Weblog entry #1 for Grimnar
219.112.211.32 - - [09/Feb/2006:15:40:02 +0100] "GET / HTTP/1.1" 200 19845 "hxxp://search-and-more.biz"
Now, I have my own little script that denies the buggers access to my websites, with loads of rules like this:
#!/bin/sh
iptables -F
iptables -I INPUT -s 193.146.45.126 -j DROP
iptables -I INPUT -s 58.232.214.248 -j DROP
iptables -I INPUT -s 81.170.150.187 -j DROP
iptables -I INPUT -s 213.211.58.26 -j DROP
iptables -L
saved as filter.sh and works ok for my needs.
But here are my two little questions: is this really healthy for the server? Do loads of rules like this create a high load on the server? If so, then disregard my final question.
I'm sick and tired of adding new lines to the file using copy and paste and inserting "iptables -I INPUT -j DROP" on every line. Is there some way to create a web interface where I just paste the IP and the script auto-inserts the IP into the file, and maybe reloads it every hour using crontab? And maybe outputs the hosts that are banned under the "input" area.
Of course the script will be behind some security measures to stop everyone else from adding stuff to this file.
Andreas
Comments on this Entry
[ Send Message | View Steve's Scratchpad | View Weblogs ]
I have two scripts for this purpose:
- drop-web which adds a given IP address to the blacklist, if it isn't already there.
- /firewall which reads in a couple of lists and does the actual dropping
Here is the first one: drop-web
The second looks like this:
#!/bin/sh
#
# /firewall - Used to reset the system's firewall, then drop access to
# www/ssh via files read from the system.
#
PATH=/usr/sbin:/sbin:/bin:/usr/bin
#
# delete all existing rules.
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
#
# Drop some abusive clients from accessing our webserver
#
while read -r ip ; do
    # Strip comments, if any.
    ip=$(echo "$ip" | sed "s/#.*//g")
    # If non-blank ($ip is left unquoted below so trailing whitespace is dropped)
    if [ "x$ip" != "x" ]; then
        iptables -A INPUT -p tcp --source $ip --dport 80 -j DROP
    fi
done < /drop-web.lst
#
# Drop some abusive clients from accessing our SSH server
#
while read -r ip ; do
    # Strip comments, if any.
    ip=$(echo "$ip" | sed "s/#.*//g")
    # If non-blank
    if [ "x$ip" != "x" ]; then
        # "--dport 22" only: a trailing colon ("22:") would mean ports 22 through 65535.
        iptables -A INPUT -p tcp --source $ip --dport 22 -j DROP
    fi
done < /drop-ssh.lst
I've not noticed any significant slowdown despite having a few hundred dropped IP addresses.
[ Parent | Reply to this comment ]
ipset --create DropListName iphash
ipset -S > /path/stored-ipsets.save
Script
#!/bin/sh
iptables -F
# flush the ipset and restore it
ipset -F
ipset -R < /path/stored-ipsets.save
# skip anything that already has a connection (optional)
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# drop anything in the drop list
iptables -A INPUT -m set --set DropListName src -j DROP
To Add an IP and then save it to the restore file
#!/bin/sh
# Allow multiple IPs (the set name must match the one created above)
for IP; do
    ipset -A DropListName "$IP"
done
# Save the IPs
ipset -S > /path/stored-ipsets.save
You can have different sets for different groups of ips, just create more sets, and the rules to check them.
[ Parent | Reply to this comment ]
But I still don't see where the web interface comes in, or maybe I'm very ignorant here. You see, I was kinda looking for a script that takes pasted input from a web site, inserts it in a blacklist and sums the hosts up kinda under the input bar. I keep track of the IPs using tail -f /var/log/apache/*.log, and from there it would be very handy to just paste it in some place and just hit enter and wham, banned from my site. Easy.
My quest continues.
-Andreas.
[ Parent | Reply to this comment ]
[ Send Message | View redbeard's Scratchpad | View Weblogs ]
You might try aliasing Steve's drop-web to a single-letter shortcut (say 'x'), maybe with sudo wrapped around it with no password requirements. Then, you just type "x [space]" and paste your IP address. Press [Enter] and you're done. Might even be faster than a web page.
[ Parent | Reply to this comment ]
Yeah, I will try to make it work for me, although I'm not very good with bash scripts; all the regex and special characters make me very confused.
But the funny thing I noticed with the script is the "Check if the ip is already listed".
I find this very basic; if it's already listed, something is really broken. The firewall does not work at all then, huh?
But any pointers to help get started would be appreciated.
-Andreas.
[ Parent | Reply to this comment ]
[ Send Message | View redbeard's Scratchpad | View Weblogs ]
Are you talking about the section labeled:
#
# Add the entry - if it doesn't already exist.
#
in the drop-web script? That section is to prevent accidentally adding duplicate addresses. You're right, it is pretty basic, but a good check to have.
I think, basically, the way Steve's stuff works is:
- Have /firewall run at start up.
- When you want to add an IP address to the blacklist, use drop-web ip-address.
I imagine Steve also has a corresponding drop-ssh script to add entries to the drop-ssh.lst file. It would be the same as drop-web, except the line
/bin/echo $1 >> /drop-web.lst
would be changed to
/bin/echo $1 >> /drop-ssh.lst
Of course, you could write a web interface to replace the drop-web script. Since all it does is add an IP address at the end of the drop-web.lst file and then restart the firewall, it should be pretty easy in any web-savvy scripting language. Of course, you'd want to make sure you validate the IP address better.
[ Parent | Reply to this comment ]
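An added example that ties the thread together; it is not Steve's drop-web, not the ipset poster's script, and not Andreas's filter.sh. It does the three things the discussion asks for: validate an IPv4 address properly (the "validate the IP address better" point above matters most once the value arrives from a web form rather than your own shell, because "/bin/echo $1 >> file" happily appends whatever was pasted), add it to the list file only if it is not already there, and render the list either as an iptables-restore fragment (one rule per address, as Steve's /firewall loop builds, but loaded in one call) or as an ipset restore fragment (the hashed-set approach, where one -m set rule covers the whole list and lookup cost no longer grows with its length). Assumed, not taken from the thread: the file name blocklist.sh, the BLOCKLIST default, the function names, and modern "ipset restore" syntax (hash:ip) in place of the 2006-era iphash commands quoted earlier. Shown as POSIX sh; nothing in it needs root except the final iptables-restore / ipset call you pipe it into.

```shell
#!/bin/sh
# blocklist.sh - added example, not Steve's drop-web or the ipset poster's
# script. Validates an IPv4 address, adds it to a blocklist file once, and
# renders the file as an iptables-restore or ipset-restore fragment.
# Assumptions (not from the thread): the file name blocklist.sh, the
# BLOCKLIST default, and modern "ipset restore" syntax (hash:ip) instead
# of the 2006-era "iphash" commands quoted above.

BLOCKLIST="${BLOCKLIST:-/drop-web.lst}"

# valid_ipv4 ADDR: succeed only for a dotted quad with octets 0-255 and no
# leading zeros. Hostnames, IPv6, and shell metacharacters all fail, which
# is what makes it safe to feed a pasted web-form value to this script.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] 2>/dev/null || return 1
        case "$octet" in 0[0-9]*) return 1 ;; esac   # "010" would read as octal
    done
    return 0
}

# add_to_list ADDR [FILE]: print "added", "duplicate" or "invalid" (and
# return 1 for invalid). The duplicate check ignores trailing "# comments"
# the way Steve's /firewall reader does, so a hand-annotated entry still counts.
add_to_list() {
    addr=$1
    file=${2:-$BLOCKLIST}
    if ! valid_ipv4 "$addr"; then
        echo invalid
        return 1
    fi
    touch "$file"
    esc=$(printf '%s' "$addr" | sed 's/\./\\./g')
    if sed 's/#.*//' "$file" | grep -qx "[[:space:]]*$esc[[:space:]]*"; then
        echo duplicate
        return 0
    fi
    echo "$addr" >> "$file"
    echo added
}

# render_iptables [FILE] [PORT]: one DROP rule per address, as a fragment
# for "iptables-restore -n" (-n keeps the rules you already have).
render_iptables() {
    file=${1:-$BLOCKLIST}
    port=${2:-80}
    echo '*filter'
    sed 's/#.*//' "$file" | while read -r ip; do
        if [ -n "$ip" ]; then
            echo "-A INPUT -p tcp -s $ip --dport $port -j DROP"
        fi
    done
    echo 'COMMIT'
}

# render_ipset [FILE] [SET]: a fragment for "ipset -exist restore"; pair it
# with a single rule such as
#   iptables -A INPUT -p tcp --dport 80 -m set --match-set DropListName src -j DROP
render_ipset() {
    file=${1:-$BLOCKLIST}
    setname=${2:-DropListName}
    echo "create $setname hash:ip"
    sed 's/#.*//' "$file" | while read -r ip; do
        if [ -n "$ip" ]; then
            echo "add $setname $ip"
        fi
    done
}

# Usage:  blocklist.sh add 203.0.113.7
#         blocklist.sh iptables | iptables-restore -n
#         blocklist.sh ipset    | ipset -exist restore
case "${1:-}" in
    add)      add_to_list "$2" ;;
    iptables) render_iptables ;;
    ipset)    render_ipset ;;
esac
```

Whichever renderer you use, the rules are built from the file, so the web interface (or redbeard's one-letter alias) only ever needs the "add" half, and the validation step is the one thing that must not be skipped there: a bare "echo $1 >> file" followed by an iptables call is how a pasted line ends up as an argument to a root-run command.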