Blocking abusive IP addresses using IPTABLES Firewall in Debian

In one of our previous article we have posted an instructional guide on how to secure your Debian/Ubuntu based VPS using IPTABLES/Netfilter.

In the following article we are adding a blacklist to the firewall script which will allow you to block any abusive IP addresses or ranges of IPs in your Debian or Ubuntu based virtual server.

What is iptables?

It is is a user space application program that allows a system administrator to configure the tables provided by the Linux kernel firewall (implemented as different Netfilter modules) and the chains and rules it stores.

Before proceeding any further, make sure you read the article on how to secure/design the firewall in your linux vps. This includes:

Flushing the old firewall rules
Determining service ports
Setting-up default policies
Setting-up your firewall rules
Saving your firewall rules
BLOCKING IPs USING IPTABLES
To block some abusive IP address or range of IPs, you can use the following iptables rules:
## iptables -I INPUT -s 1.2.3.4 -j DROP
## iptables -I INPUT -s 1.2.0.0/16 -j DROP

CREATING THE BLACKLIST
For better readability and maintenance, it is a good idea to have all abusing IPs in one particular file, for example /etc/blacklist.ips. This way, you can add the IP addresses or subnets in this file (one IP or subnet per line) and use the fwall-rules script below to block anything listed in this file.

So, create or edit /usr/local/bin/fwall-rules and make it as follows:

#!/bin/bash
#
# iptables firewall script
# http://www.rosehosting.com
#

IPTABLES=/sbin/iptables
BLACKLIST=/etc/blacklist.ips

echo ” * flushing old rules”
${IPTABLES} –flush
${IPTABLES} –delete-chain
${IPTABLES} –table nat –flush
${IPTABLES} –table nat –delete-chain

echo ” * setting default policies”
${IPTABLES} -P INPUT DROP
${IPTABLES} -P FORWARD DROP
${IPTABLES} -P OUTPUT ACCEPT

echo ” * allowing loopback devices”
${IPTABLES} -A INPUT -i lo -j ACCEPT
${IPTABLES} -A OUTPUT -o lo -j ACCEPT

${IPTABLES} -A INPUT -p tcp ! –syn -m state –state NEW -j DROP
${IPTABLES} -A INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT

## BLOCK ABUSING IPs HERE ##
#echo ” * BLACKLIST”
#${IPTABLES} -A INPUT -s _ABUSIVE_IP_ -j DROP
#${IPTABLES} -A INPUT -s _ABUSIVE_IP2_ -j DROP

echo ” * allowing ssh on port 5622″
${IPTABLES} -A INPUT -p tcp –dport 5622 -m state –state NEW -j ACCEPT

echo ” * allowing ftp on port 21″
${IPTABLES} -A INPUT -p tcp –dport 21 -m state –state NEW -j ACCEPT

echo ” * allowing dns on port 53 udp”
${IPTABLES} -A INPUT -p udp -m udp –dport 53 -j ACCEPT

echo ” * allowing dns on port 53 tcp”
${IPTABLES} -A INPUT -p tcp -m tcp –dport 53 -j ACCEPT

echo ” * allowing http on port 80″
${IPTABLES} -A INPUT -p tcp –dport 80 -m state –state NEW -j ACCEPT

echo ” * allowing https on port 443″
${IPTABLES} -A INPUT -p tcp –dport 443 -m state –state NEW -j ACCEPT

echo ” * allowing smtp on port 25″
${IPTABLES} -A INPUT -p tcp -m state –state NEW -m tcp –dport 25 -j ACCEPT

echo ” * allowing submission on port 587″
${IPTABLES} -A INPUT -p tcp -m state –state NEW -m tcp –dport 587 -j ACCEPT

echo ” * allowing imaps on port 993″
${IPTABLES} -A INPUT -p tcp -m state –state NEW -m tcp –dport 993 -j ACCEPT

echo ” * allowing pop3s on port 995″
${IPTABLES} -A INPUT -p tcp -m state –state NEW -m tcp –dport 995 -j ACCEPT

echo ” * allowing imap on port 143″
${IPTABLES} -A INPUT -p tcp -m state –state NEW -m tcp –dport 143 -j ACCEPT

echo ” * allowing pop3 on port 110″
${IPTABLES} -A INPUT -p tcp -m state –state NEW -m tcp –dport 110 -j ACCEPT

echo ” * allowing ping responses”
${IPTABLES} -A INPUT -p ICMP –icmp-type 8 -j ACCEPT

# DROP everything else and Log it
${IPTABLES} -A INPUT -j LOG
${IPTABLES} -A INPUT -j DROP

#
# Block abusing IPs
# from ${BLACKLIST}
#
if [[ -f “${BLACKLIST}” ]] && [[ -s “${BLACKLIST}” ]]; then
echo ” * BLOCKING ABUSIVE IPs”
while read IP; do
${IPTABLES} -I INPUT -s “${IP}” -j DROP
done < <(cat “${BLACKLIST}”) fi # # Save settings # echo ” * SAVING RULES” if [[ -d /etc/network/if-pre-up.d ]]; then if [[ ! -f /etc/network/if-pre-up.d/iptables ]]; then echo -e “#!/bin/bash” > /etc/network/if-pre-up.d/iptables
echo -e “test -e /etc/iptables.rules && iptables-restore -c /etc/iptables.rules” >> /etc/network/if-pre-up.d/iptables
chmod +x /etc/network/if-pre-up.d/iptables
fi
fi

iptables-save > /etc/fwall.rules
iptables-restore -c /etc/fwall.rules

make sure the script is executable by adding an ‘x’ bit to it:
chmod +x /usr/local/bin/fwall-rules
APPLYING THE RULES
To apply the firewall rules and block the abusers, you need to just execute the fwall-rules script and that’s it.

## fwall-rules
* flushing old rules
* setting default policies
* allowing loopback devices
* allowing ssh on port 5622
* allowing ftp on port 21
* allowing dns on port 53 udp
* allowing dns on port 53 tcp
* allowing http on port 80
* allowing https on port 443
* allowing smtp on port 25
* allowing submission on port 587
* allowing imaps on port 993
* allowing pop3s on port 995
* allowing imap on port 143
* allowing pop3 on port 110
* allowing ping responses
* BLOCKING ABUSIVE IPs
* SAVING RULES

[download id=”8″]

评论

发表评论

此博客中的热门博文

FreeBSD安装Pure-FTPd及user manager for PureFTPd

1、首先安装需要配置好apache2/mysql/php等服务!前面有过笔记。 2、安装pure-ftpd cd /usr/ports/ftp/pure-ftpd/ make with_language=simplified-chinese install clean;rehash 安装时,会有选择项;勾选: MYSQL Support for users in mysql database PRIVSEP Enable privileges separation PERUSERLIMITS Per-user concurrency limits THROTTLING Bandwidth throttling BANNER Show pure-ftpd welcome upon session start UTF8 Support for charset conversion (expreimental) 安装完成后 添加pureftpd_enable=”YES”到/etc/rc.conf文件中。 3、创建MySQL数据库,登陆mysql INSERT INTO mysql.user (Host, User, Password, Select_priv, Insert_priv, Update_priv, Delete_priv, Create_priv, Drop_priv, Reload_priv, Shutdown_priv, Process_priv, File_priv, Grant_priv, References_priv, Index_priv, Alter_priv, ssl_cipher, x509_issuer, x509_subject) VALUES(‘localhost’,’ftp’,PASSWORD(‘tmppasswd’),’Y’,’Y’,’Y’,’Y’,’N’,’N’,’N’,’N’,’N’,’N’,’N...
阅读全文

debian lighttpd php ssl

图片
apt update && sudo apt upgrade   apt-get install lighttpd   安装完成后,启动并启用该服务。 systemctl start lighttpd systemctl enable lighttpd apt-get install php php-cgi php-fpm php-mysql  nano /etc/php/*/fpm/php.ini  进行以下更改: cgi.fix_pathinfo=1(可将参数改为0)  file_uploads = On  upload_max_filesize = 100M  allow_url_fopen = On  short_open_tag = On  memory_limit = 256M  max_execution_time = 360  date.timezone = Africa/Nairobi  一旦进行了所需的更改,您需要将 Lighttpd 配置为使用 PHP-FPM 而不是默认的 PHP-CGI  进行以下更改: nano /etc/php/7.4/fpm/pool.d/www.conf listen = /run/php/php-fpm.sock  改为  listen = 127.0.0.1:9000  systemctl restart php*-fpm.service    现在修改 Lighttpd 配置以使用 PHP-FPM。  sudo vim /etc/lighttpd/conf-available/15-fastcgi-php.conf 在打开的文件中, 进行以下更改: 将  "bin-path" => "/usr/bin/php-cgi",  "socket" => "/var/run/lighttpd/php.socket",  改为  "host" => "127.0.0.1",  "port" => "9000",...
阅读全文

解决nginx出现File not found的问题

使用php-fpm解析PHP,”No input file specified”,”File not found”是令nginx新手头疼的常见错误,原因是php-fpm进程找不到SCRIPT_FILENAME配置的要执行的.php文件,php-fpm返回给nginx的默认404错误提示。 比如我的网站doucument_root下没有test.php,访问这个文件时通过抓包可以看到返回的内容。   HTTP/1.1 404 Not Found Date: Fri, 21 Dec 2012 08:15:28 GMT Content-Type: text/html Proxy-Connection: close Server: nginx/1.2.5 X-Powered-By: PHP/5.4.7 Via: 1.1 c3300 (NetCache NetApp/6.0.7) Content-Length: 16   File not found.   很多人不想用户直接看到这个默认的404错误信息,想自定义404错误. 给出解决办法前我们来先分析下如何避免出现这类404错误,然后再说真的遇到这种情况(比如用户输入一个错误不存在的路径)时该怎么办,才能显示自定义的404错误页。 一、错误的路径被发送到php-fpm进程 出现这类错误,十个有九个是后端fastcgi进程收到错误路径(SCRIPT_FILENAME),而后端fastcgi收到错误路径的原因大都是配置错误。   常见的nginx.conf的配置如下: server { listen [::]:80; server_name example.com www.example.com; access_log /var/www/logs/example.com.access.log;   location / { root /var/www/example.com; index index.html index.htm index.pl; }   location /images { autoindex on; }   location ~ \.php$ { fastcgi_pass 127.0.0.1:...
阅读全文