Monday, April 4, 2016

Loading ipset and iptables on boot in Debian Jessie

As of the time of writing, Debian Jessie does not provide a script to save and load ipset rules.
ipset
-----------------------------------------------------------------------------------------------
Saving ipset rules:
# ipset save
or
# /sbin/ipset save
We follow the Debian wiki's filename convention, https://wiki.debian.org/iptables (i.e. /etc/iptables.up.rules), so the ipset rules go to /etc/ipset.up.rules:
# ipset save > /etc/ipset.up.rules
To save ipset rules to another file:
# ipset save > /root/iptablesrules/ipsetrules.save
To restore ipset rules (-! tells ipset to ignore errors for sets or entries that already exist, so the restore can be repeated safely):
# ipset restore -! < /etc/ipset.up.rules
or
# /sbin/ipset restore -! < /etc/ipset.up.rules
iptables (my version v1.4.21)
-----------------------------------------------------------------------------------------------
Saving iptables rules:
# iptables-save
or
# /sbin/iptables-save
We follow the Debian wiki's filename convention, https://wiki.debian.org/iptables (i.e. /etc/iptables.up.rules):
# iptables-save > /etc/iptables.up.rules
To save iptables rules to another file:
# iptables-save > /root/iptablesrules/iptablesrules.save
Note: the iptables-persistent package saves the rules in these files:

  1. /etc/iptables/rules.v4
  2. /etc/iptables/rules.v6

But we do not use iptables-persistent here.
To restore iptables rules:
# iptables-restore < /etc/iptables.up.rules
or
# /sbin/iptables-restore < /etc/iptables.up.rules
There are a few ways to load ipset and iptables on boot:
  1. Manual init.d configuration (not covered here)
  2. Configuring via ifup, either by:
    1. putting the loader commands in /etc/network/interfaces, or
    2. putting a script in /etc/network/if-pre-up.d/
Option 1:

To use /etc/network/interfaces to load ipset and iptables
Edit /etc/network/interfaces and add the two pre-up lines to the interface stanza, keeping the ipset line first because the iptables rules reference the sets:
....
# The primary network interface
allow-hotplug eth0
iface eth0 inet static
   ...
   pre-up ipset restore -! < /etc/ipset.up.rules
   pre-up iptables-restore < /etc/iptables.up.rules
...
Option 2:

To use a script in /etc/network/if-pre-up.d/ to load ipset and iptables
Create or edit /etc/network/if-pre-up.d/load.rules
#!/bin/sh
/sbin/ipset restore -! < /etc/ipset.up.rules
/sbin/iptables-restore < /etc/iptables.up.rules
Make it executable:
# chmod +x /etc/network/if-pre-up.d/load.rules
Caveat: ifupdown runs the scripts in this directory through run-parts(8), which silently skips file names containing anything other than letters, digits, underscore and hyphen, so a name with a dot such as load.rules is never executed; name the script load-rules (or similar) instead.

Note:
  1. Use only one of the options above.
  2. After adding an IP address to an ipset, don't forget to save it to /etc/ipset.up.rules.
  3. If you use fail2ban, do not put fail2ban rules in /etc/iptables.up.rules. fail2ban configures its own chains automatically, so remove any fail2ban rules from /etc/iptables.up.rules.
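As an added example (mine, not the post's Option 2 script), here is a loader for /etc/network/if-pre-up.d/ that restores ipset before iptables and fails closed if either step fails, so a corrupt or missing rules file does not leave the host without a firewall. It assumes the binaries live under /sbin as on the page, that MODE and IFACE are supplied by ifupdown as documented in interfaces(5), and that tool and rules paths may be overridden through environment variables (which is also how it can be exercised without root); install it under a name without a dot, e.g. load-rules.

```shell
#!/bin/sh
# Added example, not the post's own Option 2 script: an if-pre-up.d loader that
# restores ipset before iptables (the iptables rules reference the sets, so
# iptables-restore fails when they do not exist yet) and fails closed when a
# step fails, instead of silently booting without a firewall.
# Assumed: tool and rules paths can be overridden via environment variables;
# MODE and IFACE are set by ifupdown (interfaces(5)). Install it under a name
# without a dot, e.g. /etc/network/if-pre-up.d/load-rules, or run-parts skips it.
IPSET=${IPSET:-/sbin/ipset}
IPTABLES=${IPTABLES:-/sbin/iptables}
IPTABLES_RESTORE=${IPTABLES_RESTORE:-/sbin/iptables-restore}
IPSET_RULES=${IPSET_RULES:-/etc/ipset.up.rules}
IPTABLES_RULES=${IPTABLES_RULES:-/etc/iptables.up.rules}

log() { logger -t load-rules "$*" 2>/dev/null || true; echo "load-rules: $*" >&2; }

# Last resort: allow loopback and already established traffic, drop the rest,
# so an unreadable or corrupt rules file never leaves the host wide open.
fail_closed() {
  log "applying fail-closed policy: $1"
  "$IPTABLES" -P INPUT DROP && "$IPTABLES" -P FORWARD DROP &&
  "$IPTABLES" -A INPUT -i lo -j ACCEPT &&
  "$IPTABLES" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Returns 0 on success; 2 = rules file unreadable, 3 = ipset restore failed,
# 4 = iptables-restore failed. Every non-zero path has applied fail_closed.
load_rules() {
  for f in "$IPSET_RULES" "$IPTABLES_RULES"; do
    [ -r "$f" ] || { fail_closed "cannot read $f"; return 2; }
  done
  # -! makes "already exists" harmless, so running once per interface is safe;
  # a real parse error in the file still fails.
  if ! "$IPSET" restore -! < "$IPSET_RULES"; then
    fail_closed "ipset restore failed"; return 3
  fi
  if ! "$IPTABLES_RESTORE" < "$IPTABLES_RULES"; then
    fail_closed "iptables-restore failed"; return 4
  fi
  log "ipset and iptables rules loaded for ${IFACE:-unknown interface}"
}

# Only act when ifupdown is bringing a real interface up.
if [ "${MODE:-}" = start ] && [ "${IFACE:-}" != lo ]; then
  load_rules
fi
```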
Distributing ipset across a server farm
These ipset rules can be distributed across your servers. A master ipset can be generated on a honeypot/server and distributed via the web. Run this script after you add or edit ipset rules; it publishes the cleaned rules into your web root directory:
#!/bin/bash
## created by dedetok April 2016
## last update 2016-04-28
## GNU GPL v3
## Disclaimer: experimental, use it at your own risk
# dump the live sets
/sbin/ipset save > /etc/ipset.up.rules
# create a temporary file holding the new ipset rules without the fail2ban sets
if [ -f "/root/bin/ipset.up.rules.new" ] ; then
 rm "/root/bin/ipset.up.rules.new"
fi
touch /root/bin/ipset.up.rules.new
while read -r line; do
 if [[ $line != *"fail2ban"* ]]
 then
  echo "$line" >> /root/bin/ipset.up.rules.new
 fi
done < /etc/ipset.up.rules
# copy the cleaned ipset rules back to /etc/ipset.up.rules
cp /root/bin/ipset.up.rules.new /etc/ipset.up.rules
# publish it into the web root or a user's public_html
#cp /root/bin/ipset.up.rules.new /home/[user]/public_html/ipset.up.rules
cp /root/bin/ipset.up.rules.new /var/www/public_html/ipset.up.rules
Do the following steps on every server in your farm:
  • Save this bash script as /root/unduhgarasiku.sh, or download it. Note that the list is fetched over plain HTTP and applied straight to the firewall, so anyone who can tamper with that connection controls what your servers block; serve it over HTTPS and check the file before loading it.
#!/bin/bash
## created by dedetok April 2016
## last update 2017-05-02
## GNU GPL v3
## Disclaimer: experimental, use it at your own risk
echo "download from http://www.garasiku.web.id/ipset.up.rules into /etc/ipset.up.rules.new"
if wget -O /etc/ipset.up.rules.new http://www.garasiku.web.id/ipset.up.rules; then
 chmod 444 /etc/ipset.up.rules.new
 chown root:root /etc/ipset.up.rules.new
 ## Update the sets; -! ignores "already exists" errors because we want a fresh list
 echo "updating new rules"
 if /sbin/ipset restore -! < /etc/ipset.up.rules.new; then
  echo "Saving new ipset rules into /etc/ipset.up.rules"
  cp /etc/ipset.up.rules.new /etc/ipset.up.rules
  chmod 544 /etc/ipset.up.rules
  chown root:root /etc/ipset.up.rules
 else
  echo "Error, ipset.up.rules is not in ipset format"
  exit 1
 fi
else
 echo "Failed to download ipset.up.rules"
 exit 1
fi
echo "End process"
Old version
#!/bin/bash
## created by dedetok April 2016
## last update 2016-04-15
## GNU GPL v3
## Disclaimer: experimental, use it at your own risk
echo "download from http://www.garasiku.web.id/ipset.up.rules into /etc/ipset.up.rules.new"
wget -O /etc/ipset.up.rules.new http://www.garasiku.web.id/ipset.up.rules
chmod 444 /etc/ipset.up.rules.new
chown root:root /etc/ipset.up.rules.new
## Compare ipset.up.rules vs ipset.up.rules.new: lines only in the new file are
## prefixed "+", lines only in the old file "-" (%L is the line; "$L" was a typo)
echo "updating new rules"
diff --new-line-format="+ %L" --old-line-format="- %L" <(sort /etc/ipset.up.rules) <(sort /etc/ipset.up.rules.new) |
while IFS=' ' read -r r1 r2 r3 r4; do
 ## only "add" lines are synchronised; "create" lines for new sets are ignored
 if [ "$r2" = "add" ]; then
  if [ "$r1" = "+" ]; then
   cmdline="/sbin/ipset $r2 $r3 $r4"
   echo "eval $cmdline"
   eval "$cmdline"
  fi
  ## entries that disappeared upstream are deleted (the marker is in r1, not r2)
  if [ "$r1" = "-" ]; then
   cmdline="/sbin/ipset del $r3 $r4"
   echo "eval $cmdline"
   eval "$cmdline"
  fi
 fi
done
echo "Saving new ipset rules into /etc/ipset.up.rules"
/sbin/ipset save > /etc/ipset.up.rules
echo "End process"
  • Put it into crontab to update ipset.up.rules every day at midnight:
# crontab -e
  • Add this line (you can choose the nano editor):
0 0 * * * /root/unduhgarasiku.sh
  • Save it (you can use the default file name):
File Name to Write: /tmp/crontab.9uLsb5/crontab
  • iptables rules for the server farm
-A INPUT -m set --match-set mynetrules src -j DROP
-A INPUT -p tcp -m multiport --dports 25,465,587,993,995,143,110 -m set --match-set mynetrulessmtp src -j DROP
-A INPUT -p tcp -m multiport --dports 80,443 -m set --match-set mynetruleshttp src -j DROP
-A INPUT -p tcp --dport 22 -m set --match-set mynetrulesssh src -j DROP
-A INPUT -p tcp -m multiport --dports 21,22 -m set --match-set mynetrulesftp src -j DROP
-A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j DROP
or, if you want to limit connections from a class C network to 20 connections:
-A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 20 --connlimit-mask 24 -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m multiport --dports 25,465,587,993,995,143,110 -m connlimit --connlimit-above 8 --connlimit-mask 32 --connlimit-saddr -j DROP
NOTE: don't forget to add your ipset rules to the iptables rules on every server in your farm and make them persistent. I suggest you create the iptables rules on every server individually; do not copy the iptables rules of another server, since every server may need unique iptables rules.
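The download step above trusts whatever the web server returns. As an added example (mine, not the post's scripts), this validates a downloaded ipset save file against an allow-list of set names before it ever reaches ipset restore, and computes the add/del delta that the old version attempted, so entries removed on the master also disappear on the farm. The set names are taken from the page's iptables rules; the allow-list mechanism and the IPv4-only restriction are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Checks a downloaded "ipset save"
# file before "ipset restore" sees it, and computes the add/del delta between
# the live sets and the new file (a plain "ipset restore -!" only ever adds).
# Assumed: set names are allow-listed in ALLOWED_SETS (names from the page's
# iptables rules) and only IPv4 hash:ip / hash:net sets are published.
set -f   # no globbing while untrusted lines are word-split below
ALLOWED_SETS=${ALLOWED_SETS:-"mynetrules mynetrulessmtp mynetruleshttp mynetrulesssh mynetrulesftp"}

set_allowed() {
  for s in $ALLOWED_SETS; do [ "$s" = "$1" ] && return 0; done
  return 1
}

# Accept only "create SET hash:ip|hash:net family inet ..." and
# "add SET IPv4[/prefix] [timeout N]". flush/destroy/swap, unknown sets,
# IPv6 and anything else make the whole file invalid (returns 1).
validate_rules() {
  file=$1 n=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    [ -n "$line" ] || continue
    set -- $line
    set_allowed "$2" || { echo "line $n: set '$2' not allowed" >&2; return 1; }
    case "$1" in
      create)
        case "$3 $4 $5" in "hash:ip family inet"|"hash:net family inet") ;;
          *) echo "line $n: unsupported create '$line'" >&2; return 1 ;; esac ;;
      add)
        printf '%s\n' "$3" | grep -Eq '^([0-9]+\.){3}[0-9]+(/[0-9]+)?$' ||
          { echo "line $n: bad address '$3'" >&2; return 1; }
        case "${4:-timeout} ${5:-0}" in "timeout "[0-9]*) ;;
          *) echo "line $n: unexpected options '$4 $5'" >&2; return 1 ;; esac ;;
      *) echo "line $n: command '$1' not allowed" >&2; return 1 ;;
    esac
  done < "$file"
}

# rules_delta CURRENT NEW prints "add SET ADDR ..." for entries only in NEW and
# "del SET ADDR" for entries only in CURRENT ("ipset save" output), sorted.
rules_delta() {
  awk 'FILENAME == ARGV[1] { if ($1 == "add") cur[$2 " " $3] = 1; next }
       $1 == "add" { new[$2 " " $3] = 1; if (!(($2 " " $3) in cur)) print }
       END { for (k in cur) if (!(k in new)) print "del", k }' "$1" "$2" | sort
}
# Stand-alone use: ./sync-check.sh CURRENT.rules NEW.rules
if [ "$#" -eq 2 ]; then
  validate_rules "$2" && rules_delta "$1" "$2"
fi
```

The delta lines can be fed to ipset one by one (or through ipset restore) only after validate_rules has accepted the new file.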
Simple commands to analyse the authentication log files:
  • Search for failed ssh authentication:
awk '(/authentication fail/ && /ssh/) { print $(NF-1), $NF }' /var/log/auth.log | sort | uniq -c | sort -n
  • Search for failed smtp authentication:
awk '(/authentication fail/ && /smtp/) { print $(NF-1), $NF }' /var/log/auth.log | sort | uniq -c | sort -n
  • Search for failed ftp authentication:
awk '(/authentication fail/ && /ftp/) { print $(NF-1), $NF }' /var/log/auth.log | sort | uniq -c | sort -n
  • Search for failed dovecot authentication:
awk '(/authentication fail/ && /dovecot/) { print $(NF-1), $NF }' /var/log/auth.log | sort | uniq -c | sort -n
  • Search for ssh connections closed before authentication (preauth):
awk '(/Connection closed by/ && /sshd/) { print $(NF-1), $NF }' /var/log/auth.log | sort | uniq -c | sort -n
awk '(/preaut/ && /sshd/) { print $0 }' /var/log/auth.log
  • Search for failed authentication in the mail log:
awk '(/authentication fail/) { print $7 }' /var/log/mail.log | sort | uniq -c
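As an added example (mine, not the post's one-liners), this turns the auth.log searches above into candidate entries for the page's per-service ipsets: it extracts the rhost= field explicitly instead of relying on the last two columns, which shift when PAM appends user=NAME, and only emits hosts with at least MIN failures. The set names are those from the page's iptables rules; the threshold, the service regex and the sample log lines used to check it are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Summarises PAM "authentication
# failure" lines per source host and prints "add SET IP" lines for hosts that
# failed at least MIN times, ready to append to the page's ipset.up.rules.
# The rhost= field is matched explicitly: $(NF-1), $NF shift whenever PAM
# appends " user=NAME". Set names are those in the page's iptables rules;
# the threshold and the service regex are the caller's choice.
# Usage: failed_auth_hosts SERVICE_REGEX SET MIN [LOGFILE]
#   e.g. failed_auth_hosts sshd mynetrulesssh 5
failed_auth_hosts() {
  awk -v svc="$1" -v set="$2" -v min="$3" '
    /authentication fail/ && $0 ~ svc && match($0, /rhost=[^ ]+/) {
      ip = substr($0, RSTART + 6, RLENGTH - 6)
      # IPv4 only: a hostname or IPv6 address would not fit an inet hash:ip set
      if (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) n[ip]++
    }
    END { for (ip in n) if (n[ip] >= min) print "add", set, ip }
  ' "${4:-/var/log/auth.log}" | sort
}

# Stand-alone use: ./failed-hosts.sh sshd mynetrulesssh 5 [/var/log/auth.log]
if [ "$#" -ge 3 ]; then
  failed_auth_hosts "$@"
fi
```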