Schaal (info@schaal-24.de)
#
# Copyright (c) 2012 Florian Schaal (info@schaal-24.de.)
# All rights reserved.
#
# This script is free software
# you can redistribute it and/or modify it under
# the terms of the GNU General Public License.
# See http://www.fsf.org/licensing/licenses/gpl.html
#
# This script is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY;
# without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

# binaries
IPTABLES=$(which iptables)
WGET=$(which wget)

# CONFIG
# lists from http://www.blocklist.de/en/export.html
BLOCKLIST="all ssh mail apache imap ftp sip bots strongips ircbot"
BLOCKLIST_URL="http://lists.blocklist.de/lists"

# options for recent
OPT_RECENT="--update --seconds 86400 --hitcount 1"
OPT_CHAIN_PREFIX="block"
OPT_ACTION="-j REJECT"
MAX_IP=10000

# insert the given rule into INPUT unless it is already present
check_chain () {
    if ! $IPTABLES -C INPUT $1 2>/dev/null; then
        echo "insert rule for chain in INPUT"
        $IPTABLES -I INPUT $1
    fi
}

# create the chain for a list if needed and make sure its rule exists
check_chain_exists () {
    if ! $IPTABLES -n -L $OPT_CHAIN_PREFIX-$1 >/dev/null 2>&1; then
        echo "create new chain: $OPT_CHAIN_PREFIX-$1"
        $IPTABLES -N $OPT_CHAIN_PREFIX-$1
    fi
    case "$1" in
    all)
        check_chain "-m recent $OPT_RECENT --name $OPT_CHAIN_PREFIX-all $OPT_ACTION"
        ;;
    ssh)
        check_chain "-m tcp -p tcp --dport 22 -m recent $OPT_RECENT --name $OPT_CHAIN_PREFIX-$1 $OPT_ACTION"
        ;;
    mail)
        check_chain "-m multiport -p tcp --dports 25,143,993,110,995 -m recent $OPT_RECENT --name $OPT_CHAIN_PREFIX-$1 $OPT_ACTION"
        ;;
    apache)
        check_chain "-m multiport -p tcp --dports 80,443 -m recent $OPT_RECENT --name $OPT_CHAIN_PREFIX-$1 $OPT_ACTION"
        ;;
    imap)
        check_chain "-m multiport -p tcp --dports 143,993,110,995 -m recent $OPT_RECENT --name $OPT_CHAIN_PREFIX-$1 $OPT_ACTION"
        ;;
    ftp)
        check_chain "-m tcp -p tcp --dport 21 -m recent $OPT_RECENT --name $OPT_CHAIN_PREFIX-$1 $OPT_ACTION"
        ;;
    sip)
        check_chain "-m tcp -p tcp --dport 5060 -m recent $OPT_RECENT --name $OPT_CHAIN_PREFIX-$1 $OPT_ACTION"
        ;;
    bots)
        check_chain "-m multiport -p tcp --dports 194,994,529,5060 -m recent $OPT_RECENT --name $OPT_CHAIN_PREFIX-$1 $OPT_ACTION"
        ;;
    strongips)
        check_chain "-m recent $OPT_RECENT --name $OPT_CHAIN_PREFIX-$1 $OPT_ACTION"
        ;;
    ircbot)
        check_chain "-m multiport -p tcp --dports 194,994,529 -m recent $OPT_RECENT --name $OPT_CHAIN_PREFIX-$1 $OPT_ACTION"
        ;;
    *)
        check_chain "-m recent $OPT_RECENT --name $OPT_CHAIN_PREFIX-$1 $OPT_ACTION"
        ;;
    esac
}

# clear the xt_recent list ("/") and fill it with the downloaded addresses ("+ip")
get_blocklist () {
    echo / > /proc/net/xt_recent/$OPT_CHAIN_PREFIX-$1
    $WGET -q -O - $BLOCKLIST_URL/$1.txt | while read -r ip; do
        [ -n "$ip" ] && echo "+$ip" > /proc/net/xt_recent/$OPT_CHAIN_PREFIX-$1
    done
}

# raise the per-list limit of xt_recent (the default is 100 addresses)
chmod 600 /sys/module/xt_recent/parameters/ip_list_tot
echo $MAX_IP > /sys/module/xt_recent/parameters/ip_list_tot
chmod 400 /sys/module/xt_recent/parameters/ip_list_tot

for blocklist in $BLOCKLIST; do
    echo "processing $blocklist"
    check_chain_exists $blocklist
    get_blocklist $blocklist
done
```
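The script feeds whatever the download returns straight into the xt_recent list. As an added example (not part of the original post or its script), this Bash fragment validates each feed entry as an IPv4 address, tolerates CRLF, comments and blank lines, and refuses a feed that would exceed ip_list_tot (MAX_IP), since xt_recent silently evicts the oldest entries once that limit is reached. The target path is a parameter so the logic can be run against an ordinary file; the names is_ipv4 and load_list and the sample feed are mine.

```bash
#!/bin/bash
# Added example (not the original script): validate a blocklist.de-style
# feed (one IPv4 per line) before feeding it to xt_recent, and refuse a
# list that would exceed ip_list_tot. TARGET is a parameter so the logic
# can be exercised against an ordinary file; in production it would be
# /proc/net/xt_recent/<prefix>-<list>, where every write is one command.
MAX_IP=10000

# is_ipv4 ADDR: succeed only for a dotted quad whose octets are 0-255.
is_ipv4() {
    local octet ip=$1
    [[ $ip =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] || return 1
    local IFS=.
    for octet in $ip; do
        (( 10#$octet <= 255 )) || return 1
    done
}

# load_list FEED TARGET: clear TARGET ("/" is the xt_recent clear command),
# then write "+ADDR" for every valid entry. Prints the number of addresses
# loaded; returns 1 without touching TARGET if the feed is too large.
load_list() {
    local feed=$1 target=$2 line valid=()
    while IFS= read -r line || [[ -n $line ]]; do
        line=${line%$'\r'}                        # tolerate CRLF feeds
        [[ -z $line || $line == \#* ]] && continue
        if is_ipv4 "$line"; then
            valid+=("$line")
        else
            echo "skipping non-IPv4 entry: $line" >&2   # e.g. CIDR, IPv6
        fi
    done < "$feed"
    if (( ${#valid[@]} > MAX_IP )); then
        echo "feed has ${#valid[@]} entries > ip_list_tot=$MAX_IP" >&2
        return 1
    fi
    echo / > "$target"
    for line in "${valid[@]}"; do echo "+$line" > "$target"; done
    echo "${#valid[@]}"
}

# Constructed sample feed: valid addresses, a blank line, a comment,
# a CIDR range and an out-of-range octet that xt_recent would reject.
FEED=$(mktemp) TARGET=$(mktemp)
printf '%s\n' '192.0.2.10' '198.51.100.7' '' '# comment' \
    '203.0.113.0/24' '256.1.1.1' $'192.0.2.11\r' > "$FEED"
load_list "$FEED" "$TARGET"      # prints 3
```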
Hello,
many thanks, a simple and very useful script and lists.
Just a quick note: could it be that -m recent is missing in the last two rules?
Best regards
Sebastian
Hello!
Thanks, this article was very helpful for me.
Best regards