Re: NSLU2 web server was attacked by chinese computers, use of iptables

  • reuter.rudolf
    Message 1 of 5 , Mar 3, 2009
      Hello Mario,

      as a first thing, I forgot to mention I am using slugOS 4.8 on my NSLU2.

      Fail2Ban is an interesting program. But it is mainly for SSH use. See
      the docu:
      First of all, remember that Fail2ban is a log parser. It cannot do
      anything before something is written in the log files.
      ... and is mainly looking for password abuse.

      Therefore it would not help in my case.

      Regards, Rudolf

      --- In nslu2-linux@yahoogroups.com, "Mario Ruprecht" <mario@...> wrote:
      >
      > Maybe Fail2Ban could be an alternative to control iptables?
      > http://www.fail2ban.org/wiki/index.php/Main_Page
      >
      > Not sure if it's available for Unslung, though.
      >
      > Cheers, Mario
      >
      > --
      > <http://www.knecht-ruprecht.info/> http://www.knecht-ruprecht.info
      >
      >
      >
      >
      > _____
      >
      > From: nslu2-linux@yahoogroups.com [mailto:nslu2-linux@yahoogroups.com]
      > On Behalf Of reuter.rudolf
      > Sent: Tuesday, March 03, 2009 8:05 AM
      > To: nslu2-linux@yahoogroups.com
      > Subject: [nslu2-linux] NSLU2 web server was attacked by chinese
      > computers, use of iptables
      >
      >
      >
      > HowTo block IP number ranges from input with iptables.
      > Unfortunately kernel-module-ipt-iprange is missing in the slugOS5 feed.
      >
      > My NSLU2 web server (moinmoin Python standalone server) was yesterday
      > attacked by chinese computers (use Reverse DNS), so my web site was no
      > longer available to the public. The IP numbers in the access log of
      > the web server showed in most cases at "reverse DNS" that they come
      > from China. So what to do?
      > Google was my friend and I found under http://www.okean.com a list
      > (china.txt) of IP number ranges (530) from China. Most of the
      > attackers IP numbers could be found in those number ranges. But how to
      > exclude them from web server access?
      > A search in the internet recommended the use of iptables. Up to now I
      > have seen only to exclude single IP numbers from access. Fortunately
      > there is an extension to iptables available "iprange" (kernel-module).
      > What has to be installed:
      > ipkg install iptables
      > ipkg install iptables-utils
      > ipkg install iptables-doc
      > ipkg install kernel-module-ip-tables
      > ipkg install kernel-module-ipt-iprange # missing in SlugOS5
      > depmod -a
      > modprobe ip_tables
      > modprobe ipt-iprange
      > Test:
      > root@LKG95AC9E:~$ lsmod
      > Module Size Used by
      > ipt_iprange 832 529
      > iptable_filter 1472 1
      > ip_tables 9832 1 iptable_filter
      > x_tables 8548 2 ipt_iprange,ip_tables
      >
      > How to define ranges in iptables, example:
      > iptables -A INPUT -m iprange --src-range 58.14.0.0-58.25.255.255 -j DROP
      >
      > You can imagine that it is not very convenient to type 530 lines like
      > the above. So I wrote a little Python script to do the work:
      > #!/usr/bin/env python
      > # use: script to setup iptables with blacklist iprange
      > # 2009-03-02 iptables_blacklist.py, RR
      >
      > blacklist = "china_blacklist.txt"
      > blacklist_sh = "china_blacklist.sh"
      >
      > try:
      >     fbl = open(blacklist, 'r')
      >     fbls = open(blacklist_sh, 'w')
      >     fbls.write("#!/bin/sh\n")
      >     for sline in fbl:
      >         sline = sline.strip()                 # also removes the EOL
      >         if not sline or sline.startswith("#"):  # skip blank lines and comments
      >             continue
      >         sline2 = sline.replace(' - ', '-')    # "a.b.c.d - e.f.g.h" -> "a.b.c.d-e.f.g.h"
      >         sline2 = sline2.replace(' China', '') # drop the country suffix
      >         sline3 = "iptables -I INPUT -m iprange --src-range " + sline2 + " -j DROP"
      >         fbls.write(sline3 + "\n")
      >     fbl.close()
      >     fbls.close()
      > except IOError:
      >     print('File not found: ' + blacklist)
      >
      > After editing the file iptables_blacklist.py either set the execute
      > bits, or call "python iptables_blacklist.py".
      > Then either set the execute bits of "china_blacklist.sh", or call "sh
      > china_blacklist.sh". Test it with:
      > root@LKG95AC9E:~/iptables$ iptables -L
      > Chain INPUT (policy ACCEPT)
      > target prot opt source destination
      > DROP all -- anywhere anywhere source IP
      > range 222.240.0.0-222.249.249.255
      > ...
      >
      > In order to save the iptables settings use "iptables-save
      > >iptables.sav". After that you can restore the parameters with
      > "iptables-restore iptables.sav".
      > What I have not done up to now is to provide a startup script in
      > /etc/init.d.
      >
      > I hope it will help people who are in the same situation like me.
      > Regards, Rudolf
      >
      > p.s. Unfortunately kernel-module-ipt-iprange is missing in the slugOS5
      > feed.
      >
    • Mario Ruprecht
      Message 2 of 5 , Mar 3, 2009
        No, it's not limited to this use case. I know colleagues who are using it to find spammers (email servers in addition to SpamAssassin) or monitoring Apache and FTP log files.
        It can handle more than one service (sshd, apache, vsftpd, etc).
         
        Cheers, Mario

        --
        http://www.knecht-ruprecht.info

         



      • Nick W
        Message 3 of 5 , Mar 3, 2009
          There's an internet blocklist available at dnsbl.  If you just install rsync you can get it by doing something like:-
           
          rsync -az rsync-mirrors.uceprotect.net::RBLDNSD-ALL/dnsbl-3.uceprotect.net
           
          uceprotect.net make available a very simple file for downloading and applying the blocklist by iptables... but I have to admit that it didn't completely work.. so I've modified it..  I've cut it into three parts... a Generic "lockdown" script to keep the server generally safe (Knockd, ssh, lighty, dns, samba compatible),  A "Blocklist_Get" to download the file and "Blocklist_apply" to   insert all the entries into iptables. It uses /var/tmp as a place to shove the blocklist when it downloads it.
           
          It works on Debian, but the apply stage takes a while. Here are my three files... I run them manually, but I see no reason why they can't be cronned.   (assumes eth0 is the network device pointed to the local domain).
           
          I hope they are of some help to you.
           
          All the best,
           
          Nick
           
           
           
           
          ###################################################
          ############ LOCKDOWN ###############################
          ##### Run this after the Slug starts up to close any doors. ###########
          ####################################################
          #Create the blacklist chain
          iptables -N BLACKLIST
          iptables -F BLACKLIST
          #flush and generate input chain.
          iptables -F INPUT
          #Accept the localhost
          iptables -A INPUT -i lo -j ACCEPT
          #Accept any established connections
          iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
          #Accept any name queries from the local domain
          iptables -A INPUT -i eth0 -p tcp --dport 53 -m iprange --src-range 192.168.1.1-192.168.1.254 -j ACCEPT
          iptables -A INPUT -i eth0 -p udp --dport 53 -m iprange --src-range 192.168.1.1-192.168.1.254 -j ACCEPT
          #Accept any FTP / SSH from the local domain
          iptables -A INPUT -i eth0 -p tcp --dport 20:22 -m iprange --src-range 192.168.1.50-192.168.1.60 -j ACCEPT
          #Accept any SMB stuff from the local domain
          iptables -A INPUT -i eth0 -p tcp --dport 137:139 -m iprange --src-range 192.168.1.50-192.168.1.60 -j ACCEPT
          iptables -A INPUT -i eth0 -p tcp --dport 445 -m iprange --src-range 192.168.1.50-192.168.1.60 -j ACCEPT

          #Accept any non-protected port stuff from the local domain
          iptables -A INPUT -i eth0 -p tcp --dport 1024:65535 -m iprange --src-range 192.168.1.50-192.168.1.60 -j ACCEPT
           
          #Accept DHCP requests from inside
          # The router denies DHCP requests from outside! handy, eh?
          iptables -A INPUT -i eth0 -p udp -s 0.0.0.0 --dport 68  -j ACCEPT
          #jump all unknown stuff to the blacklist.
          iptables -A INPUT -j BLACKLIST
          #and when returning, it must be okay, so if it's port 80 accept it.
          iptables -A INPUT -p tcp --dport 80 -j ACCEPT
          #the default is to drop it.
          iptables -P INPUT DROP
          ###################################################

          #!/bin/bash
          #####################################################
          ############ blocklist_get ################################
          ### Run this once a month or so to get the latest blocklist from uceprotect ##
          #####################################################
          IPT=/sbin/iptables
          CHAIN=BLACKLIST
          DEBUG=true
          TMPDIR=/var/tmp
          LOGFILE=/var/log/uce.log
          CMD="rsync -az rsync-mirrors.uceprotect.net::RBLDNSD-ALL/dnsbl-3.uceprotect.net"
          # refuse to run twice at the same time
          if [ `ps -ef | grep $0 | grep -v grep | wc -l` -gt 2 ]; then
              ps -ef | grep $0 | grep -v grep
              echo i am already running
              exit 142
          fi
          # create the chain if it does not exist yet
          $IPT -nL | grep $CHAIN >/dev/null || $IPT -N $CHAIN
          cd $TMPDIR
          # keep the previous copy in case the download fails
          cp dnsbl-3.uceprotect.net dnsbl-3.uceprotect.net.old
          $CMD $TMPDIR >/dev/null || exit 42   # exit codes must be 0-255

          #############################################################

          #!/bin/bash
          #####################################################
          ############ blocklist_apply ################################
          ### Run this after lockdown to apply the latest blocklist.. it takes a while :) ##
          #####################################################
          IPT=/sbin/iptables
          CHAIN=BLACKLIST
          DEBUG=false
          TMPDIR=/var/tmp
          LOGFILE=/var/log/uce.log
          DIFFILE=$TMPDIR/dif$$
          # every line that starts with a digit carries one address in its first field
          for ip in `grep '^[0-9]' $TMPDIR/dnsbl-3.uceprotect.net | cut -d" " -f1`; do
              $DEBUG && echo INIT $ip;
              $IPT -A $CHAIN -s $ip -j DROP
          done
          exit

          #to monitor the stuff:
          #watch -d -n1 'iptables -vnL BLACKLIST | grep -v " 0 DROP" | sort -n | tail -50'
