I thought I had the idea of how to add an IP to be dropped like iptables but after some further reading, I am not sure.
I add IPs to iptables that I find are trying to hack into or abuse the system by using a script to examine log files and compile a list of IPs and add them to iptables. Of course that requires a restart of iptables for the new rules to take effect.
I thought I could add the IPs to the DROP zone as sources. That apparently is not what I should do. That leaves me with what I should do and can it be done.
I have over 8000 host IPs that I drop using:
-A INPUT -s 222.221.2.210 -j DROP
-A INPUT -s 222.221.12.13 -j DROP
-A INPUT -s 222.221.12.104 -j DROP
-A INPUT -s 222.221.88.88 -j DROP
How do I drop connections to hosts that have abused the privilege of connecting to a service?
I was using
for i in `grep DROP iptables | awk '{print $4}' | sort -n -t. -k1,1 -k2,2 -k3,3 -k4,4`
do
    firewall-cmd --permanent --zone=drop --add-source=${i}/32
done
That is extremely slow by the way since two files are written for each add. Took a long time to add 8000+ records. It would be nice to have a batch mode to do multiple inserts.
The public zone is still default. The network interface is in zone home and my VPN connection is in zone work.
Any guidance is greatly appreciated.
John
On 08/21/2013 11:07 PM, John Griffiths wrote:
I thought I had the idea of how to add an IP to be dropped like iptables but after some further reading, I am not sure.
I add IPs to iptables that I find are trying to hack into or abuse the system by using a script to examine log files and compile a list of IPs and add them to iptables. Of course that requires a restart of iptables for the new rules to take effect.
I thought I could add the IPs to the DROP zone as sources. That apparently is not what I should do. That leaves me with what I should do and can it be done.
You can bind IP addresses to the drop zone. But with lots of IP addresses this will result in a performance hit.
Therefore I would propose to use an ipset for this.
Create an ipset and add all IP addresses to it. Then add a permanent direct rule to the firewall to DROP these. The performance hit should be much lower (I have not tested it with that many entries, though).
Here are some steps to get this working for you. Please modify as needed.
1) Create droplist shell script in /usr/local/bin and add IP addresses to the droplist ipset:
cat > /usr/local/bin/droplist.sh <<'EOF'
#!/bin/bash
# Create or destroy the "droplist" ipset.
# The heredoc delimiter is quoted ('EOF') so that $1, $? and $RETVAL
# reach the script unexpanded instead of being substituted while the
# file is written.

case "$1" in
    start)
        echo "Create droplist"
        /sbin/ipset create droplist hash:ip hashsize 4096
        RETVAL=$?
        # Add IP addresses here (see examples below)...
        ################################################
        /sbin/ipset add droplist 192.168.0.5
        /sbin/ipset add droplist 192.168.0.6
        ################################################
        ;;
    stop)
        echo "Destroy droplist"
        /sbin/ipset destroy droplist
        RETVAL=$?
        ;;
    *)
        echo "Usage: $0 {start|stop}" >&2
        RETVAL=2
        ;;
esac

exit $RETVAL
EOF

chmod ug+rx /usr/local/bin/droplist.sh
2) Create the service to create the droplist before firewalld starts:
cat > /etc/systemd/system/droplist.service <<EOF
[Unit]
Description=Droplist
Before=firewalld.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/local/bin/droplist.sh start
ExecStop=/usr/local/bin/droplist.sh stop

[Install]
WantedBy=basic.target
EOF
3) Use the droplist permanently in firewalld. A firewalld reload is needed to activate it (firewall-cmd --reload):
cat > /etc/firewalld/direct.xml <<EOF
<?xml version="1.0" encoding="utf-8"?>
<direct>
  <rule ipv="ipv4" table="filter" chain="INPUT" priority="0">-m set --match-set droplist src -j DROP</rule>
</direct>
EOF
Please remember that you cannot destroy a set that is in use by the firewall. Also, if a set is needed in a rule, the set has to be created before the rule can be added to the firewall. But you can add entries to and remove entries from the set while it is in use already. It is not possible to mix IPv4 and IPv6 addresses in a set; use one set for IPv4 and another one for IPv6 instead. Please have a look at the ipset man page. If you are also using network addresses, please use hash:net.
As firewalld is not able to handle ipsets itself, you have to make sure that the ipset you want to use in the firewall is created before firewalld starts, otherwise adding the rule using the set will fail. ipset does not provide an init or systemd service at the moment.
You can add permanent direct rules with firewalld version 0.3.4 with the direct.xml file in /etc/firewalld. The D-Bus interface for permanent direct rules has been in the GIT repo for some days now, and the command line support and UI stuff will be there soon.
BTW: The addition of address sets is on my TODO list for rich language, but this will most likely take some time.
firewalld-users mailing list firewalld-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/firewalld-users
Regards, Thomas
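The steps above add entries to the set one "ipset add" at a time. As an added example that is not part of Thomas's message and not code from firewalld or ipset, here is a shell script that turns an iptables rule dump of John's form ("-A INPUT -s a.b.c.d -j DROP") into an "ipset restore" file, so the whole droplist loads in a single call instead of one firewall-cmd run per address. The sample rule lines are constructed, and the file name /etc/sysconfig/droplist.restore in the comments is an assumption; only the rule shape shown in the thread is converted.

```shell
#!/bin/sh
# Added example, not code from the thread: convert an iptables rule dump
# such as John's
#   -A INPUT -s 222.221.2.210 -j DROP
# into an "ipset restore" batch for the droplist set from Thomas's steps.
# One "ipset restore" call loads every entry in a single pass; that is the
# batch mode John was missing with one firewall-cmd call per address.

# rules_to_ipset [SETNAME] [HASHSIZE]
# Reads iptables rules on stdin and prints an ipset restore script.
# Only rules of the exact shape "-A INPUT -s <IPv4>[/32] -j DROP" are
# converted. Other rules, malformed addresses and networks (a network
# would need a hash:net set, as Thomas notes) are skipped, and duplicates
# are collapsed so the restore does not fail on a repeated entry.
rules_to_ipset() {
    sname="${1:-droplist}"
    hsize="${2:-4096}"
    printf 'create %s hash:ip family inet hashsize %s\n' "$sname" "$hsize"
    awk -v sname="$sname" '
        $1 == "-A" && $2 == "INPUT" && $3 == "-s" && $5 == "-j" && $6 == "DROP" {
            ip = $4
            sub(/\/32$/, "", ip)            # -s 1.2.3.4/32 is the same host
            if (split(ip, o, ".") != 4) next
            ok = 1
            for (i = 1; i <= 4; i++) {
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) ok = 0
            }
            if (!ok || (ip in seen)) next
            seen[ip] = 1
            print "add " sname " " ip
        }'
}

# Constructed sample input standing in for /etc/sysconfig/iptables:
# one /32, one duplicate, one invalid octet, one network, one non-DROP rule.
SAMPLE_RULES='-A INPUT -s 222.221.2.210 -j DROP
-A INPUT -s 222.221.12.13/32 -j DROP
-A INPUT -s 222.221.12.13 -j DROP
-A INPUT -s 222.221.12.104 -j DROP
-A INPUT -s 999.1.1.1 -j DROP
-A INPUT -s 10.0.0.0/8 -j DROP
-A INPUT -s 222.221.88.88 -j DROP
-A INPUT -p tcp --dport 22 -j ACCEPT'

# Number of "add" lines produced for the sample (4: the four valid hosts).
sample_add_count() {
    printf '%s\n' "$SAMPLE_RULES" | rules_to_ipset droplist 4096 | grep -c '^add '
}

# Print the batch for the sample. Real use (paths assumed):
#   rules_to_ipset < /etc/sysconfig/iptables > /etc/sysconfig/droplist.restore
#   ipset -exist -file /etc/sysconfig/droplist.restore restore
printf '%s\n' "$SAMPLE_RULES" | rules_to_ipset droplist 4096
```

After loading the file with "ipset -exist restore", "ipset list droplist" shows the header and the entry count, and "ipset test droplist 222.221.2.210" confirms a single address is present. Because the set lives in the kernel, later "ipset add" or "ipset del" calls take effect immediately; only the direct rule that references the set needs the firewall-cmd --reload.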
Thomas,
Thank you.
ipsets are new to me as well.
iptables was fairly straight forward.
I know that Fedora is a somewhat bleeding edge distribution, but it seems sometimes things are changed just for the sake of change. I am a great believer in "if it isn't broken, don't fix it." Oh well, it is what it is. And I am grateful to all who do the hard work in the Fedora community. I contribute as I can.
Just to clarify, I could add IPs to the drop zone with my network interface in the home or work or some other zone and the drop zone would be checked first and any sources found in the drop zone would be disconnected before hitting the other zones. That is, if ssh is enabled in home and a host in the drop zone tried to connect using ssh, the host would not be able to connect. Is that correct?
Also another bit of clarification: you state that the ipset can be modified while in use by firewalld. Do I understand correctly that if I create an ipset and add a rule to firewalld to drop the IPs in the ipset, and I add or delete an IP in the ipset while firewalld is using it, firewalld will start or stop dropping the IP without having to reload firewalld?
Sorry if I am a bit in need of hand-holding, but we are talking about the security of a server. Right now I am working on the inactive server, but I want to have a better understanding before I use firewalld on a live server.
A suggestion would be to make note of all the noob questions like mine and add or change the documentation to make the points more clear.
Thanks, John
On 08/22/2013 02:50 PM, Thomas Woerner wrote:
You can bind IP addresses to the drop zone. But with lots of IP addresses this will result in a performance hit.
Therefore I would propose to use an ipset for this.
Create an ipset and add all IP addresses to it. Then add a permanent direct rule to the firewall to DROP these. The performance hit should be much lower (I have not tested it with that many entries, though).
On Thursday, August 22, 2013 07:01:32 PM John Griffiths wrote:
Thomas,
Thank you.
IPSETS are new to me to as well.
They were new to me a few weeks back as well. I am using the following systemd unit to initialize my ipsets at boot, and save any changes at shutdown for the next boot. This unit file won't create the initial ipsets, you kind of need to do that manually, then issue
/usr/sbin/ipset -file /etc/sysconfig/ipset.save save
after you have the rules you want so you have a starting set. After that, this service takes care of the rest. If you want to add an IP address to the set, do so via the normal ipset routine and it will be preserved for the next reboot.
# /usr/lib/systemd/system/ipset.service
[Unit]
Description=ipset - IP set restore & save
Documentation=man:ipset(8)
Before=network.target firewalld.service iptables.service ip6tables.service
ConditionFileNotEmpty=/etc/sysconfig/ipset.save

[Service]
Type=oneshot
ExecStart=/usr/sbin/ipset -exist -file /etc/sysconfig/ipset.save restore
ExecStop=/usr/sbin/ipset -file /etc/sysconfig/ipset.save save
RemainAfterExit=yes
StandardOutput=journal+console
UMask=0177

[Install]
WantedBy=basic.target
And I use the following in /etc/firewalld/direct.xml to insert the proper iptables rules which use the ipsets I created. For now, I am only using ipsets to blacklist some pain in the butt scanners:
<?xml version="1.0" encoding="utf-8"?>
<direct>
  <!-- IPset Blacklisting -->
  <chain ipv="ipv4" table="raw" chain="PREROUTING_blacklist"/>
  <passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -m limit --limit 3/min -j LOG --log-prefix BLACKLIST_DROP: --log-level 6</passthrough>
  <passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -j DROP</passthrough>
  <passthrough ipv="ipv4">-t raw -A PREROUTING -m set --match-set blacklist src -j PREROUTING_blacklist</passthrough>
  <chain ipv="ipv6" table="raw" chain="PREROUTING_blacklist"/>
  <passthrough ipv="ipv6">-t raw -A PREROUTING_blacklist -m limit --limit 3/min -j LOG --log-prefix BLACKLIST_DROP: --log-level 6</passthrough>
  <passthrough ipv="ipv6">-t raw -A PREROUTING_blacklist -j DROP</passthrough>
  <passthrough ipv="ipv6">-t raw -A PREROUTING -m set --match-set blacklist src -j PREROUTING_blacklist</passthrough>
</direct>
Also for clarification, I've created two ipsets which I join in an ipset list:
'blacklist_ipv4' and 'blacklist_ipv6' are joined into the 'blacklist' ipset, which simplifies the above iptables rules to only have to check the 'blacklist' superset.
I hope to extend this feature in the future by dynamically adding and removing addresses from the ipset by using the 'timeout' parameter, but I need to investigate that further.
For quick reference, to create your *initial* empty ipsets as above, you can issue the following commands:
ipset create blacklist_ipv6 hash:net family inet6
ipset create blacklist_ipv4 hash:net family inet
ipset create blacklist list:set size 8
ipset add blacklist blacklist_ipv4
ipset add blacklist blacklist_ipv6
Then do...
ipset -file /etc/sysconfig/ipset.save save
systemctl enable ipset.service
I know it seems like a lot, but this revolutionized the crazy Bash scripts I was using before, which worked well, but required a lot of startup time and were less manageable.
I hope this helps. I do look forward to ipset functionality being built into firewalld soon ;)
-A
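Anthony mentions using the ipset "timeout" parameter to add and expire addresses dynamically. As an added example, not Anthony's code and not part of firewalld or ipset, here is a shell script that does that for his two-set layout: it counts failed sshd logins per source in a syslog-style log and prints one "ipset -exist add ... timeout N" command per offender, routing IPv6 literals to blacklist_ipv6 and everything else to blacklist_ipv4. It assumes both sets were created with timeout support (for example "ipset create blacklist_ipv4 hash:net family inet timeout 0", and likewise for inet6), which differs from the create lines above; a set created without "timeout" rejects timed adds. The log lines are constructed, not a real capture, and the threshold and ban length are parameters.

```shell
#!/bin/sh
# Added example, not Anthony's code: feed his blacklist_ipv4 / blacklist_ipv6
# sets from an sshd log, using the per-entry "timeout" he mentions so that
# bans expire on their own. Assumes both sets were created with timeout
# support ("ipset create blacklist_ipv4 hash:net family inet timeout 0",
# likewise family inet6 for blacklist_ipv6). The "blacklist" list:set
# superset needs no change, since it is consulted live.

# ban_commands [THRESHOLD] [TIMEOUT_SECONDS]
# Reads syslog-style OpenSSH lines on stdin, counts "Failed password"
# attempts per source address and prints one "ipset -exist add" command
# for every source at or above THRESHOLD. Commands are printed, not run,
# so the result can be reviewed first; pipe the output to sh to apply it.
ban_commands() {
    thr="${1:-3}"
    ttl="${2:-86400}"
    awk -v thr="$thr" -v ttl="$ttl" '
        /sshd\[[0-9]+\]: Failed password for / && match($0, / from [0-9A-Fa-f.:]+ port /) {
            # matched text is " from <addr> port "; strip the 6 chars at each end
            src = substr($0, RSTART + 6, RLENGTH - 12)
            fails[src]++
        }
        END {
            for (src in fails) {
                if (fails[src] < thr) continue
                # IPv6 literals contain a colon; they belong in the inet6 set
                sname = index(src, ":") ? "blacklist_ipv6" : "blacklist_ipv4"
                printf "ipset -exist add %s %s timeout %d\n", sname, src, ttl
            }
        }'
}

# Constructed sample log (not a real capture): 203.0.113.5 and 2001:db8::1
# reach the threshold of 3, 198.51.100.7 does not, the Accepted line is ignored.
SAMPLE_AUTHLOG='Aug 23 01:02:03 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 4242 ssh2
Aug 23 01:02:05 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 4242 ssh2
Aug 23 01:02:07 host sshd[1234]: Failed password for root from 203.0.113.5 port 4243 ssh2
Aug 23 01:03:00 host sshd[1240]: Failed password for john from 198.51.100.7 port 5100 ssh2
Aug 23 01:04:10 host sshd[1250]: Failed password for invalid user test from 2001:db8::1 port 6000 ssh2
Aug 23 01:04:12 host sshd[1250]: Failed password for invalid user test from 2001:db8::1 port 6000 ssh2
Aug 23 01:04:14 host sshd[1250]: Failed password for invalid user test from 2001:db8::1 port 6001 ssh2
Aug 23 01:05:00 host sshd[1260]: Accepted publickey for john from 192.0.2.10 port 5200 ssh2'

# Commands for the sample with threshold 3 and a one-day ban (two lines).
sample_bans() {
    printf '%s\n' "$SAMPLE_AUTHLOG" | ban_commands 3 86400
}

# Real use, e.g. from a timer:
#   journalctl -u sshd --since "1 hour ago" -o short | ban_commands 5 86400 | sh
sample_bans
```

Because the entries carry their own timeout, nothing has to remove them later, and the PREROUTING raw-table rules above start dropping a source the moment the add runs. A host in the list:set superset is matched regardless of which family set it sits in, so the direct.xml rules do not change.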
Anthony,
Thank you.
John
On 08/22/2013 09:19 PM, Anthony Messina wrote:
They were new to me a few weeks back as well. I am using the following systemd unit to initialize my ipsets at boot, and save any changes at shutdown for the next boot. This unit file won't create the initial ipsets, you kind of need to do that manually, then issue
On 08/23/2013 01:01 AM, John Griffiths wrote:
Just to clarify, I could add IPs to the drop zone with my network interface in the home or work or some other zone and the drop zone would be checked first and any sources found in the drop zone would be disconnected before hitting the other zones. That is, if ssh is enabled in home and a host in the drop zone tried to connect using ssh, the host would not be able to connect. Is that correct?
If a source address is bound to a zone, this will be checked first. Other zones are checked later on if the packet has not been dropped or rejected in that zone.
If you have source address ranges and also sub-areas and single addresses from these ranges, then this is currently not solved completely. This is something we have to work on to get this properly ordered also: deny, then allow. At the moment this is first added, first served.
Also another bit of clarification: you state that the ipset can be modified while in use by firewalld. Do I understand correctly that if I create an ipset and add a rule to firewalld to drop the IPs in the ipset, and I add or delete an IP in the ipset while firewalld is using it, firewalld will start or stop dropping the IP without having to reload firewalld?
Yes, the ipset is used in netfilter (kernel) directly. If you modify the set the change is effective immediately. Without the need of any change to or by firewalld.
Sorry if I am being a bit in need of hand holding, but we are talking about the security of a server. Right now I am working on the inactive server, but I want to have a better understanding before I use firewalld on a live server.
No problem, you are welcome.
A suggestion would be to make note of all the noob questions like mine and add or change the documentation to make the points more clear.
Yes, that is a very good idea.
Thanks, John
Regards, Thomas