At 2/7/2014 05:31 PM, Don wrote:
>Hello,
>
>Is there a way to be proactive and block questionable IP addresses before they
>attempt to communicate with my router?
I have done this using ipsets and a script that downloads various blocklists,
however, if my shorewall router and system are set up properly, it probably is
not necessary. The "crunchy on the outside, soft on the inside" model is only
so effective. Today I'm more concerned about detecting malware from internal
user systems.
Here is how I created several blacklist ipsets from sources, depending on what
they are - hash:net or hash:ip, and then use a set of ipsets - list:set and use
that list set in a blocking rule in shorewall.
A download script pulls block lists and converts them into the various types of
ipset rules, dshield being a hash:net, zeus being hash:ip, etc. It generates
something like this:
ipset -exist create blset list:set
ipset flush blset
ipset -exist create dshield hash:net
ipset flush dshield
ipset -exist create zeus hash:ip
ipset flush zeus
...
<add ipset rules for each type>
ipset add dshield 117.41.237.0/24
...
ipset add zeus 103.241.0.100
...
# combine into blacklist set
ipset add blset dshield
ipset add blset zeus
...
The script to generate the above can run via cron, and then run the generated
file:
echo "Generating ipset '$IPSET' in file '$IPSET_FILE'"
# start file
echo "# Blacklist ipset $IPSET" > $IPSET_FILE
chmod +x $IPSET_FILE
# append to file
echo "ipset -exist create $IPSET list:set" >> $IPSET_FILE
echo "ipset flush $IPSET" >> $IPSET_FILE
echo "ipset -exist create dshield hash:net" >> $IPSET_FILE
echo "ipset flush dshield" >> $IPSET_FILE
echo "ipset -exist create zeus hash:ip" >> $IPSET_FILE
echo "ipset flush zeus" >> $IPSET_FILE
...
# dshield
echo "Getting dshield.org block list for $IPSET_FILE"
echo "# http://feeds.dshield.org/block.txt"; >> $IPSET_FILE
wget -q -O - http://feeds.dshield.org/block.txt |\
awk '/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.0\t/ { print "ipset add dshield "
$1 "/" $3;}' >> $IPSET_FILE
# zeus
echo "Getting zeustracker.abuse.ch block list"
echo "# zeustracker.abuse.ch" >> $IPSET_FILE
wget -q -O - http://www.abuse.ch/zeustracker/blocklist.php?download=ipblocklist
> zeus.txt
awk '/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/ { print "ipset add zeus
" $1;}' zeus.txt >> $IPSET_FILE
#echo "Getting spamhouse.org drop list and edrop list"
...
# custom
if [ -e "custom_blacklist" ]; then
echo "add custom ipset files"
cat custom_blacklist >> $IPSET_FILE
fi
echo "ipset add $IPSET dshield" >> $IPSET_FILE
echo "ipset add $IPSET zeus" >> $IPSET_FILE
echo "ipset add $IPSET custom" >> $IPSET_FILE
echo "ipset $IPSET_FILE generated"
In shorewall rules:
# Drop blacklist ipset
DROP:NFLOG(4,0,1) net:+blset all
DROP:NFLOG(4,0,1) all net:+blset
I have a separate log file for black list, hence the NFLOG group 4.
You can create any number of ipsets and dynamically add or remove ip addresses,
or flush individual sets. Note that the ipset has to exist before shorewall
runs for the first time. You can use the save/restore feature in shorewall, or
to be safe I have a create ipset in my netctl if-up.d.
WayneS
------------------------------------------------------------------------------
Managing the Performance of Cloud-Based Applications
Take advantage of what the Cloud has to offer - Avoid Common Pitfalls.
Read the Whitepaper.
http://pubads.g.doubleclick.net/gampad/clk?id=121051231&iu=/4140/ostg.clktrk
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
