RE: [nslu2-linux] NSLU2 web server was attacked by chinese computers, use of iptables

  • Nick W
    Message 1 of 5, Mar 3, 2009
      There's an internet blocklist available at dnsbl.  If you just install rsync you can get it by doing something like:-
       
      rsync -az rsync-mirrors.uceprotect.net::RBLDNSD-ALL/dnsbl-3.uceprotect.net
       
      uceprotect.net make available a very simple file for downloading and applying the blocklist by iptables... but I have to admit that it didn't completely work.. so I've modified it..  I've cut it into three parts... a Generic "lockdown" script to keep the server generally safe (Knockd, ssh, lighty, dns, samba compatible), a "Blocklist_Get" to download the file and "Blocklist_apply" to insert all the entries into iptables. It uses /var/tmp as a place to shove the blocklist when it downloads it.
       
      It works on Debian, but the apply stage takes a while. Here are my three files... I run them manually, but I see no reason why they can't be cronned.   (assumes eth0 is the network device pointed to the local domain).
       
      I hope they are of some help to you.
       
      All the best,
       
      Nick
       
       
       
       
      #!/bin/sh
      ###################################################
      ############ LOCKDOWN ###############################
      ##### Run this after the Slug starts up to close any doors. ###########
      ####################################################
      #Create the blacklist chain (the error when it already exists is harmless) and empty it
      iptables -N BLACKLIST 2>/dev/null
      iptables -F BLACKLIST
      #flush and generate input chain.
      iptables -F INPUT
      #Accept the localhost
      iptables -A INPUT -i lo -j ACCEPT
      #Accept any established connections
      iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
      #Accept any name queries from the local domain
      iptables -A INPUT -i eth0 -p tcp --dport 53 -m iprange --src-range 192.168.1.1-192.168.1.254 -j ACCEPT
      iptables -A INPUT -i eth0 -p udp --dport 53 -m iprange --src-range 192.168.1.1-192.168.1.254 -j ACCEPT
      #Accept any FTP / SSH from the local domain
      iptables -A INPUT -i eth0 -p tcp --dport 20:22 -m iprange --src-range 192.168.1.50-192.168.1.60 -j ACCEPT
      #Accept any SMB stuff from the local domain
      iptables -A INPUT -i eth0 -p tcp --dport 137:139 -m iprange --src-range 192.168.1.50-192.168.1.60 -j ACCEPT
      iptables -A INPUT -i eth0 -p tcp --dport 445 -m iprange --src-range 192.168.1.50-192.168.1.60 -j ACCEPT

      #Accept any non-protected port stuff from the local domain
      iptables -A INPUT -i eth0 -p tcp --dport 1024:65535 -m iprange --src-range 192.168.1.50-192.168.1.60 -j ACCEPT

      #Accept DHCP requests from inside
      # The router denies DHCP requests from outside! handy, eh?
      # (note: a client's DISCOVER/REQUEST arrives from 0.0.0.0 on UDP port 67, so use --dport 67 if the Slug is the DHCP server)
      iptables -A INPUT -i eth0 -p udp -s 0.0.0.0 --dport 68  -j ACCEPT
      #jump all unknown stuff to the blacklist.
      iptables -A INPUT -j BLACKLIST
      #and when returning, it must be okay, so if it's port 80 accept it.
      iptables -A INPUT -p tcp --dport 80 -j ACCEPT
      #the default is to drop it.
      iptables -P INPUT DROP
      ###################################################
       
      #!/bin/bash
      #####################################################
      ############ blocklist_get ################################
      ### Run this once a month or so to get the latest blocklist from uceprotect ##
      #####################################################

      IPT=/sbin/iptables
      CHAIN=BLACKLIST
      DEBUG=true
      TMPDIR=/var/tmp
      LOGFILE=/var/log/uce.log
      CMD="rsync -az rsync-mirrors.uceprotect.net::RBLDNSD-ALL/dnsbl-3.uceprotect.net"
      # refuse to start if another copy of this script is still running
      if [ "$(ps -ef | grep "$0" | grep -v grep | wc -l)" -gt 2 ]; then
          ps -ef | grep "$0" | grep -v grep
          echo "i am already running"
          exit 142
      fi
      # create the chain if it is not there yet
      $IPT -nL "$CHAIN" >/dev/null 2>&1 || $IPT -N "$CHAIN"
      cd "$TMPDIR" || exit 1
      # keep the previous copy (cp fails harmlessly on the very first run)
      cp dnsbl-3.uceprotect.net dnsbl-3.uceprotect.net.old 2>/dev/null
      # $CMD is split into words on purpose; exit codes must be 0-255, so 42 rather than -42
      $CMD "$TMPDIR" >/dev/null || exit 42

      #############################################################
       
      #!/bin/bash
      #####################################################
      ############ blocklist_apply ################################
      ### Run this after lockdown to apply the latest blocklist.. it takes a while :) ##
      #####################################################

      IPT=/sbin/iptables
      CHAIN=BLACKLIST
      DEBUG=false
      TMPDIR=/var/tmp
      LOGFILE=/var/log/uce.log
      DIFFILE=$TMPDIR/dif$$
      # start from an empty chain so re-running does not duplicate every rule
      $IPT -F "$CHAIN"
      # entries start with a digit (address or CIDR block); iptables -s accepts both
      for ip in $(grep '^[0-9]' "$TMPDIR/dnsbl-3.uceprotect.net" | cut -d" " -f1); do
          $DEBUG && echo "INIT $ip"
          $IPT -A "$CHAIN" -s "$ip" -j DROP
      done
      exit 0

      #to monitor the stuff (chain names are case-sensitive, so BLACKLIST, not blacklist):
      #watch -d -n1 'iptables -vnL BLACKLIST | grep -v " 0 DROP" | sort -n | tail -50'
       
      To: nslu2-linux@yahoogroups.com
      From: reuterru@...
      Date: Tue, 3 Mar 2009 07:04:37 +0000
      Subject: [nslu2-linux] NSLU2 web server was attacked by chinese computers, use of iptables

      HowTo block IP number ranges from input with iptables.
      Unfortunately kernel-module-ipt-iprange is missing in the slugOS5 feed.

      My NSLU2 web server (moinmoin Python standalone server) was yesterday
      attacked by Chinese computers (use Reverse DNS), so my web site was no
      longer available to the public. The IP numbers in the access log of
      the web server showed in most cases at "reverse DNS" that they come
      from China. So what to do?
      Google was my friend and I found under http://www.okean.com a list
      (china.txt) of IP number ranges (530) from China. Most of the
      attackers' IP numbers could be found in those number ranges. But how to
      exclude them from web server access?
      A search in the internet recommended the use of iptables. Up to now I
      have only seen how to exclude single IP numbers from access. Fortunately
      there is an extension to iptables available, "iprange" (kernel-module).
      What has to be installed:
      ipkg install iptables
      ipkg install iptables-utils
      ipkg install iptables-doc
      ipkg install kernel-module-ip-tables
      ipkg install kernel-module-ipt-iprange # missing in SlugOS5
      depmod -a
      modprobe ip_tables
      modprobe ipt_iprange
      Test:
      root@LKG95AC9E:~$ lsmod
      Module Size Used by
      ipt_iprange 832 529
      iptable_filter 1472 1
      ip_tables 9832 1 iptable_filter
      x_tables 8548 2 ipt_iprange, ip_tables

      How to define ranges in iptables, example:
      iptables -A INPUT -m iprange --src-range 58.14.0.0-58.25.255.255 -j DROP

      You can imagine that it is not very convenient to type 530 lines like
      the above. So I wrote a little Python script to do the work:
      #!/usr/bin/env python
      # use: script to setup iptables with blacklist iprange
      # 2009-03-02 iptables_blacklist.py, RR

      blacklist = "china_blacklist.txt"
      blacklist_sh = "china_blacklist.sh"

      try:
          fbl = open(blacklist, 'r')
      except IOError:
          print('File not found: ' + blacklist)
          raise SystemExit(1)
      fbls = open(blacklist_sh, 'w')
      fbls.write("#!/bin/sh\n")
      for sline in fbl:
          if sline.startswith("#"):  # filter comments
              continue
          sline2 = sline.replace(' - ', '-')   # "a - b" -> "a-b", the form iprange expects
          sline2 = sline2.replace(' China', '')
          sline2 = sline2.strip()              # remove EOL and stray blanks
          if not sline2:                       # skip empty lines, they would give a broken rule
              continue
          sline3 = "iptables -I INPUT -m iprange --src-range "
          sline3 = sline3 + sline2 + " -j DROP"
          fbls.write(sline3 + "\n")
      fbl.close()
      fbls.close()

      After editing the file iptables_blacklist.py either set the execute
      bits, or call "python iptables_blacklist.py".
      Then either set the execute bits of "china_blacklist.sh", or call "sh
      china_blacklist.sh". Test it with:
      root@LKG95AC9E:~/iptables$ iptables -L
      Chain INPUT (policy ACCEPT)
      target prot opt source destination
      DROP all -- anywhere anywhere source IP
      range 222.240.0.0-222.249.249.255
      ...

      In order to save the iptables settings use "iptables-save
      >iptables.sav". After that you can restore the parameters with
      "iptables-restore iptables.sav".
      What I have not done up to now is to provide a startup script in
      /etc/init.d.

      I hope it will help people who are in the same situation as me.
      Regards, Rudolf

      p.s. Unfortunately kernel-module-ipt-iprange is missing in the slugOS5
      feed.
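As an added example (not Nick's or Rudolf's code), here is a Python 3 script that handles both list formats discussed in the thread: it validates every entry with `ipaddress` before it becomes a rule (the script above copies raw file contents straight into a shell script, so a bad or tampered line ends up in the shell), and it emits `iptables-restore` input so the whole BLACKLIST chain is loaded in one kernel commit instead of one `iptables` fork per entry. The sample lists are constructed, and the exact okean.com and rbldnsd line formats are assumed from the descriptions in the thread.

```python
"""Validate blocklist entries and emit an iptables-restore batch for the BLACKLIST chain."""
import ipaddress
import re
# Constructed sample in the okean.com china.txt style (start - end, "China" suffix, comments)
RANGE_LIST = """# china.txt sample (constructed)
58.14.0.0 - 58.25.255.255 China
222.240.0.0 - 222.249.249.255 China
not.an.ip - junk; rm -rf / China
"""
# Constructed sample in the rbldnsd ip4set style assumed for dnsbl-3.uceprotect.net
CIDR_LIST = """$DATASET ip4set dnsbl-3 @
# comment line
1.0.1.0/24
27.8.0.0/13
"""
RANGE_RE = re.compile(r"^\s*(\S+)\s*-\s*(\S+)")

def parse_entries(text):
    """Yield ('range', lo, hi) or ('cidr', net) for valid lines; drop everything else."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "$")):   # comments and rbldnsd directives
            continue
        m = RANGE_RE.match(line)
        try:
            if m:
                lo = ipaddress.IPv4Address(m.group(1))
                hi = ipaddress.IPv4Address(m.group(2))
                if lo > hi:
                    raise ValueError("inverted range")
                yield ("range", str(lo), str(hi))
            else:
                yield ("cidr", str(ipaddress.IPv4Network(line.split()[0], strict=False)))
        except ValueError:
            continue   # unvalidated text never reaches the shell or iptables

def build_restore(text, chain="BLACKLIST"):
    """Return iptables-restore input that refills CHAIN in one kernel commit."""
    lines = ["*filter", ":%s - [0:0]" % chain]   # the :CHAIN line (re)creates and empties it
    for kind, *fields in parse_entries(text):
        if kind == "range":
            lines.append("-A %s -m iprange --src-range %s-%s -j DROP" % (chain, fields[0], fields[1]))
        else:
            lines.append("-A %s -s %s -j DROP" % (chain, fields[0]))
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(build_restore(RANGE_LIST + CIDR_LIST), end="")   # feed to: iptables-restore -n
```

Piping the output into `iptables-restore -n` (noflush) replaces only the BLACKLIST chain and leaves the lockdown script's INPUT rules in place.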



