Friday, May 26, 2017

Blocking IP by country for some ports using ipset

To block IPs by country, we need the IP blocks allocated to that country. This example takes them from http://ipdeny.com/.
The IP blocks must be converted into ipset format; the bash script below does two things:
  1. Download the IP blocks for a country from http://www.ipdeny.com
  2. Convert the IP blocks into ipset format
IPv4 blocks: http://www.ipdeny.com/ipblocks/data/countries/ IPv6 blocks: http://www.ipdeny.com/ipv6/ipaddresses/blocks/
Here is the bash script blockcountryip.sh (or download it from https://garasiku.web.id/ipset/blockcountryip.sh.txt):
#!/bin/bash
# 2017-05-23
# Usage: ./blockcountryip.sh <two-letter country code>, e.g. ./blockcountryip.sh cn

if [ "$1" != "" ]; then
 echo "$1"
 # download ipv4 block
 echo "Download ipv4 $1"
 wget "http://www.ipdeny.com/ipblocks/data/countries/$1.zone" -O "zone.ipv4.$1"
 # download ipv6 block
 echo "Download ipv6 $1"
 wget "http://www.ipdeny.com/ipv6/ipaddresses/blocks/$1.zone" -O "zone.ipv6.$1"
 mfile1="./zone.ipv4.$1"
 ofile1="./ipv4.ipset.$1"
 touch "$ofile1"
 echo "creating ipset rules $ofile1 for ipv4"
 echo "create ipv4_$1 hash:net" > "$ofile1"
 # one "add" line per network in the zone file
 while read -r line; do
  echo "add ipv4_$1 $line" >> "$ofile1"
 done <"$mfile1"
 echo "Done creating $ofile1"
 mfile2="./zone.ipv6.$1"
 ofile2="./ipv6.ipset.$1"
 echo "creating ipset rules $ofile2 for ipv6"
 # hash:net defaults to IPv4; "family inet6" is required or ipset rejects the IPv6 entries
 echo "create ipv6_$1 hash:net family inet6" > "$ofile2"
 while read -r line; do
  echo "add ipv6_$1 $line" >> "$ofile2"
 done <"$mfile2"
 echo "Done creating $ofile2"
else
 echo "Usage ./blockcountryip.sh countrycode2"
fi
To use this bash script:
# ./blockcountryip.sh [countrycode]
For example, to generate the IP blocks for China (CN):
# ./blockcountryip.sh cn
Note: you can download an IP block list for China from http://garasiku.web.id/ipset/ipv4.ipset.cn, which contains some additional IP blocks.
To load it into memory:
# ipset restore -! < ipv4.ipset.[countrycode]
[countrycode] is the 2-character country code from https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2
To apply it in iptables:
# iptables -A INPUT -p tcp -m multiport --dports [any port you wish] -m set --match-set ipv4_[countrycode] src -j DROP
For example, to block all IPv4 traffic from China to ports 21, 22, 80, 443 and 2222:
# iptables -A INPUT -p tcp -m multiport --dports 21,22,80,443,2222 -m set --match-set ipv4_cn src -j DROP
# iptables -A INPUT -p udp -m multiport --dports 22,2222 -m set --match-set ipv4_cn src -j DROP
Or, if you don't mind dropping all of their connections:
# iptables -A INPUT -m set --match-set ipv4_cn src -j DROP
To make it persistent, follow your distribution's guide on loading ipset and iptables rules whenever the system or the network starts or restarts. The ipset must be restored before the iptables rule that references it is loaded, otherwise the rule fails.
Not working: IPv6
Note:
  1. SSH tunneling may use the UDP protocol
  2. ProFTPD listens on port 2222
  3. Port 25 is used to communicate with other mail servers
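As an added example (not the post's script), here is a converter with the checks a practitioner would want before loading a country list: blank and comment lines are skipped, lines that do not look like a network are rejected so a failed or partial download is noticed, and IPv6 sets get "family inet6", which hash:net needs (ipset defaults to family inet and rejects IPv6 entries otherwise). The sample zone files and the set names ipv4_xx/ipv6_xx are constructed for the example.

```shell
#!/bin/sh
# Added example, not the post's script: convert an ipdeny-style zone file
# (one network per line) into "ipset restore" input, validating each line
# and setting "family inet6" on IPv6 sets (hash:net defaults to IPv4).

# zone_to_ipset SETNAME FAMILY ZONEFILE  -> ipset restore lines on stdout
#   FAMILY is "inet" or "inet6". Returns 1 if any line was dropped so a
#   caller can notice a bad download instead of silently loading less.
zone_to_ipset() {
  local setname=$1 family=$2 zonefile=$3 bad=0 line
  printf 'create %s hash:net family %s\n' "$setname" "$family"
  while IFS= read -r line || [ -n "$line" ]; do    # also handles a missing final newline
    line=${line%%#*}                                # drop trailing comments
    line=$(printf '%s' "$line" | tr -d '[:space:]') # drop blanks and CR
    [ -z "$line" ] && continue
    case "$family:$line" in
      inet:[0-9]*.[0-9]*.[0-9]*.[0-9]*/[0-9]*) ;;   # a.b.c.d/nn
      inet6:*:*/[0-9]*) ;;                          # has ':' and a prefix length
      *) echo "skipping unexpected line: $line" >&2; bad=1; continue ;;
    esac
    printf 'add %s %s\n' "$setname" "$line"
  done < "$zonefile"
  return "$bad"
}

# Constructed sample zone files standing in for the ipdeny downloads; "xx"
# is a placeholder country code.
workdir=$(mktemp -d)
printf '1.0.1.0/24\n1.0.2.0/23\n\n# comment\nnot-a-network\n' > "$workdir/sample.ipv4.zone"
printf '2001:db8::/32\r\n2001:db8:1::/48\r\n' > "$workdir/sample.ipv6.zone"  # CRLF on purpose

# The generated files are loaded exactly as in the post: ipset restore -! < FILE
zone_to_ipset ipv4_xx inet  "$workdir/sample.ipv4.zone" > "$workdir/ipv4.ipset.xx" \
  || echo "ipv4 zone contained unexpected lines, check the download" >&2
zone_to_ipset ipv6_xx inet6 "$workdir/sample.ipv6.zone" > "$workdir/ipv6.ipset.xx"
```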
My github.com: https://github.com/dedetok/bash-block-ip-by-country

Thursday, May 4, 2017

Windows: Install/deploy XAMPP 7.1.1

We would like to test our application on PHP 7.1. To do that, we need to install/deploy XAMPP 7.1.1.
You can download the installer or the portable XAMPP 7.1.1 package at https://www.apachefriends.org/download.html or https://sourceforge.net/projects/xampp/files/ (non-installer). I preferred to use the portable XAMPP 7.1.1 package, xampp-portable-win32-7.1.1-0-VC14.7z.
XAMPP 7.1.1 requires the Microsoft Visual C++ 2015 Runtime. You can download it as Microsoft Visual C++ 2015 Redistributable Update 3 (the latest when this article was written). Choose the Windows platform you use, 32-bit or 64-bit, then download and install it.
Extract xampp-portable-win32-7.1.1-0-VC14.7z into your drive, for example C:. It will create the folder C:\xampp.
Before you use it, do this to avoid some problems:
  1. Edit the file C:\xampp\mysql\bin\my.ini
     and rename the key_buffer setting to key_buffer_size, for example:
     ...
     key_buffer_size = 16M
     ...
  2. Create the folder C:\xampp\mysql\lib\plugin
You may start or stop Apache:
  1. Using XAMPP Control "xampp-control.exe"
  2. Running "apache_start.bat" in cmd to start and "apache_stop.bat" to stop (I prefer this).
You may start or stop MySQL (MariaDB):
  1. Using XAMPP Control "xampp-control.exe"
  2. Running "mysql_start.bat" in cmd to start and "mysql_stop.bat" to stop (I prefer this).
Note:
  1. The XAMPP folder must sit directly under the drive root, for example C:\xampp, D:\xampp, etc.; otherwise it may fail to start.
  2. Do not rename the xampp folder; it may fail to start.

Tuesday, May 2, 2017

Centos 6: csf blocking whois

Symptom:
# whois google.com
[Querying whois.verisign-grs.com]
[Unable to connect to remote host]
To solve this problem, edit /etc/csf/csf.conf and make sure outgoing connections to ports 43 (whois) and 53 (DNS) are allowed:
# vi /etc/csf/csf.conf
...
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,43,53,80,110,113,443,587,993,995"
...
# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = "20,21,43,53,113,123"
...
Restart csf:
# csf -r
Done!