blacklistcountrieswithshorewallandipset


blacklistcountrieswithshorewallandipset [2016/07/02 15:49]
ian [Startup at boot]
blacklistcountrieswithshorewallandipset [2020/02/13 22:55]
Line 1: Line 1:
- 
-====== Blacklist Countries with Shorewall and IPset ====== 
-I run SSH on standard port 22 with fail2ban to prevent brute-force logins.  Despite this I am still annoyed by the frequency of fail2ban alerts for countries like China. 
- 
-<toc><ul><li><link topicref="2">Geoblock blacklist</link></li><li><link topicref="3">geoallow whitelist</link></li><li><link topicref="4">Startup at boot</link></li></ul></toc> 
-====== Geoblock blacklist ====== 
-I use a dynamic ipset referenced by shorewall as a blacklist because I have no reason for IPs from certain countries to contact my server. 
- 
-<strong>/usr/local/sbin/ipset-geoblock-country.sh</strong>: 
- 
-<code> 
-#!/bin/bash 
- 
-# set -x 
- 
-/usr/sbin/ipset -N geoblock nethash -exist 
-# Most files on ipdeny.com are now zero length, I grab and parse from the RIR instead 
-# for IP in $(/usr/bin/wget -O - http://www.ipdeny.com/ipblocks/data/countries/{cn,vn}.zone) 
-for IP in $(/usr/bin/wget -q -O - ftp://ftp.arin.net/pub/stats/apnic/delegated-apnic-latest | awk -F'|' 'BEGIN{OFS=&quot;&quot;} ( $2 == &quot;CN&quot; || $2 == &quot;VN&quot; ) &amp;&amp; $3 == &quot;ipv4&quot; {print $4,&quot;/&quot;,32-(log($5)/log(2))}' | aggregate) 
- 
-do 
-/usr/sbin/ipset -A geoblock $IP -exist 
-done 
-</code> 
-and I symlinked that script into /etc/cron.weekly to add IPs to this ipset (fast lookup) list 
- 
-<code> 
-cd /etc/cron.weekly 
-ln -s /usr/local/sbin/ipset-geoblock-country.sh . 
-</code> 
-Finally I told shorewall to use the ipset as its blacklist, and applied the blacklist to the public interface. 
- 
-<strong>/etc/shorewall/blacklist</strong>: 
- 
-<code> 
-############################################################################### 
-#ADDRESS/SUBNET         PROTOCOL        PORT    OPTIONS 
-+geoblock 
-</code> 
-<strong>/etc/shorewall/interfaces</strong>: 
- 
-<code> 
-#ZONE   INTERFACE       BROADCAST       OPTIONS 
-net     eth0            detect          tcpflags,nosmurfs,routefilter,logmartians,blacklist 
-</code> 
-<code> 
-:~# iptables-save | grep geoblock 
--A blacklst -m set --match-set geoblock src -j DROP 
-</code> 
-You can use +geoblock in other places in your shorewall configuration to provide a more surgical block or allow (/etc/shorewall/rules). 
- 
-====== geoallow whitelist ====== 
-Here I populated an ipset called geoallow which contains only the countries I want to allow to ssh to my server. 
- 
-<strong>/etc/shorewall/rules</strong>: 
- 
-<code> 
-Ping(ACCEPT)    all             all 
- 
-ACCEPT          net:+geoallow         $FW     tcp     ssh 
-</code> 
-<code> 
-:~# iptables-save | grep geoallow 
--A net2fw -p tcp -m tcp --dport 22 -m set --match-set geoallow src -j ACCEPT 
-</code> 
-====== Startup at boot ====== 
-It is important to create the ipset (even though its empty) on reboot, or shorewall won't start. 
- 
-Add the create to **/etc/defaults/shorewall** or anything that starts before shorewall: 
- 
-<code> 
-/usr/sbin/ipset -N geoblock nethash 
-</code> 
- 
-and add the script to **/etc/shorewall/started** or anything that runs after the network is up: 
- 
-<code> 
-#!/bin/bash 
- 
-/usr/local/sbin/ipset-geoblock-country.sh & 
-</code> 
  
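Review bot: the boot-time create in the Startup at boot section only creates geoblock (`/usr/sbin/ipset -N geoblock nethash`), yet /etc/shorewall/rules references `net:+geoallow`; by the page's own reasoning shorewall will not start if that set is missing either, so a matching `ipset -N geoallow nethash` belongs beside it (and on Debian the file is /etc/default/shorewall, without the trailing s). Two smaller points on ipset-geoblock-country.sh: the awk line as shown carries HTML entities (`&quot;`, `&amp;&amp;`) that must be restored to `"` and `&&` before it runs, and `32-(log($5)/log(2))` only gives a valid prefix length when the address count in field 5 is a power of two, so non-power-of-two allocations in the delegated file should be split or skipped rather than emitted as fractional prefixes. Since the script only ever adds (`ipset -A geoblock $IP -exist`) and never flushes, ranges the registry later reassigns stay blocked; and because the feed is fetched unauthenticated over ftp://, a corrupted or tampered file could block ranges you depend on, so a sanity check on the entry count before loading is worth adding.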
blacklistcountrieswithshorewallandipset.txt ยท Last modified: 2020/02/13 22:55 (external edit)
