Re: [CentOS] Netfilter fails to filter traffic from a netblock?
--On Sunday, April 19, 2020 10:30 AM -0400 Jeffrey Walton wrote:

> Ugh, thanks. I did not realize the changes were only temporary.
>
> What is the recommended way to permanently add a ban rule?

    service iptables save

That runs the initscript that knows how to save the running firewall to /etc/sysconfig.

___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Netfilter fails to filter traffic from a netblock?
Insert the rule early in the chain. To determine where, I use this command:

    iptables -L INPUT -v -n --line-numbers

You should put the new rule before rule 1, I think, so it takes effect before even the ESTABLISHED rule from the connection tracker. Use this:

    iptables -I INPUT 1 -s 59.64.128.0/19 -p TCP -j DROP

If you think you'll build up a list of attackers, you can use an ipset, instead. I use firewalld for my own firewalls, which has integral support for saving and restoring ipsets. You can use a firewalld "direct" rule to insert an ipset-based ban before other rules in the INPUT chain.
Re: [CentOS] Netfilter fails to filter traffic from a netblock?
On 19.04.2020 at 14:58, Jeffrey Walton wrote:

> The offending host is 59.64.129.175. To err on the side of caution we
> attempted to block the entire netblock. According to whois data,
> that's 59.64.128.0-59.64.159.255.
>
> iptables -A INPUT -s 59.64.128.0/19 -p TCP -j DROP

There was no comment so far that the order of the iptables rules matters. With your command you append to the existing rules. It would be without effect in case there is a rule earlier in the order which permits the traffic you try to block.

> After reboot cpu usage is still high and access_log still shows
> useless requests from the host:
>
> 59.64.129.175 - - [19/Apr/2020:08:53:53 -0400] "GET
> /w/index.php?title=Special:WhatLinksHere&limit=50&
> printable=yes HTTP/1.1" 301 311
>
> I seem to be missing something. That's not surprising since I am not a
> server administrator.
>
> How do I filter the unwanted traffic from the netblock?

The iptables rules should be saved in /etc/sysconfig/iptables to be read in at boot time (or when the iptables service gets restarted).

Alexander
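The two replies above (insert at position 1 versus append) come down to netfilter's first-match rule evaluation. The following is an added example, not code from the thread or from any of its participants: a small Python model of the INPUT chain exactly as Jeffrey's `iptables -L` output lists it, which evaluates a packet from the banned netblock against the chain with the DROP appended (`-A`) and with it inserted (`-I INPUT 1`). The third rule, `ACCEPT all -- anywhere anywhere`, is modelled as the usual CentOS loopback rule (`-i lo`), which `iptables -L` without `-v` prints without its interface; that is an assumption. The model covers only what the thread discusses (protocol, source, conntrack state, destination port, input interface) and is not a netfilter implementation.

```python
"""First-match model of an iptables INPUT chain (added example, not the
thread's code).  Shows why `iptables -A INPUT ... -j DROP` behind a
catch-all ACCEPT/REJECT never fires, while `iptables -I INPUT 1 ...` does."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    target: str                     # ACCEPT, DROP, REJECT
    proto: str = "all"              # "all", "tcp", "udp", "icmp"
    src: Optional[str] = None       # CIDR; None means "anywhere"
    states: Tuple[str, ...] = ()    # conntrack states; () means any state
    dport: Optional[int] = None     # destination port; None means any
    in_iface: Optional[str] = None  # input interface; None means any


@dataclass(frozen=True)
class Packet:
    src: str
    proto: str
    dport: Optional[int] = None
    state: str = "NEW"
    in_iface: str = "eth0"


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every match on the rule must hold; an unset match always holds."""
    if rule.proto != "all" and rule.proto != pkt.proto:
        return False
    if rule.src is not None and \
            ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if rule.states and pkt.state not in rule.states:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.in_iface is not None and rule.in_iface != pkt.in_iface:
        return False
    return True


def decide(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> Tuple[int, str]:
    """iptables semantics: the first matching rule decides.  Returns the
    1-based rule number (as `--line-numbers` would print it) and the target;
    rule number 0 means no rule matched and the chain policy applied."""
    for lineno, rule in enumerate(chain, start=1):
        if matches(rule, pkt):
            return lineno, rule.target
    return 0, policy


# The INPUT chain from the thread's `iptables -L` output, before the ban.
BASE_CHAIN: List[Rule] = [
    Rule("ACCEPT", states=("RELATED", "ESTABLISHED")),
    Rule("ACCEPT", proto="icmp"),
    Rule("ACCEPT", in_iface="lo"),   # assumption: CentOS's loopback rule, "-i lo" hidden by -L
    Rule("ACCEPT", proto="tcp", states=("NEW",), dport=22),
    Rule("ACCEPT", proto="tcp", states=("NEW",), dport=80),
    Rule("ACCEPT", proto="tcp", states=("NEW",), dport=443),
    Rule("REJECT"),                  # reject-with icmp-host-prohibited
]

# The ban rule from the thread: -s 59.64.128.0/19 -p TCP -j DROP
BAN = Rule("DROP", proto="tcp", src="59.64.128.0/19")


def appended_chain() -> List[Rule]:
    """What `iptables -A INPUT ...` produces: the ban goes last."""
    return BASE_CHAIN + [BAN]


def inserted_chain(position: int = 1) -> List[Rule]:
    """What `iptables -I INPUT <position> ...` produces."""
    return BASE_CHAIN[:position - 1] + [BAN] + BASE_CHAIN[position - 1:]


if __name__ == "__main__":
    # Constructed sample packets: the offending host from the thread and an
    # unrelated client (203.0.113.10 is documentation address space).
    new_http = Packet("59.64.129.175", "tcp", 80, "NEW")
    est_http = Packet("59.64.129.175", "tcp", 80, "ESTABLISHED")
    banned_udp = Packet("59.64.129.175", "udp", 53, "NEW")
    other_http = Packet("203.0.113.10", "tcp", 80, "NEW")
    for label, chain in (("-A INPUT", appended_chain()),
                         ("-I INPUT 1", inserted_chain(1)),
                         ("-I INPUT 2", inserted_chain(2))):
        print(f"{label}:")
        for pkt in (new_http, est_http, banned_udp, other_http):
            lineno, target = decide(chain, pkt)
            print(f"  {pkt.src:>15} {pkt.proto}/{pkt.dport} {pkt.state:<11} -> rule {lineno} {target}")
```

With the appended chain, a new HTTP connection from 59.64.129.175 is accepted by rule 5 (the `dpt:http` rule) and the DROP at rule 8 is never consulted; inserted at position 1 it is dropped by rule 1. Inserting at position 2 instead lets the offender's already-established connections keep flowing through the `RELATED,ESTABLISHED` rule, which is why the advice above says to go before rule 1. The UDP packet shows the other thing to notice: because the ban carries `-p TCP`, non-TCP traffic from the netblock still falls through to the catch-all REJECT.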
Re: [CentOS] Netfilter fails to filter traffic from a netblock?
On Sun, Apr 19, 2020 at 8:58 AM Jeffrey Walton wrote:
>
> Hi Everyone,
>
> We rent a CentOS 7 VM from GoDaddy. We received a warning about
> excessive cpu usage, and a threat to cancel our service. We tracked it
> down to Apache and someone hammering our web server.
>
> The offending host is 59.64.129.175. To err on the side of caution we
> attempted to block the entire netblock. According to whois data,
> that's 59.64.128.0-59.64.159.255.
>
> iptables -A INPUT -s 59.64.128.0/19 -p TCP -j DROP
>
> After reboot cpu usage is still high and access_log still shows
> useless requests from the host:
>
> 59.64.129.175 - - [19/Apr/2020:08:53:53 -0400] "GET
> /w/index.php?title=Special:WhatLinksHere&limit=50&
> printable=yes HTTP/1.1" 301 311
>
> I seem to be missing something. That's not surprising since I am not a
> server administrator.
>
> How do I filter the unwanted traffic from the netblock?

Thanks Mike and Mark. This is where I am at...

I'm following https://www.howtogeek.com/177621/the-beginners-guide-to-iptables-the-linux-firewall/ because GoDaddy has not published any documents on this (other than use cPanel, which I don't have access to).

The rule is persisted but it is being ignored.

    # iptables -L | grep policy
    Chain INPUT (policy ACCEPT)
    Chain FORWARD (policy ACCEPT)
    Chain OUTPUT (policy ACCEPT)

    # iptables -A INPUT -s 59.64.128.0/19 -p TCP -j DROP

    # /sbin/service iptables save
    iptables: Saving firewall rules to /etc/sysconfig/iptables: [OK]

    # iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
    ACCEPT     icmp --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
    ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http
    ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https
    REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
    DROP       tcp  --  59.64.128.0/19       anywhere

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

We really need the server to honor this rule. How do we get CentOS to use this rule?

Jeff
Re: [CentOS] Netfilter fails to filter traffic from a netblock?
On Sun, Apr 19, 2020 at 9:45 AM Anand Buddhdev wrote:
>
> Personally though, I find firewalld to be cumbersome, so I remove it
> completely, and installed instead "iptables-services".
>

Ya, I agonized over accepting firewalld. I'm a smalltime manager who wears many hats and doesn't have a lot of time to practice sysadmin skills. It took me about 5 years to get confident with iptables and go from fresh install to company firewall in one sitting. Now that I've adopted firewalld, which has a wider variety of command/rule statements, I am constantly hitting "man firewall-cmd" and cannot competently recall iptables in any comprehensible way; it's like mixing Japanese and English whenever I try to communicate with a centos box firewall, heh.
Re: [CentOS] Netfilter fails to filter traffic from a netblock?
The way I start the firewall is as follows:

    systemctl enable firewalld
    systemctl start firewalld
    systemctl status firewalld

Regards,

Mark Woolfson
MW Consultancy Ltd
Leeds
LS18 4LY
United Kingdom
Tel: +44 113 259 1204
Mob: +44 786 065 2778

-Original Message-
From: Jeffrey Walton
Sent: Sunday, April 19, 2020 2:44 PM
To: CentOS mailing list
Subject: Re: [CentOS] Netfilter fails to filter traffic from a netblock?

On Sun, Apr 19, 2020 at 9:40 AM Mike <1100...@gmail.com> wrote:
> Thought it might also be helpful to confirm that firewalld is not
> interfering in any way.
>
> what is the output of ~$# systemctl status firewalld

Thanks Mike.

    # systemctl status firewalld
    Unit firewalld.service could not be found.

Jeff
Re: [CentOS] Netfilter fails to filter traffic from a netblock?
On 19/04/2020 15:30, Jeffrey Walton wrote:

> Ugh, thanks. I did not realize the changes were only temporary.
>
> What is the recommended way to permanently add a ban rule?

On CentOS 7, the default firewall is "firewalld", and you can configure it with "firewall-cmd". You can use it to add temporary or permanent rules. You can read the man page of that to learn how to view, add, modify or delete rules.

Personally though, I find firewalld to be cumbersome, so I remove it completely, and installed instead "iptables-services".

    yum erase firewalld
    yum install iptables-services

Then, after adding your iptables rule(s), run:

    iptables-save > /etc/sysconfig/iptables
    ip6tables-save > /etc/sysconfig/ip6tables

They'll be applied at boot.

Regards,
Anand
Re: [CentOS] Netfilter fails to filter traffic from a netblock?
On Sun, Apr 19, 2020 at 9:40 AM Mike <1100...@gmail.com> wrote:
>
> Thought it might also be helpful to confirm that firewalld is not
> interfering in any way.
>
> what is the output of ~$# systemctl status firewalld

Thanks Mike.

    # systemctl status firewalld
    Unit firewalld.service could not be found.

Jeff
Re: [CentOS] Netfilter fails to filter traffic from a netblock?
Thought it might also be helpful to confirm that firewalld is not interfering in any way.

What is the output of:

    ~$# systemctl status firewalld

On Sun, Apr 19, 2020 at 9:30 AM Jeffrey Walton wrote:
>
> On Sun, Apr 19, 2020 at 9:26 AM Anand Buddhdev wrote:
> >
> > On 19/04/2020 14:58, Jeffrey Walton wrote:
> >
> > Hi Jeffrey,
> >
> > > The offending host is 59.64.129.175. To err on the side of caution we
> > > attempted to block the entire netblock. According to whois data,
> > > that's 59.64.128.0-59.64.159.255.
> > >
> > > iptables -A INPUT -s 59.64.128.0/19 -p TCP -j DROP
> > >
> > > After reboot cpu usage is still high and access_log still shows
> > > useless requests from the host:
> >
> > Did you actually arrange for your iptables rule to be reinstated at boot?
> >
> > If you just configure a rule as above, but don't save it, it will
> > disappear at reboot.
>
> Ugh, thanks. I did not realize the changes were only temporary.
>
> What is the recommended way to permanently add a ban rule?
>
> Thanks again.
Re: [CentOS] Netfilter fails to filter traffic from a netblock?
On Sun, Apr 19, 2020 at 9:26 AM Anand Buddhdev wrote:
>
> On 19/04/2020 14:58, Jeffrey Walton wrote:
>
> Hi Jeffrey,
>
> > The offending host is 59.64.129.175. To err on the side of caution we
> > attempted to block the entire netblock. According to whois data,
> > that's 59.64.128.0-59.64.159.255.
> >
> > iptables -A INPUT -s 59.64.128.0/19 -p TCP -j DROP
> >
> > After reboot cpu usage is still high and access_log still shows
> > useless requests from the host:
>
> Did you actually arrange for your iptables rule to be reinstated at boot?
>
> If you just configure a rule as above, but don't save it, it will
> disappear at reboot.

Ugh, thanks. I did not realize the changes were only temporary.

What is the recommended way to permanently add a ban rule?

Thanks again.
Re: [CentOS] Netfilter fails to filter traffic from a netblock?
On 19/04/2020 14:58, Jeffrey Walton wrote:

Hi Jeffrey,

> The offending host is 59.64.129.175. To err on the side of caution we
> attempted to block the entire netblock. According to whois data,
> that's 59.64.128.0-59.64.159.255.
>
> iptables -A INPUT -s 59.64.128.0/19 -p TCP -j DROP
>
> After reboot cpu usage is still high and access_log still shows
> useless requests from the host:

Did you actually arrange for your iptables rule to be reinstated at boot?

If you just configure a rule as above, but don't save it, it will disappear at reboot.

Regards,
Anand