Debian Jessie (at the time of writing) does not provide a script to save and load ipset rules.
ipset
-----------------------------------------------------------------------------------------------
saving ipset rules:
# ipset save
or
# /sbin/ipset save
We follow the filename convention from the Debian wiki https://wiki.debian.org/iptables (which uses /etc/iptables.up.rules), so the ipset rules go to /etc/ipset.up.rules:
# ipset save > /etc/ipset.up.rules
To save ipset rules to another file:
# ipset save > /root/iptablesrules/ipsetrules.save
To restore ipset rules (-! ignores "already exists" errors for sets that are already loaded):
# ipset restore -! < /etc/ipset.up.rules
or
# /sbin/ipset restore -! < /etc/ipset.up.rules
iptables (my version is v1.4.21)
-----------------------------------------------------------------------------------------------
saving iptables rules:
# iptables-save
or
# /sbin/iptables-save
We follow the filename convention from the Debian wiki https://wiki.debian.org/iptables (i.e. /etc/iptables.up.rules):
# iptables-save > /etc/iptables.up.rules
To save iptables rules to another file:
# iptables-save > /root/iptablesrules/iptablesrules.save
Note: the iptables-persistent package saves rules in these files:
- /etc/iptables/rules.v4
- /etc/iptables/rules.v6
But we do not use iptables-persistent here.
To restore iptables rules:
# iptables-restore < /etc/iptables.up.rules
or
# /sbin/iptables-restore < /etc/iptables.up.rules
We have several choices for loading ipset and iptables rules on boot:
- manual init.d configuration
- configuring via ifup, either by
  - putting the loader in /etc/network/interfaces (option 1), or
  - putting a script in /etc/network/if-pre-up.d/ (option 2)
Option 1:
To use /etc/network/interfaces to load ipset and iptables rules
Edit /etc/network/interfaces:
....
# The primary network interface
allow-hotplug eth0
iface eth0 inet static
...
pre-up ipset restore -! < /etc/ipset.up.rules
pre-up iptables-restore < /etc/iptables.up.rules
...
Option 2:
To use a script in /etc/network/if-pre-up.d/ to load ipset and iptables rules
Create or edit /etc/network/if-pre-up.d/load.rules:
#!/bin/sh
/sbin/ipset restore -! < /etc/ipset.up.rules
/sbin/iptables-restore < /etc/iptables.up.rules
and make it executable:
# chmod +x /etc/network/if-pre-up.d/load.rules
Note:
- Use only one of the options above.
- After adding an IP address to an ipset, don't forget to save it to /etc/ipset.up.rules.
- Restore the ipset rules before the iptables rules (as both options above do): iptables-restore fails on a --match-set rule whose set does not exist yet.
- If you use fail2ban, do not put the fail2ban rules in iptables.up.rules; fail2ban configures its own chains itself when it starts. Remove the fail2ban rules from /etc/iptables.up.rules.
Distributing ipset across a server farm
These ipset rules can be distributed across your servers.
Master
The ipset can be generated on a honeypot/server and distributed via the web.
Run this script after you add or edit ipset rules; it publishes the rules into
your web root directory:
#!/bin/bash
## created by dedetok April 2016
## last update 2016-04-28
## GNU GPL v3
## Disclaimer: experimental, use it at your own risk
/sbin/ipset save > /etc/ipset.up.rules
# create a temporary file holding the new ipset rules without the fail2ban sets
# (the directory /root/bin must exist)
if [ -f "/root/bin/ipset.up.rules.new" ] ; then
    rm "/root/bin/ipset.up.rules.new"
fi
touch /root/bin/ipset.up.rules.new
# drop every line (create and add) that names a fail2ban set
while read -r line; do
    if [[ $line != *"fail2ban"* ]]
    then
        echo "$line" >> /root/bin/ipset.up.rules.new
    fi
done < /etc/ipset.up.rules
# copy the clean ipset dump back into /etc/ipset.up.rules
cp /root/bin/ipset.up.rules.new /etc/ipset.up.rules
# publish it in the web root or in a user's public_html
#cp /root/bin/ipset.up.rules.new /home/[user]/public_html/ipset.up.rules
cp /root/bin/ipset.up.rules.new /var/www/public_html/ipset.up.rules
Do the following steps on each server in your farm:
- Save this bash script as /root/unduhgarasiku.sh (or download it):
#!/bin/bash
## created by dedetok April 2016
## last update 2017-05-02
## GNU GPL v3
## Disclaimer: experimental, use it at your own risk
echo "download from http://www.garasiku.web.id/ipset.up.rules into /etc/ipset.up.rules.new"
if wget -O /etc/ipset.up.rules.new http://www.garasiku.web.id/ipset.up.rules; then
    chmod 444 /etc/ipset.up.rules.new
    chown root:root /etc/ipset.up.rules.new
    ## update the ipsets, ignoring "already exists" errors (-!): we want the fresh list
    echo "updating new rules"
    if /sbin/ipset restore -! < /etc/ipset.up.rules.new; then
        echo "Saving new ipset rules into /etc/ipset.up.rules"
        cp /etc/ipset.up.rules.new /etc/ipset.up.rules
        chmod 544 /etc/ipset.up.rules
        chown root:root /etc/ipset.up.rules
    else
        echo "Error, ipset.up.rules not in ipset format"
        exit 1
    fi
else
    echo "Fail to download ipset.up.rules"
    exit 1
fi
echo "End process"
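The download script hands whatever wget fetched straight to ipset restore -!, so a truncated, corrupted or altered file becomes firewall state. Two cheap checks in between close most of that gap: compare the download against a digest the master publishes, and accept only create/add lines for the set names this server expects. The following is an added example and not one of the scripts from this post; it assumes the master also publishes a SHA-256 digest file next to the dump (its name and location are assumptions), and all set names, paths and sample contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks for a downloaded
# ipset dump before "ipset restore" runs it. Assumptions (not in the post): the
# master publishes a SHA-256 digest next to the dump, and the caller knows which
# set names it expects. All paths and sample data below are constructed.

# validate_ipset_dump FILE "SET1 SET2 ...": succeed only if every non-blank line
# is a "create" or "add" command for one of the listed sets and carries no shell
# metacharacters (a downloaded file must never be able to flush, destroy or
# rename sets, nor smuggle anything into a later "eval").
validate_ipset_dump() {
    awk -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF == 0 { next }                                   # skip blank lines
        $1 != "create" && $1 != "add" { bad = 1; exit }   # only these two verbs
        !($2 in ok) { bad = 1; exit }                      # only expected set names
        /[;&|`$<>()]/ { bad = 1; exit }                    # nothing a shell could parse
        END { exit bad }
    ' "$1"
}

# verify_checksum FILE SUMFILE: succeed if FILE matches the hex SHA-256 digest on
# the first line of SUMFILE (the format "sha256sum" writes).
verify_checksum() {
    expected=$(awk 'NR == 1 { print $1 }' "$2")
    actual=$(sha256sum "$1" | awk '{ print $1 }')
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Demonstration on constructed data: one well-formed dump with its digest, and one
# tampered dump that tries to flush a set and add to a set we never asked for.
demo() {
    dir=$(mktemp -d) || return 1
    good="$dir/ipset.up.rules.new"
    printf '%s\n' \
        'create mynetrules hash:net family inet hashsize 1024 maxelem 65536' \
        'add mynetrules 203.0.113.0/24' \
        'add mynetrules 198.51.100.7' > "$good"
    sha256sum "$good" | awk '{ print $1 }' > "$good.sha256"

    bad="$dir/tampered"
    printf '%s\n' 'flush mynetrules' 'add otherset 192.0.2.1' > "$bad"

    verify_checksum "$good" "$good.sha256"                 && echo "good dump: checksum ok"
    validate_ipset_dump "$good" "mynetrules mynetrulesssh" && echo "good dump: format ok"
    validate_ipset_dump "$bad" "mynetrules"                || echo "tampered dump: rejected by format check"
    verify_checksum "$bad" "$good.sha256"                  || echo "tampered dump: rejected by checksum"
    rm -rf "$dir"
}

demo
```

In the download script above these two calls would sit between the wget and the ipset restore -!: fetch the dump and its digest, run verify_checksum and validate_ipset_dump, and only restore when both succeed. The digest catches a truncated or corrupted download; against someone who can alter the file on the way (the script fetches over plain HTTP), it only helps if the digest is fetched over HTTPS or signed, so serving the list over HTTPS is the other half of the fix.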
Old version
#!/bin/bash
## created by dedetok April 2016
## last update 2016-04-15
## GNU GPL v3
## Disclaimer: experimental, use it at your own risk
echo "download from http://www.garasiku.web.id/ipset.up.rules into /etc/ipset.up.rules.new"
wget -O /etc/ipset.up.rules.new http://www.garasiku.web.id/ipset.up.rules
chmod 444 /etc/ipset.up.rules.new
chown root:root /etc/ipset.up.rules.new
## Compare ipset.up.rules vs ipset.up.rules.new: lines only in the new file are
## printed as "+ ...", lines only in the old file as "- ...", unchanged lines not at all
echo "updating new rules"
diff --new-line-format="+ %L" --old-line-format="- %L" --unchanged-line-format="" \
     <(sort /etc/ipset.up.rules) <(sort /etc/ipset.up.rules.new) |
while IFS=' ' read -r r1 r2 r3 r4; do
    # only "add" lines are applied (new "create" lines are ignored)
    if [ "$r2" = "add" ]; then
        if [ "$r1" = "+" ]; then
            echo "/sbin/ipset add $r3 $r4"
            /sbin/ipset add "$r3" "$r4"
        fi
        if [ "$r1" = "-" ]; then
            echo "/sbin/ipset del $r3 $r4"
            /sbin/ipset del "$r3" "$r4"
        fi
    fi
done
echo "Saving new ipset rules into /etc/ipset.up.rules"
/sbin/ipset save > /etc/ipset.up.rules
echo "End process"
- Put it into crontab to update ipset.up.rules every day at midnight (00:00):
# crontab -e
- Put in this line (you can choose the nano editor):
0 0 * * * /root/unduhgarasiku.sh
- Save it (you can use the default file name):
File Name to Write: /tmp/crontab.9uLsb5/crontab
- iptables rules for the server farm:
-A INPUT -m set --match-set mynetrules src -j DROP
-A INPUT -p tcp -m multiport --dports 25,465,587,993,995,465,143,110 -m set --match-set mynetrulessmtp src -j DROP
-A INPUT -p tcp -m multiport --dports 80,443 -m set --match-set mynetruleshttp src -j DROP
-A INPUT -p tcp --dport 22 -m set --match-set mynetrulesssh src -j DROP
-A INPUT -p tcp -m multiport --dports 21,22 -m set --match-set mynetrulesftp src -j DROP
-A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j DROP
or, if you want to limit connections from a class C network to 20 connections:
-A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 20 --connlimit-mask 24 -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m multiport --dports 25,465,587,993,995,465,143,110 -m connlimit --connlimit-above 8 --connlimit-mask 32 --connlimit-saddr -j DROP
NOTE:
Don't forget to add your ipset rules to the iptables rules on every server in
your farm and make them persistent. I suggest you create the iptables rules on
each server; do not copy the iptables rules of another server, as every server
may have unique iptables rules.
Simple scripts to analyse authentication log files:
- Search failures in ssh:
awk '(/authentication fail/ && /ssh/) { print $(NF-1), $NF }' /var/log/auth.log | sort | uniq -c | sort -n
- Search failures in smtp:
awk '(/authentication fail/ && /smtp/) { print $(NF-1), $NF }' /var/log/auth.log | sort | uniq -c | sort -n
- Search failures in ftp:
awk '(/authentication fail/ && /ftp/) { print $(NF-1), $NF }' /var/log/auth.log | sort | uniq -c | sort -n
- Search failures in dovecot:
awk '(/authentication fail/ && /dovecot/) { print $(NF-1), $NF }' /var/log/auth.log | sort | uniq -c | sort -n
- Search ssh connections closed before authentication (preauth):
awk '(/Connection closed by/ && /sshd/) { print $(NF-1), $NF }' /var/log/auth.log | sort | uniq -c | sort -n
awk '(/preaut/ && /sshd/) { print $0 }' /var/log/auth.log
- Search failures in mail:
awk '(/authentication fail/) { print $7 }' /var/log/mail.log | sort | uniq -c
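The one-liners above all have the same shape: pick the lines that report an authentication failure for one service, take the last two fields (rhost= and user=), and count the pairs. The following is an added example, not from the original post: it wraps that shape in functions and runs them over constructed auth.log lines so it can be tried offline. It also handles the PAM lines that end with rhost= and carry no user= field, where $(NF-1) would otherwise be ruser=, by finding the rhost= field by name, and it turns the tally into a list of hosts over a threshold that is ready for ipset add. Hosts, users and timestamps in the sample are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: the authentication-failure tally
# from the one-liners above, as functions, run over constructed auth.log lines.
# Host addresses, user names and timestamps are all constructed sample data.

SAMPLE_AUTH_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_AUTH_LOG"' EXIT
cat > "$SAMPLE_AUTH_LOG" <<'EOF'
Apr 28 10:01:02 mail sshd[2101]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5  user=root
Apr 28 10:01:05 mail sshd[2101]: Failed password for root from 203.0.113.5 port 40122 ssh2
Apr 28 10:01:09 mail sshd[2103]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5  user=admin
Apr 28 10:02:11 mail sshd[2105]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5  user=root
Apr 28 10:03:40 mail sshd[2110]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7  user=root
Apr 28 10:04:01 mail sshd[2112]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.9
Apr 28 10:05:22 mail auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=alice rhost=192.0.2.44  user=alice
Apr 28 10:05:30 mail auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=alice rhost=192.0.2.44  user=alice
Apr 28 10:06:00 mail sshd[2120]: Accepted publickey for deploy from 192.0.2.10 port 50110 ssh2
EOF

# count_auth_failures LOG SERVICE: the one-liner from the post, parameterised.
# Prints "<count> <field NF-1> <field NF>" per distinct pair, busiest last.
count_auth_failures() {
    awk -v svc="$2" '/authentication fail/ && $0 ~ svc { print $(NF-1), $NF }' "$1" \
        | sort | uniq -c | sort -n
}

# hosts_over_threshold LOG SERVICE N: hosts with at least N failures for SERVICE,
# one per line, sorted. Finds the rhost= field by name instead of by position, so
# a PAM line with no trailing user= field still counts against the right host.
hosts_over_threshold() {
    awk -v svc="$2" -v limit="$3" '
        /authentication fail/ && $0 ~ svc {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^rhost=/) { n[substr($i, 7)]++ }
        }
        END { for (h in n) if (n[h] >= limit) print h }
    ' "$1" | sort
}

echo "== sshd failures by rhost/user =="
count_auth_failures "$SAMPLE_AUTH_LOG" sshd
echo "== sshd hosts with 2 or more failures (candidates for: ipset add mynetrulesssh <host>) =="
hosts_over_threshold "$SAMPLE_AUTH_LOG" sshd 2
```

Run against the real file with hosts_over_threshold /var/log/auth.log sshd 10 (or whatever limit fits the server) to get the candidates for a new ipset entry; what goes into the published list is still a manual decision, since the positional one-liners count rhost/user pairs and will split one host's attempts across several lines.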
Reference: