So I'm taking a break from work, so I'll give you an example of what I
would do. I'm going to assume you're using CentOS 6 and you have shorewall
installed from EPEL.

## Install ipset
yum install ipset

## Create your set
ipset create -exist DDOS hash:ip

## Configure Shorewall
    # blrules
        DROP    net:+DDOS    all

## Then in some other process foo.py (run this as a daemon or a cron or
something)
    import subprocess

    def get_list_of_new_ddos_ips():
        # get your ips somehow (e.g. from your DNSBL cache)
        # return ip_list
        return []

    for ip in get_list_of_new_ddos_ips():
        # -exist: re-adding an address that is already in the set is not an error
        subprocess.check_call(["ipset", "add", "-exist", "DDOS", ip])

## Notes
1) You'll need to persist your ipset somehow; ipsets get deleted at reboot.
There are many ways.
2) The foo.py is pseudo-code, don't use it as is.
3) You probably don't want shorewall to call a user script for each
connection. You could easily bog down your system.
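
Added example, not code from the original thread or from the Shorewall project: a
Python 3 script that fills in the foo.py step for the situation in the original
report. It pulls the peer addresses out of Exim-style log lines like the ones
posted, looks each one up in a DNSBL, and emits `ipset restore` input that can be
fed to the kernel with `ipset restore -exist` and saved to the file that the init
snippet quoted below restores at boot. The set name DDOS matches the blrules entry
above. The DNSBL zone (zen.spamhaus.org), the persistence path under
/etc/shorewall/ipsetlists/, and the sample log text are assumptions; the log lines
are constructed for the example, with 192.0.2.10 (TEST-NET-1) as a legitimate peer.

```python
import re
import socket
import subprocess

SET_NAME = "DDOS"                # the set referenced by blrules: net:+DDOS
DNSBL_ZONE = "zen.spamhaus.org"  # assumption: any DNSBL zone you are allowed to query
PERSIST_PATH = "/etc/shorewall/ipsetlists/" + SET_NAME   # assumption, see init snippet
IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample input (not a real log file): Exim rejection lines in the
# same shape as the original report, plus one legitimate peer at 192.0.2.10.
SAMPLE_LOG = """\
2015-02-24 10:25:21 H=([58.187.161.220]) [58.187.161.220] sender verify fail for <user@example.org>: Unrouteable address
2015-02-24 10:25:21 H=([58.187.161.220]) [58.187.161.220] rejected RCPT <user@example.org>: Sender verify failed
2015-02-24 10:25:21 unexpected disconnection while reading SMTP command from ([58.187.161.220]) [58.187.161.220] (error: Connection reset by peer)
2015-02-24 10:26:02 H=mail.example.net [192.0.2.10] F=<ok@example.net> rejected RCPT <nobody@example.org>: Unknown user
"""


def peer_ips(log_text):
    """Distinct peer IPv4 addresses from Exim log lines, in first-seen order.

    Exim prints the connecting peer as [a.b.c.d]; when the HELO name is itself
    a bracketed address the peer appears twice, so take the last match."""
    seen = []
    for line in log_text.splitlines():
        found = IPV4_IN_BRACKETS.findall(line)
        if found and found[-1] not in seen:
            seen.append(found[-1])
    return seen


def dnsbl_name(ip, zone=DNSBL_ZONE):
    """DNSBL query name: octets reversed, then the zone (RFC 5782 convention)."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def is_listed(ip, zone=DNSBL_ZONE, resolve=socket.gethostbyname):
    """True only if the DNSBL answers with a 127.0.0.x address.

    NXDOMAIN (raised as OSError/gaierror) means not listed. Requiring the
    127.0.0. prefix guards against resolvers that wildcard unknown names.
    'resolve' is injectable so the logic can be exercised offline."""
    try:
        answer = resolve(dnsbl_name(ip, zone))
    except OSError:
        return False
    return answer.startswith("127.0.0.")


def listed_peers(log_text, zone=DNSBL_ZONE, resolve=socket.gethostbyname):
    """Peers from the log that the DNSBL lists; these go into the set."""
    return [ip for ip in peer_ips(log_text) if is_listed(ip, zone, resolve)]


def ipset_restore_text(ips, set_name=SET_NAME):
    """Input for 'ipset restore'. Apply it with -exist so that an already
    existing set or member is not an error, which keeps re-runs idempotent."""
    lines = ["create %s hash:ip" % set_name]
    lines += ["add %s %s" % (set_name, ip) for ip in ips]
    return "\n".join(lines) + "\n"


def apply_and_persist(restore_text, path=PERSIST_PATH):
    """Load the text into the live kernel set and save it where an init
    script can 'ipset restore -exist <' it after a reboot. Returns ipset's exit code."""
    with open(path, "w") as f:
        f.write(restore_text)
    proc = subprocess.Popen(["ipset", "restore", "-exist"], stdin=subprocess.PIPE)
    proc.communicate(restore_text.encode())
    return proc.returncode


if __name__ == "__main__":
    # On a real host read /var/log/exim4/mainlog instead of SAMPLE_LOG and
    # hand the result to apply_and_persist(); run this from cron, not per connection.
    print(ipset_restore_text(listed_peers(SAMPLE_LOG)), end="")
```

Run it from cron every few minutes rather than per connection (note 3 above): each
DNSBL lookup is a network round trip, and the kernel does the per-packet matching
once the address is in the set. The restore file uses the same line format `ipset
save` produces, so `ipset save DDOS` can also regenerate it.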


On Wed, Feb 25, 2015 at 12:23 PM, johnny bowen <[email protected]> wrote:

> http://shorewall.net/ipsets.html
>
> On Wed, Feb 25, 2015 at 12:22 PM, johnny bowen <[email protected]> wrote:
>
>> You could use ipsets for this.
>>
>> #blrules
>> DROP    net:+badpeople    all
>>
>> #init
>> ipset destroy -quiet badpeople
>> ipset restore -exist < /etc/shorewall/ipsetlists/badpeople
>>
>>
>>
>>
>> On Tue, Feb 24, 2015 at 1:48 AM, Eduardo Diaz - Gmail <[email protected]
>> > wrote:
>>
>>> Hi to all, I am fighting a DDOS based on SMTP mail.
>>>
>>> I am using Debian 7.7 x86 and Shorewall-4.5.5.3
>>>
>>> I am getting errors in my domain from hosts trying to send mail every second or
>>> more.
>>>
>>> 2015-02-24 10:25:21 H=([58.187.161.220]) [58.187.161.220] sender verify
>>> fail for <[email protected]>: Unrouteable address
>>> 2015-02-24 10:25:21 H=([58.187.161.220]) [58.187.161.220] F=<
>>> [email protected]> rejected RCPT <[email protected]>:
>>> Sender verify failed
>>> 2015-02-24 10:25:21 unexpected disconnection while reading SMTP command
>>> from ([58.187.161.220]) [58.187.161.220] (error: Connection reset by peer)
>>>
>>>
>>> At the beginning I used fail2ban to ban the concurrent connections, but the bad
>>> people learned not to make the same connection more than once. :-(
>>>
>>> All the IP addresses are listed in DNSBLs and I can use a simple script to
>>> test whether this connection is listed in a DNSBL (using an internal program to
>>> cache every IP).
>>>
>>> My intention is:
>>>
>>> On every connection that is made, Shorewall launches the script or the rule; if
>>> it is listed in the DNSBL, drop it; if not, allow it to connect to the mailserver.
>>>
>>> Does Shorewall have this functionality? I searched in the documentation
>>> and I didn't find anything similar, only the blacklist functionality.
>>>
>>> Regards and thanks for the responses.
>>>
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> Dive into the World of Parallel Programming The Go Parallel Website,
>>> sponsored
>>> by Intel and developed in partnership with Slashdot Media, is your hub
>>> for all
>>> things parallel software development, from weekly thought leadership
>>> blogs to
>>> news, videos, case studies, tutorials and more. Take a look and join the
>>> conversation now. http://goparallel.sourceforge.net/
>>> _______________________________________________
>>> Shorewall-users mailing list
>>> [email protected]
>>> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>>>
>>>
>>
>