
#1 2011-11-21 17:17:02

drcouzelis
Member
From: Connecticut, USA
Registered: 2009-11-09
Posts: 4,092

Best way to block a large list of IP addresses

I'm in the process of taking further steps to protect my home Web / SSH server from malicious attacks. The next thing I'd like to try doing is block a large list of known malicious IP addresses that I have listed in a text file.

I followed the Arch Wiki and set up a simple stateful firewall using iptables, but now I'm a bit stuck...

I tried using a little bash script to tell iptables to block all of the addresses in the list. It seemed clunky since it takes about 30 seconds for the script to run. Also, I'm not even sure where the best place would be to run the script in Arch Linux.

I considered saving all of those blocked IP addresses in my actual iptables settings file, but I feel that would make it difficult for me to easily download and use a new list of malicious IP addresses.

I looked into some other firewall applications. None of them seem to have the simplicity of iptables, but I may just be uneducated on the topic.

So... Does anyone have a suggestion for easily blocking a large list of malicious IP addresses on my home server? Is it feasible to do with iptables? Should I use a different firewall application? Is it even worth it, security-wise, to block these addresses?

Thank you.


#2 2011-11-21 18:03:23

dodo3773
Member
Registered: 2011-03-17
Posts: 818

Re: Best way to block a large list of IP addresses

drcouzelis wrote:

I'm in the process of taking further steps to protect my home Web / SSH server from malicious attacks. The next thing I'd like to try doing is block a large list of known malicious IP addresses that I have listed in a text file.

I followed the Arch Wiki and set up a simple stateful firewall using iptables, but now I'm a bit stuck...

I tried using a little bash script to tell iptables to block all of the addresses in the list. It seemed clunky since it takes about 30 seconds for the script to run. Also, I'm not even sure where the best place would be to run the script in Arch Linux.

I considered saving all of those blocked IP addresses in my actual iptables settings file, but I feel that would make it difficult for me to easily download and use a new list of malicious IP addresses.

I looked into some other firewall applications. None of them seem to have the simplicity of iptables, but I may just be uneducated on the topic.

So... Does anyone have a suggestion for easily blocking a large list of malicious IP addresses on my home server? Is it feasible to do with iptables? Should I use a different firewall application? Is it even worth it, security-wise, to block these addresses?

Thank you.

Use iplist / ipblock. I have been using it for some time for this exact reason. It uses iptables as its back end, I am pretty sure. It has a pretty decent log too. Make sure to convert your lists after configuration with "ipblock -c" and they will load a lot faster.


#3 2011-11-21 19:28:50

R00KIE
Forum Fellow
From: Between a computer and a chair
Registered: 2008-09-14
Posts: 4,734

Re: Best way to block a large list of IP addresses

You could also use some awk-fu to create an iptables config/save file and load that instead; it will be very fast to create and very fast to load. If you do it properly it will only touch the chain of blocked IPs.


R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K


#4 2011-11-21 22:27:59

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,224

Re: Best way to block a large list of IP addresses


#5 2011-11-22 03:41:33

drcouzelis
Member
From: Connecticut, USA
Registered: 2009-11-09
Posts: 4,092

Re: Best way to block a large list of IP addresses

Thank you for the suggestions. I like how ipset is a software companion to iptables, so I decided to use that.

...and OH BOY has it been hard to grasp. I think I got it, though.

Ok, so I have iptables loaded in my DAEMONS array. I created the directory "/etc/ipset/deny/" which now contains five files filled with lists of naughty IP addresses from here. I then created the script "/etc/ipset/init-deny" like so:

#!/bin/bash

# Create a set of naughty IP addresses (hash:net accepts both single
# addresses and CIDR ranges; -exist makes this safe to run more than once)
ipset create denyset hash:net -exist

# Add the addresses to the set, skipping comment lines and blank lines
for ipaddress in $(grep -h -v -E "^#|^$" /etc/ipset/deny/*); do
   ipset add denyset $ipaddress -exist
done

# Tell iptables to drop all traffic coming from addresses in the set,
# inserting the rule only if an identical one is not already present
iptables -C INPUT -m set --match-set denyset src -j DROP 2>/dev/null ||
   iptables -I INPUT -m set --match-set denyset src -j DROP

and call it from "/etc/rc.local". I think it works. (I can't ping any naughty addresses anymore) I think the only part I couldn't really understand was the match set line: whether I should use "--match-set denyset src" or "--match-set denyset src,dst".

I'd love any more feedback about this setup, especially in regards to where would be the proper place to load the ipset commands. "/etc/rc.local" just feels clunky.

...also, FYI, for some reason the Arch Linux forums IP address (176.9.18.112) is totally in that guy's list of "exploited" IP addresses.

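The two ideas in this thread, R00KIE's "generate a loadable file instead of running one command per address" and drcouzelis' ipset script, combine into the following. This is an added example, not code from the thread or from the ipset project: it turns the list files into ipset's batch format and loads them with a single "ipset restore" (one process instead of one per address, which is where the 30 seconds went), builds the new set under a temporary name and swaps it in atomically so a reload never leaves a window with no blocklist, and inserts the DROP rule only once. The set name, the /etc/ipset/deny directory and the --apply flag are assumptions.

```shell
#!/bin/bash
# Added example: bulk-load a blocklist into an ipset and swap it in atomically.
# Assumed paths and names; adjust to taste.
set -eu

SET_NAME="denyset"
DENY_DIR="/etc/ipset/deny"

# Emit ipset's batch format for the given list files on stdout.
# Comment and blank lines are skipped, surrounding whitespace is trimmed,
# and only "a.b.c.d" or "a.b.c.d/nn" entries are accepted; anything else is
# reported on stderr and dropped rather than loaded blindly.
build_restore_file() {
    set="$1"; shift
    printf 'create %s hash:net -exist\n' "$set"
    printf 'flush %s\n' "$set"
    cat "$@" | grep -v -E '^[[:space:]]*(#|$)' | awk -v set="$set" '
        { sub(/^[[:space:]]+/, ""); sub(/[[:space:]]+$/, "") }
        /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ { print "add " set " " $0; next }
        { print "skipping malformed entry: " $0 > "/dev/stderr" }'
}

# Load the lists into a scratch set, then swap it with the live one.
# "ipset swap" exchanges the contents of two same-typed sets in one step,
# so the rule below keeps matching the old list until the new one is ready.
apply_blocklist() {
    live="$SET_NAME"
    tmp="${SET_NAME}_new"
    build_restore_file "$tmp" "$DENY_DIR"/* | ipset restore
    ipset create "$live" hash:net -exist
    ipset swap "$tmp" "$live"
    ipset destroy "$tmp"
    # "src" matches the packet's source address, which is what an INPUT rule
    # needs for a one-dimensional hash:net set; a matching OUTPUT rule would use
    # "dst". "src,dst" is for two-dimensional sets such as hash:ip,port.
    # -C checks for an identical rule so re-running does not stack duplicates.
    iptables -C INPUT -m set --match-set "$live" src -j DROP 2>/dev/null ||
        iptables -I INPUT -m set --match-set "$live" src -j DROP
}

# Only touch the kernel when explicitly asked (needs root).
if [ "${1:-}" = "--apply" ]; then
    apply_blocklist
fi
```

Run it as root with "--apply" at boot before or after the main firewall rules are loaded; because the DROP rule is inserted at the top of INPUT and checked with -C, the order relative to the stateful rules does not matter and repeated runs are harmless. To preview what would be loaded without touching anything, call build_restore_file on the list files and read its output.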

#6 2011-11-23 03:53:43

drcouzelis
Member
From: Connecticut, USA
Registered: 2009-11-09
Posts: 4,092

Re: Best way to block a large list of IP addresses

I created a new package in the AUR to assist in configuring ipset and documented my solution in the Arch Wiki. You can read about it in this thread: https://bbs.archlinux.org/viewtopic.php?pid=1020194

