Revisions compared: blacklistcountrieswithshorewallandipset [2017/10/29 16:01] (127.0.0.1 external edit) and [2020/02/13 22:55].

====== Blacklist Countries with Shorewall and IPset ======
I run SSH on standard port 22 with fail2ban to prevent brute-force logins.

<
====== Geoblock blacklist ======
I use a dynamic ipset referenced by shorewall as a blacklist because I have no reason for IPs from certain countries to contact my server.

*/

<
apt install ipset aggregate
</

<
#!/bin/bash

#Debug
# set -x

logger "

/
# Most files on ipdeny.com are now zero length, I grab and parse from the RIR instead
# for IP in $(/
for IP in $(/

do
/
done

logger "End: $0"
</
and I symlinked that script into /

<
cd /
ln -s /
</
Finally I told shorewall to use the ipset as its blacklist, and applied the blacklist to the public interface.

<

<
###############################################################################
#
+geoblock
</
<

<
#ZONE
net
</
<
:~# iptables-save | grep geoblock
-A blacklst -m set --match-set geoblock src -j DROP
</
You can use +geoblock in other places in your shorewall configuration to provide a more surgical block or allow (/

====== geoallow whitelist ======
Here I populated an ipset called geoallow which contains only the countries I want to allow to ssh to my server.

<

<
Ping(ACCEPT)

ACCEPT
</
<
:~# iptables-save | grep geoallow
-A net2fw -p tcp -m tcp --dport 22 -m set --match-set geoallow src -j ACCEPT
</
====== Startup at boot ======
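The nightly script above is truncated in this copy of the page, so here is an added example (my own code, not the page author's script) of the "grab and parse from the RIR" step in plain POSIX sh. It reads delegated-format records (registry|cc|type|start|value|date|status), keeps the IPv4 blocks for the requested country codes, splits each block into aligned CIDR prefixes (a delegated record's address count is not always a single power of two), and prints the ipset commands a nightly refresh would run. The set name geoblock, the country codes XX and YY, and the record lines are constructed placeholders; on a real host you would feed it a downloaded delegated-extended file, run the result through the aggregate tool installed earlier to merge adjacent prefixes, and pipe the commands to sh.

```shell
#!/bin/sh
# Added example, not the page's own script. Parses RIR delegated-format
# records into CIDR blocks and emits the ipset refresh commands.
# "geoblock", "XX" and "YY" are placeholders; the records are constructed.

# Constructed sample in delegated-extended format (documentation prefixes).
# The 768-address record deliberately does not fit one CIDR block.
SAMPLE_RIR='ripencc|XX|ipv4|192.0.2.0|256|20100101|allocated
ripencc|XX|ipv4|198.51.100.0|768|20100101|assigned
ripencc|YY|ipv4|203.0.113.0|256|20100101|allocated
ripencc|XX|ipv6|2001:db8::|32|20100101|allocated
ripencc|XX|asn|64496|1|20100101|allocated'

# Dotted quad -> integer (subshell body so the IFS change stays local).
ip2int() (
  IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# Integer -> dotted quad.
int2ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Split "start address + host count" into the minimal list of aligned CIDRs.
range_to_cidrs() {
  addr=$(ip2int "$1")
  left=$2
  while [ "$left" -gt 0 ]; do
    size=1
    prefix=32
    # Grow the block while it still fits the count and stays aligned to its size.
    while [ $(( size * 2 )) -le "$left" ] && [ $(( addr % (size * 2) )) -eq 0 ]; do
      size=$(( size * 2 ))
      prefix=$(( prefix - 1 ))
    done
    printf '%s/%s\n' "$(int2ip "$addr")" "$prefix"
    addr=$(( addr + size ))
    left=$(( left - size ))
  done
}

# Print one CIDR per line for the IPv4 records of one country code read from stdin.
rir_to_cidr() {
  want=$1
  while IFS='|' read -r registry cc type start value rest; do
    [ "$cc" = "$want" ] && [ "$type" = "ipv4" ] || continue
    case $value in ''|*[!0-9]*) continue ;; esac   # skip malformed counts
    range_to_cidrs "$start" "$value"
  done
}

# Emit the refresh a nightly cron run would execute: create the set if it is
# missing (-exist also makes this safe as the boot-time create), flush it,
# then add every block for the listed countries.
ipset_commands() {
  set_name=$1
  shift
  printf 'ipset create -exist %s hash:net\n' "$set_name"
  printf 'ipset flush %s\n' "$set_name"
  for cc in "$@"; do
    printf '%s\n' "$SAMPLE_RIR" | rir_to_cidr "$cc"
  done | while read -r cidr; do
    printf 'ipset add -exist %s %s\n' "$set_name" "$cidr"
  done
}

# Run with --demo to print the commands for the sample data.
if [ "${1-}" = "--demo" ]; then
  ipset_commands geoblock XX YY
fi
```

Note that the 768-address record comes out as two prefixes (a /23 and a /24), which is exactly the situation where piping the list through aggregate before loading it keeps the set small.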
It is important to create the ipset (even though it's empty) on reboot, or shorewall won't start.

Add the create to **/

<
/
</

and add the script to **/

<
#!/bin/bash

/
</