How to Mass Block Malicious IP Addresses in Linux

In many cases you may need to block IP addresses under Linux. As an end user, you may want to protect yourself from spyware or IP tracking, or filter out anti-P2P activity while running P2P software. As a system administrator, you may want to stop spam sources from reaching your corporate mail server, or block certain countries from accessing your web service. In many cases, however, your list of IP addresses to block quickly grows to tens of thousands of entries. How do you deal with that?

Problems with Netfilter/IPtables

In Linux, it is easy to block a single IP address with the netfilter/iptables framework:

  $ sudo iptables -A INPUT -s 1.1.1.1 -p TCP -j DROP

If you want to completely block a range of IP addresses, you can do it very simply with the following command:

  $ sudo iptables -A INPUT -s 1.1.2.0/24 -p TCP -j DROP

However, what do you do when you have 1000 individual IP addresses that do not share CIDR (Classless Inter-Domain Routing) prefixes? You would need 1000 iptables rules! That is obviously not suitable for large-scale blocking.

  $ sudo iptables -A INPUT -s 1.1.1.1 -p TCP -j DROP
  $ sudo iptables -A INPUT -s 2.2.2.2 -p TCP -j DROP
  $ sudo iptables -A INPUT -s 3.3.3.3 -p TCP -j DROP
  ....

What is an IP set?

This is where IP sets come into play. An IP set is a kernel feature that lets you encode multiple (independent) IP addresses, MAC addresses or even port numbers and store them efficiently in a bitmap or hash data structure inside the kernel. Once an IP set is created, you can write an iptables rule that matches against the set.

You will soon see the benefit of IP sets: a single iptables rule can match many IP addresses at once! You can build IP sets from multiple IP addresses and port numbers, and the set can be updated dynamically without hurting performance.

Install IPset Tool in Linux

In order to create and manage IP sets, you need to use a userspace tool called ipset.

To install on Debian, Ubuntu or Linux Mint:

  $ sudo apt-get install ipset

To install on Fedora or CentOS/RHEL 7:

  $ sudo yum install ipset

Block IPs using the ipset command

Let me show you how to use the ipset command with a simple example.

First, let's create a new IP set called banthis (the name is arbitrary):

  $ sudo ipset create banthis hash:net

The second parameter (hash:net) is required and specifies the type of the set. There are several IP set types. A set of type hash:net uses a hash to store multiple CIDR blocks. If you want to store individual IP addresses in a set, use the hash:ip type instead.

Once an IP set is created, you can check it with the following command:

  $ sudo ipset list

This displays the available IP sets along with their members. By default, each IP set can hold 65536 elements (in this case CIDR blocks). You can raise the limit by appending the "maxelem N" option:

  $ sudo ipset create banthis hash:net maxelem 1000000

Now let's add IP blocks to this set:

  $ sudo ipset add banthis 1.1.1.1/32
  $ sudo ipset add banthis 1.1.2.0/24
  $ sudo ipset add banthis 1.1.3.0/24
  $ sudo ipset add banthis 1.1.4.10/24

You will see that the members of the set have changed:

  $ sudo ipset list

Now it's time to create an iptables rule that uses the IP set. The key here is to use the "-m set --match-set" option.

Let's create an iptables rule that prevents the IP blocks above from reaching the web service on port 80. This can be done with the following command:

  $ sudo iptables -I INPUT -m set --match-set banthis src -p tcp --destination-port 80 -j DROP

If you want, you can save a specific set of IPs to a file from which you can restore it later:

  $ sudo ipset save banthis -f banthis.txt
  $ sudo ipset destroy banthis
  $ sudo ipset restore -f banthis.txt

In the command above, I used the destroy option to delete an existing IP set to see if I could restore it.
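The create, add, match and save/restore steps above, collected into one script. This is an added example, not code from the original article: it validates every entry before emitting a restore script, loads the script into a temporary set, and exchanges it with the live set using ipset swap, so the iptables rule never matches an empty set while a list is being refreshed. The set names (banthis, banthis.tmp), the list path /etc/banthis.list and port 80 are assumptions.

```shell
#!/bin/sh
# Load a plain blocklist into an ipset and hook it into iptables without a
# gap in enforcement. Entries are validated first, the restore script is
# loaded into a temporary set, and 'ipset swap' exchanges it with the live
# set that the iptables rule references. Names (banthis, banthis.tmp,
# /etc/banthis.list) and port 80 are assumptions for this example.

# Return 0 if $1 is a syntactically valid IPv4 host or CIDR block, else 1.
valid_cidr() {
    ip=${1%/*}; prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32            # no "/": treat as a single host
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Emit an ipset restore script for set $1 from the list on stdin (one IP or
# CIDR per line; '#' comments and blank lines are ignored). Invalid entries
# are reported on stderr and skipped, so one bad line cannot abort the restore.
build_restore() {
    setname=$1
    printf 'create %s hash:net family inet maxelem 1000000\n' "$setname"
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line%%#*}
        entry=$(printf '%s' "$entry" | tr -d '[:space:]')
        [ -n "$entry" ] || continue
        if valid_cidr "$entry"; then
            printf 'add %s %s\n' "$setname" "$entry"
        else
            printf 'skipping invalid entry: %s\n' "$entry" >&2
        fi
    done
}

# Replace the live set $1 with the contents of list file $2 (needs root).
apply_set() {
    setname=$1; listfile=$2; tmpset="$1.tmp"
    ipset destroy "$tmpset" 2>/dev/null || true      # leftovers from a failed run
    build_restore "$tmpset" < "$listfile" | ipset restore
    if ipset -n list "$setname" >/dev/null 2>&1; then
        ipset swap "$tmpset" "$setname"             # atomic: no empty-set window
        ipset destroy "$tmpset"
    else
        ipset rename "$tmpset" "$setname"           # first run: no live set yet
    fi
    # Add the matching rule once; -C checks whether it is already present.
    iptables -C INPUT -m set --match-set "$setname" src -p tcp --dport 80 -j DROP 2>/dev/null ||
        iptables -I INPUT -m set --match-set "$setname" src -p tcp --dport 80 -j DROP
}

# Constructed sample list: three valid entries, a comment, and one bad entry.
sample_list='1.1.1.1/32
1.1.2.0/24   # a whole /24
300.1.1.1
1.1.4.10'

printf '%s\n' "$sample_list" | build_restore banthis   # prints the restore script

# Set IPSET_APPLY=1 to actually load /etc/banthis.list into the live set.
if [ "${IPSET_APPLY:-0}" = 1 ]; then
    apply_set banthis /etc/banthis.list
fi
```

Run as-is, the script only prints the restore script generated from the constructed sample; with IPSET_APPLY=1 and root it loads /etc/banthis.list. ipset restore processes the whole file in one invocation, which is what makes it practical for lists with hundreds of thousands of entries.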

Automatic IP address blocking

By now you should see the power of IP sets. Maintaining an IP blacklist is a tedious and time-consuming task, and there are many free and paid services that can help with it. As a bonus, let's see how to load a published IP blacklist into an IP set automatically.

First, let's get a free blacklist from iblocklist.com; the site offers various free and paid lists. The free lists are in P2P format.

Next I'm going to use an open source Python tool called iblocklist2ipset to convert the blacklist in P2P format into an IP set.

First, you need to have pip installed (refer to this guide to install pip).

Install iblocklist2ipset using the following command.

  $ sudo pip install iblocklist2ipset

On some distributions like Fedora, you may need to run:

  $ sudo python-pip install iblocklist2ipset

Now go to iblocklist.com and grab the URL of any P2P list (such as the "level1" list).

Paste the URL into the command below.

  $ iblocklist2ipset generate \
    --ipset banthis "http://list.iblocklist.com/?list=ydxerpxkpcfqjaybcssw&fileformat=p2p&archiveformat=gz" \
    > banthis.txt

After the above command runs, you will get a file called banthis.txt. If you look at its contents, you'll see something like this:

  create banthis hash:net family inet hashsize 131072 maxelem 237302
  add banthis 1.2.4.0/24
  add banthis 1.2.8.0/24
  add banthis 1.9.75.8/32
  add banthis 1.9.96.105/32
  add banthis 1.9.102.251/32
  add banthis 1.9.189.65/32
  add banthis 1.16.0.0/14
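The conversion iblocklist2ipset performs, written out in plain POSIX sh as an added example (not the tool's own code and not from the original article). A P2P list gives each entry as an inclusive range, "Some name:1.2.4.0-1.2.4.255", while a hash:net set stores CIDR blocks, so every range has to be split into the smallest set of aligned blocks that cover it; that is what range_to_cidrs does. The set name banthis and the sample lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Convert a blocklist in the P2P format used by iblocklist.com
# ("Some name:1.2.4.0-1.2.4.255", one range per line) into an ipset restore
# script. IP ranges are split into the minimal list of CIDR blocks, because
# hash:net stores CIDR blocks, not ranges. The set name is an assumption.

ip_to_int() {        # 1.2.3.4 -> 16909060
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int_to_ip() {        # 16909060 -> 1.2.3.4
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Print the minimal CIDR blocks covering the inclusive range $1-$2, one per
# line. Each step emits the widest block that starts at 'start', is aligned
# to its own size, and does not run past 'end'.
range_to_cidrs() {
    start=$(ip_to_int "$1"); end=$(ip_to_int "$2")
    while [ "$start" -le "$end" ]; do
        prefix=32
        while [ "$prefix" -gt 0 ]; do
            size=$(( 1 << (33 - prefix) ))                   # next wider block
            [ $(( start % size )) -eq 0 ] || break           # must stay aligned
            [ $(( start + size - 1 )) -le "$end" ] || break  # must fit in range
            prefix=$(( prefix - 1 ))
        done
        echo "$(int_to_ip "$start")/$prefix"
        start=$(( start + (1 << (32 - prefix)) ))
    done
}

# Read P2P lines on stdin, write an ipset restore script for set $1 to stdout.
# Blank lines, '#' comments and lines that are not "name:a.b.c.d-e.f.g.h" are
# skipped with a note on stderr. maxelem is sized to the entry count (never
# below the ipset default of 65536) so a large list is not cut off on load.
p2p_to_ipset() {
    setname=$1; adds=""; count=0; cr=$(printf '\r')
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%"$cr"}                  # tolerate CRLF input
        case "$line" in ''|'#'*) continue ;; esac
        range=${line##*:}                   # after the last ':' (names may contain ':')
        case "$range" in
            *.*.*.*-*.*.*.*) ;;
            *) printf 'skipping malformed line: %s\n' "$line" >&2; continue ;;
        esac
        for cidr in $(range_to_cidrs "${range%-*}" "${range#*-}"); do
            adds="${adds}add $setname $cidr
"
            count=$(( count + 1 ))
        done
    done
    printf 'create %s hash:net family inet maxelem %d\n' "$setname" \
        $(( count > 65536 ? count : 65536 ))
    printf '%s' "$adds"
}

# Constructed sample input (not a real list): two ranges, a comment, a bad line.
sample_p2p='Example Org:1.2.4.0-1.2.4.255
# comment line
Some:Name:With:Colons:1.9.75.8-1.9.75.8
garbage line
Small block:10.0.0.1-10.0.0.6'

printf '%s\n' "$sample_p2p" | p2p_to_ipset banthis    # prints the restore script
```

Pipe a downloaded P2P file through p2p_to_ipset and feed the result to sudo ipset restore. The add lines are collected in memory so the create line can carry the final count, which is why maxelem in iblocklist2ipset's output matches the number of entries.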

You can load this file with the following ipset command:

  $ sudo ipset restore -f banthis.txt

The automatically created IP set can now be viewed:

  $ sudo ipset list banthis

At the time of this writing, the "level1" list contains about 237,000 blocked IP entries, and you will see that all of them have been added to the IP set.

Finally, create an iptables command to block these bad guys!

Summary

In this article, I described how you can block unwanted IP addresses with the powerful ipset tool, and how to combine it with the third-party tool iblocklist2ipset so that you can maintain your IP block list with little effort. For those curious about the performance gains of ipset, the graph below shows benchmark results for iptables with and without ipset (note the time axis).

Tell me how you like this. :-)


via: http://xmodulo.com/block-unwanted-ip-addresses-linux.html

Author: Dan Nanni  Translator: geekpi  Proofreading: wxy

This article was translated by LCTT and proudly presented by Linux China.
