LinuxQuestions.org
Blocking lists of IP addresses using the iptables recent module or ipset and make fail2ban use it.

Posted 04-21-2013 at 08:25 AM by unSpawn
Updated 04-21-2013 at 09:34 AM by unSpawn (//Suggest saving the current rule set)

To combat the common misconception that filling Netfilter's filter table INPUT chain is still a valid choice, to show ease of use and for future reference, I'll outline how to mass block IP(v4) addresses and how to integrate this with fail2ban.

*This web log post will not explain the fine print on ipset and iptables' {ipt,xt}_recent ('iptables -m recent --help'), nor will it tell you how to install anything, help you configure fail2ban, go into SysV vs BSD init scripts or application layer versus network layer blocking or help you determine if your (virtual) machine can run ipset. That you have to invest time in yourself. Searching LQ will help of course, it's all been dealt with before.

** One difference I should point out: the Netfilter recent module doesn't allow for blocking IP ranges the way ipset does, so choose wisely.


First ipset.
Code:
# Create a set. This type will hold IP addresses as well as ranges:
ipset -N BOGON hash:net family inet

# Let's populate this with the one source (please don't hit them more than once a day):
wget -q http://www.cymru.com/Documents/bogon-bn-nonagg.txt -O /dev/stdout | while read RANGE; do
 ipset add BOGON $RANGE
done

# Save the set so it survives a reboot:
ipset -S BOGON > /etc/sysconfig/ipset.BOGON

# Check the set so you know what it will block (for example in a 192.168. LAN you'll want to edit that 'net out).
ipset -L BOGON

# After verifying add these two iptables rules (check chain first for rule order vs insert or add).
# Change your device name if necessary:
iptables -t raw -A PREROUTING -i eth0 -m set --match-set BOGON src -j NOTRACK
iptables -t raw -A PREROUTING -i eth0 -m set --match-set BOGON src -j DROP
# *Do save your rule set ;-p

# Now make fail2ban use it. I'm asserting you filter for SSH logins using iptables.
# (These commands use a separate set named BLOCK for fail2ban's own bans; that set has to
# exist and be matched by iptables rules like the BOGON ones above.)
# The ban command:
fail2ban-client set ssh-iptables actionban iptables "/usr/sbin/ipset add BLOCK <ip>"
# The unban command:
fail2ban-client set ssh-iptables actionunban iptables "/usr/sbin/ipset del BLOCK <ip>"
# *Well spotted: you'll have to (un)set the actionstart, actionstop and actioncheck
# commands yourself and modify /etc/fail2ban/action.d/iptables.

# Finally add this to your (SysV) startup script (if /etc/rc.d/rc.local add above the "touch" line):
# Load ipset
find /etc/sysconfig -maxdepth 1 -type f -iname ipset.\* | while read SET; do
   /usr/sbin/ipset restore < $SET
done

# Done.
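For the "check the set so you know what it will block" step, here is an added example (not from the original post) in POSIX sh/awk: it validates every line of a bogon-style list, skips any prefix that overlaps a local network you name (the 192.168 case mentioned above), and writes the same create/add format that `ipset -S` saves, so the result can go straight into `ipset restore`. The input list, the set name BOGON and the local network 192.168.1.0/24 are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the original post: build an "ipset restore" file
# from a bogon-style list, validating each line and skipping prefixes that
# overlap a local network. Needs only sh and awk; nothing touches the kernel.

# bogon_to_restore SETNAME [LOCALNET] < list
# stdin: one "a.b.c.d/len" per line (comments and blank lines ignored)
# stdout: script for "ipset restore"; rejected lines are reported on stderr
bogon_to_restore() {
  awk -v set="$1" -v lan="$2" '
    function ip2n(ip,  o) {                       # dotted quad -> integer
      split(ip, o, "."); return o[1]*16777216 + o[2]*65536 + o[3]*256 + o[4]
    }
    function valid(cidr,  p, o, i) {              # strict a.b.c.d/len check
      if (split(cidr, p, "/") != 2 || p[2] !~ /^[0-9]+$/ || p[2]+0 > 32) return 0
      if (split(p[1], o, ".") != 4) return 0
      for (i = 1; i <= 4; i++) if (o[i] !~ /^[0-9]+$/ || o[i]+0 > 255) return 0
      return 1
    }
    # Two prefixes overlap iff they share their first min(len1,len2) bits;
    # integer division by 2^(32-m) keeps exactly those top bits.
    function overlap(a, b,  pa, pb, m, d) {
      split(a, pa, "/"); split(b, pb, "/")
      m = (pa[2]+0 < pb[2]+0) ? pa[2] : pb[2]
      d = 2 ^ (32 - m)
      return int(ip2n(pa[1]) / d) == int(ip2n(pb[1]) / d)
    }
    BEGIN { print "create " set " hash:net family inet" }
    { sub(/\r$/, "") }                            # tolerate CRLF files
    /^[ \t]*(#|$)/ { next }                       # comments / blank lines
    {
      if (!valid($1)) { print "skipped malformed: " $0 > "/dev/stderr"; next }
      if (lan != "" && overlap($1, lan)) {
        print "skipped, covers local net: " $1 > "/dev/stderr"; next
      }
      print "add " set " " $1
    }'
}

# Constructed sample standing in for bogon-bn-nonagg.txt (nothing is fetched).
bogon_to_restore BOGON 192.168.1.0/24 <<'EOF'
# constructed sample
0.0.0.0/8
10.0.0.0/8
100.64.0.0/10
192.168.0.0/16
not-an-address
224.0.0.0/4
EOF
```

Redirect the output to /etc/sysconfig/ipset.BOGON and the startup loop above will load it, or pipe it into `ipset restore` directly.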

Now the iptables "recent" module.
*Note you shouldn't do this if you already have /etc/fail2ban/action.d/iptables-xt_recent-echo.conf.
**Note also that with older kernels the module, file and directory are named "ipt_recent" rather than "xt_recent", so change the names below if necessary.
Code:
# Create, populate (again, please don't hit them more than once a day), save and check the list as shown above.
# Two caveats: /proc/net/xt_recent/BLOCK only exists once a rule with "--name BLOCK" is loaded,
# so add the two iptables rules below first; and xt_recent keeps at most ip_list_tot entries per
# list (module parameter, default 100), so load the module with a larger value if you need more.
# The recent module doesn't do ranges; for this example we strip the prefix length and rewrite
# every 0 to 3 to get single host addresses (this does NOT cover the bogon networks themselves):
wget -q http://www.cymru.com/Documents/bogon-bn-nonagg.txt -O /dev/stdout \
  | awk -F'/' '{print $1}' | tr '0' '3' | while read ITEM; do
    echo "+${ITEM}" > /proc/net/xt_recent/BLOCK
done

# After verifying add these two iptables rules (check chain first for rule order vs insert or add):
iptables -t raw -A PREROUTING -i eth0 -m recent --update --hitcount 1 --name BLOCK --rsource -j NOTRACK
iptables -t raw -A PREROUTING -i eth0 -m recent --update --hitcount 1 --name BLOCK --rsource -j DROP
# *Do save your rule set ;-p

# Make fail2ban use it, again asserting you filter for SSH logins using iptables.
# The ban command:
fail2ban-client set ssh-iptables actionban iptables "/bin/echo +<ip> > /proc/net/xt_recent/BLOCK"
# The unban command:
fail2ban-client set ssh-iptables actionunban iptables "/bin/echo -<ip> > /proc/net/xt_recent/BLOCK"

# Add this to your (SysV) startup script (if /etc/rc.d/rc.local add above the "touch" line).
# Load recent (-iname matches the file name only, so no leading slash in the pattern):
find /etc/sysconfig -maxdepth 1 -type f -iname xt_recent.\* | while read RECENT; do
  LIST=${RECENT##*.}          # list name is the part after the last dot, e.g. BLOCK
  while read ITEM; do
    echo "+${ITEM}" > /proc/net/xt_recent/$LIST
  done < "$RECENT"
done

# This command should be issued on shutdown or regularly using a cron job:
awk '{print substr($1,5)}' /proc/net/xt_recent/BLOCK > /etc/sysconfig/xt_recent.BLOCK

# Done.
Any questions should be asked in the relevant LQ forum.