In Linux, how does one efficiently block malicious IP addresses?
There are many situations in which you may want to keep a given IP address away from your Linux system. As an end user, you may want to shield yourself from known spyware or tracker IP addresses. If you run P2P software, you may want to filter out connections from networks known to interfere with P2P traffic. As a system administrator, you may want to keep spam-sending IP addresses away from your production mail server, or block access to your web servers from certain countries. In many such cases the block list quickly grows to thousands of IP addresses or IP ranges. How do you handle that efficiently?
The problem with netfilter/iptables
On Linux, as long as the netfilter/iptables framework is available, blocking a single IP address is easy:
$ sudo iptables -A INPUT -s 1.1.1.1 -p TCP -j DROP
Blocking an entire IP range works the same way:
$ sudo iptables -A INPUT -s 1.1.2.0/24 -p TCP -j DROP
But what if you need to block 1000 individual IP addresses that share no common CIDR (Classless Inter-Domain Routing) prefix? Set up 1000 iptables rules? That clearly does not scale: iptables evaluates the rules in a chain sequentially, so every packet is checked against up to 1000 rules.
$ sudo iptables -A INPUT -s 1.1.1.1 -p TCP -j DROP
$ sudo iptables -A INPUT -s 2.2.2.2 -p TCP -j DROP
$ sudo iptables -A INPUT -s 3.3.3.3 -p TCP -j DROP
. . . .
What is an IP set?
This is where IP sets come in. An IP set is a kernel feature that lets many (unrelated) IP addresses, MAC addresses or even port numbers be encoded and stored efficiently in a bitmap or hash data structure inside the kernel. Once an IP set exists, you can write iptables rules that match against the set.
The benefit should be obvious: a single iptables rule matches every address in the set. A set can be built from IP addresses, networks and port numbers, and its membership can be updated on the fly without touching the iptables rules themselves, so the number of rules (and the per-packet cost) stays constant no matter how long the block list grows.
Installing the ipset tool on Linux
To create and manage IP sets, you need the user-space tool named ipset.
To install ipset on Debian, Ubuntu, or Linux Mint:
$ sudo apt-get install ipset
To install ipset on Fedora or CentOS/RHEL 7:
$ sudo yum install ipset
Blocking IP addresses with the ipset command
Let me illustrate the ipset command with a few simple examples.
First, create a new IP set named banthis:
$ sudo ipset create banthis hash:net
The second argument (hash:net) is mandatory: it specifies the type of the set being created. There are several set types. A hash:net set stores multiple CIDR blocks in a hash. If you only want to store individual IP addresses, use the hash:ip type instead.
Once the set exists, you can inspect it with:
$ sudo ipset list
This shows the list of existing IP sets with the details of each one, including its members. By default a set can hold at most 65536 elements (CIDR blocks in this case). To raise the limit, append the "maxelem N" option when creating the set:
$ sudo ipset create banthis hash:net maxelem 1000000
Now add IP ranges to the set:
$ sudo ipset add banthis 1.1.1.1/32
$ sudo ipset add banthis 1.1.2.0/24
$ sudo ipset add banthis 1.1.3.0/24
$ sudo ipset add banthis 1.1.4.10/24
List the set again and you will see the new members. Note that a hash:net set stores network prefixes, so 1.1.4.10/24 is normalized and stored as 1.1.4.0/24.
$ sudo ipset list
Now you can reference the set from an iptables rule. The key is the "-m set --match-set" match.
For example, to stop every address in the set from reaching the web server on port 80:
$ sudo iptables -I INPUT -m set --match-set banthis src -p tcp --destination-port 80 -j DROP
You can save a specific IP set to a file and later restore it from that file:
$ sudo ipset save banthis -f banthis.txt
$ sudo ipset destroy banthis
$ sudo ipset restore -f banthis.txt
In the commands above, the existing set is deleted with the destroy option and then recreated from the file, which shows that the round trip works.
Blocking IP addresses automatically
By now the power of IP sets should be clear. Keeping a block list up to date by hand, however, is time-consuming. Fortunately there are free and paid services that maintain such lists for you. Let's look at how to turn a published IP block list into an IP set automatically.
For this example I will use a free list from iblocklist.com, which publishes many IP block lists, some free and some for a fee. The free lists are available in P2P format.
I will use an open source Python tool named iblocklist2ipset, which converts the P2P version of an iblocklist list into ipset format.
First, you need to install pip (to install pip, refer to this tutorial: http://ask.xmodulo.com/install-pip-linux.html ).
Install iblocklist2ipset as follows.
$ sudo pip install iblocklist2ipset
On some distributions, such as Fedora, you may need to run the following command instead:
$ sudo python-pip install iblocklist2ipset
Now go to iblocklist.com and pick the URL of any P2P-format list (for example the "level1" list).
Then paste the URL into the following command:
$ iblocklist2ipset generate \
    --ipset banthis "http://list.iblocklist.com/?list=ydxerpxkpcfqjaybcssw&fileformat=p2p&archiveformat=gz" \
    > banthis.txt
Running the command creates a file named banthis.txt. Its content looks similar to the following:
create banthis hash:net family inet hashsize 131072 maxelem 237302
add banthis 1.2.4.0/24
add banthis 1.2.8.0/24
add banthis 1.9.75.8/32
add banthis 1.9.96.105/32
add banthis 1.9.102.251/32
add banthis 1.9.189.65/32
add banthis 1.16.0.0/14
You can load this file into the kernel with a single ipset command:
$ sudo ipset restore -f banthis.txt
Now check the automatically created IP set:
$ sudo ipset list banthis
As of this writing, the "level1" list contains more than 237,000 IP ranges, and you will see that all of them have been added to the set.
Finally, all that remains is to create an iptables rule matching the set, as shown earlier, and every one of these addresses is blocked.
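To make clear what a converter like iblocklist2ipset actually does, and to address two practical problems with the generated file above (its maxelem equals the number of entries exactly, so nothing more can be added without recreating the set, and a plain restore into a live set cannot replace old entries without a gap in coverage), here is an added example that is not part of the original article or of the iblocklist2ipset project. It parses the P2P format ("description:first-last", one range per line, "#" comments), splits each range into the minimal CIDR blocks a hash:net set can hold, and emits an ipset restore script that builds a temporary set, swaps it with the live set and destroys the old one, so the iptables rule never sees an empty set. The sample list, the set name banthis-new and the 25% headroom are assumptions chosen for this example.

```python
"""
Convert a P2P-format blocklist into an `ipset restore` script with an atomic swap.

Added example, not the article's or iblocklist2ipset's own code. Uses only the
Python 3 standard library; the sample data below is constructed, not real
iblocklist content.
"""
import ipaddress
from typing import Iterable, List, Tuple

# Constructed sample in P2P format: "description:first_ip-last_ip".
# Descriptions may contain colons, so the range is taken after the LAST colon.
SAMPLE_P2P = """\
# Constructed sample list, not real iblocklist data
Example Org:1.2.4.0-1.2.4.255
Host with colon: in name:1.9.75.8-1.9.75.8
Odd range:10.0.0.3-10.0.0.12

Bad line without separator
Bad addresses:999.1.1.1-999.1.1.2
"""

Range = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]


def parse_p2p(text: str) -> List[Range]:
    """Return (first, last) pairs; skip comments, blank lines and unparsable entries."""
    ranges: List[Range] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        _desc, _, span = line.rpartition(":")
        first_s, dash, last_s = span.partition("-")
        if not dash:
            continue  # no range separator
        try:
            first = ipaddress.IPv4Address(first_s.strip())
            last = ipaddress.IPv4Address(last_s.strip())
        except ipaddress.AddressValueError:
            continue  # malformed address: skip the entry, keep the rest of the list
        if last < first:
            first, last = last, first
        ranges.append((first, last))
    return ranges


def ranges_to_cidrs(ranges: Iterable[Range]) -> List[str]:
    """Split arbitrary first-last ranges into minimal CIDR blocks (hash:net stores prefixes only)."""
    return [
        str(net)
        for first, last in ranges
        for net in ipaddress.summarize_address_range(first, last)
    ]


def build_restore_script(setname: str, cidrs: Iterable[str], headroom: float = 1.25) -> str:
    """Emit `ipset restore` input that creates `setname` with headroom and adds every block."""
    blocks = list(cidrs)
    # maxelem is fixed at creation; size it above the entry count so the set can grow.
    maxelem = max(1024, int(len(blocks) * headroom))
    lines = [f"create {setname} hash:net family inet maxelem {maxelem}"]
    lines += [f"add {setname} {c}" for c in blocks]
    return "\n".join(lines) + "\n"


def build_atomic_reload(setname: str, cidrs: Iterable[str]) -> str:
    """Emit a restore script that fills a temporary set, swaps it into place, drops the old one.

    ipset restore accepts every command except list/help/version/restore itself, so the
    swap and destroy can live in the same file. The live set (`setname`) must already
    exist with the same type (hash:net, family inet) for `swap` to succeed.
    """
    tmp = f"{setname}-new"  # assumed temporary set name
    script = build_restore_script(tmp, cidrs)
    return script + f"swap {tmp} {setname}\ndestroy {tmp}\n"


if __name__ == "__main__":
    blocks = ranges_to_cidrs(parse_p2p(SAMPLE_P2P))
    print(build_atomic_reload("banthis", blocks), end="")
```

Pipe the output into `sudo ipset restore` (after `sudo ipset create banthis hash:net` once, as in the article) and the rule `-m set --match-set banthis src` keeps matching throughout the reload. `sudo ipset test banthis 1.9.75.8` confirms that a given address is now covered.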
Conclusion
In this tutorial, I demonstrated how to use ipset, a powerful tool for blocking unwanted IP addresses. Combined with third-party tools such as iblocklist2ipset, it greatly simplifies the maintenance of an IP block list. For those curious about the actual speedup, the original article included a benchmark chart comparing iptables with and without ipset (image courtesy of daemonkeeper.net).
I hope this article is helpful!
Source: http://xmodulo.com/block-unwanted-ip-addresses-linux.html