This is what I was thinking. I'm using CentOS 7. I believe it has firewalld integrated. Admittedly, I know just enough to "get the job done" and am not an expert in all the nuances of the tools. So I sometimes don't understand which systems overlap or replace each other, such as iptables, ipset, firewalld and various others. I've been doing a bunch of research trying to figure out the best approach.

Obviously I've learned that Fail2Ban basically is an automated front end for ipset/iptables. So it seems wise to use those same facilities for an augmented blacklist.

Would you (and anybody else) be interested in sharing your scripts and other info?

Anybody on Discord want to meet up and chat about it off the list?

Here's a utility I've found that I have not tested yet, that may also be helpful:

https://github.com/prbinu/yipfilter - Anybody try that?

One additional thing I've done with F2B is create an "aggravated IP blacklist" that is triggered manually (or automatically from a database/text file I set up based on observation/analysis) - I basically created a new jail called "manban" (manual ban) that excluded all major ports and had a very long expiration time of like 3 months. This works very well, but it doesn't combat the botnets that share thousands of IP addresses.

I even wrote a nice perl script that parses the auth log, identifies botnet attacks and creates a secondary log file for automated blacklisting. The problem is, inside of 3 days I had over 4000 IP addresses in the F2B jail. I wasn't able to get near the end of the botnets... I suspect they don't necessarily have that many infected computers, as they are located on ISP space that may allow them to re/allocate multiple IPs if they're available -- for that reason I want to begin to mass-blacklist IP ranges.

Specifically, I'm looking for the proper command to block an ipset list from a select list of ports (basically all the interactive ones normally reserved for clients like ftp, ssh, imap, pop3, etc).

The only downside is whether to block ports 25/587? I need to be able to occasionally tell if some legit mail gets blocked. That's probably another level of protection to discuss separately?

One question I was wondering: if you update IPs in IPSET, does it automatically update the underlying iptables rule?

- Mike



At 02:13 PM 8/2/2019, Kenneth Porter wrote:
--On Friday, August 02, 2019 2:18 PM -0500 Mike <[email protected]> wrote:

I had been using a special ruleset I created in F2B, but those require timeouts and seem to only work with single IPs, so I'm thinking I need to create some scripts that will do this outside of F2B?

Use ipset to manage the list and iptables to insert the rule that uses the list. I do this to block all non-US countries from my authenticated services, at least for those identified by port number (e.g. submission, imap, ssh). (I can't do this for HTTP because authentication uses the same port as legitimate non-authenticated visitors.)

If your distro uses firewalld, you can use its support for ipsets to maintain your list in a simple XML format and create a "direct" rule that drops members of that list. Otherwise, I think the latest ipset package can load your sets at boot time and the iptables "service" can install a rule.



_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
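The ipset-plus-iptables approach Kenneth describes, and the "block a set from a select list of ports" command Mike asks for, as an added example (not code from either poster). The set name `manban_net`, the port list and the sample ranges are constructed placeholders; `ipset` and `iptables` are the real CLIs.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds an ipset of address
# ranges and an iptables rule that drops TCP from that set to the
# interactive service ports. Set name, port list and ranges are
# constructed placeholders.

SET_NAME="manban_net"
# ftp, ssh, pop3, imap, imaps, pop3s
BLOCK_PORTS="21,22,110,143,993,995"

# Constructed sample ranges (RFC 5737 documentation prefixes).
SAMPLE_RANGES='203.0.113.0/24
# comment lines and blanks are ignored

198.51.100.0/25
192.0.2.0/24'

# Turn CIDRs on stdin into an `ipset restore` stream for a hash:net set,
# which holds whole ranges rather than single addresses.
ipset_restore_stream() {
    set_name="$1"
    echo "create $set_name hash:net family inet hashsize 1024 maxelem 65536"
    while IFS= read -r cidr; do
        case "$cidr" in
            ''|'#'*) continue ;;
        esac
        echo "add $set_name $cidr"
    done
}

# The rule refers to the set by name: entries added or removed later with
# `ipset add` / `ipset del` take effect at once, with no iptables reload.
# `-C` is checked first so reruns do not insert duplicate rules.
iptables_drop_rule() {
    set_name="$1"; ports="$2"
    match="INPUT -p tcp -m set --match-set $set_name src -m multiport --dports $ports -j DROP"
    echo "iptables -C $match 2>/dev/null || iptables -I $match"
}

# Apply as root; as a non-root user just print what would run.
apply_blacklist() {
    if [ "$(id -u)" -eq 0 ]; then
        printf '%s\n' "$SAMPLE_RANGES" | ipset_restore_stream "$SET_NAME" | ipset restore -exist
        eval "$(iptables_drop_rule "$SET_NAME" "$BLOCK_PORTS")"
    else
        printf '%s\n' "$SAMPLE_RANGES" | ipset_restore_stream "$SET_NAME"
        iptables_drop_rule "$SET_NAME" "$BLOCK_PORTS"
    fi
}
```

Call `apply_blacklist` as root to load the set and install the rule; as a normal user it only prints the restore stream and the rule so you can review them first.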
