Navigation

giganet · #1 18th March 2009, 18:05

Hello HTF Group...

Today I finally got around to working with the HowTo: http://howtoforge.com/blocking-ip-ad...-with-iptables

My first question pertains to after the blocklist script runs.
The first thing the script does after using 'wget' to download the current Country IP Blocks is to run 'iptables -F' which purges IPTables of any current rules.

The issue I have is I also utilize the following IPTables rules to try and provide some security to SSH access and then additional rules to also close unused ports.

SSH Protection

Code:

iptables -A INPUT -p tcp --dport 54000 -m state --state NEW -m recent --set --name SSH -j ACCEPT
iptables -A INPUT -p tcp --dport 54000 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force"
iptables -A INPUT -p tcp --dport 54000 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
 
THE WHITELIST
iptables -A SSH_WHITELIST -s 65.197.209.0/25 -m recent --remove --name SSH -j ACCEPT
 
BLOCKING RULES
iptables -A INPUT -p tcp --dport 54000 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 54000 -m state --state NEW -j SSH_WHITELIST
iptables -A INPUT -p tcp --dport 54000 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j ULOG --ulog-prefix SSH_brute_force
iptables -A INPUT -p tcp --dport 54000 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROPBLOCKING RULES

CLOSE UNUSED PORTS

Code:

iptables -A INPUT -p tcp --dport 444:53999 -j DROP
iptables -A INPUT -p tcp --dport 54001:60000 -j DROP

After the script is finished running I have to re-enter the SSH protection and close unused ports rules manually.

Can I add these lines at the base of the script as such to automate this as follows?
BLOCKLIST BASH SCRIPT

Code:

GAMA.ORG###
###PUT HERE COMA SEPARATED LIST OF COUNTRY CODE###
COUNTRIES="A1,A2,AD,AE,AF,AG,AI,AL,AM,AN,AO,AP,AQ,AR,AS,AT,AU,AW,AX,AZ,BA,BB,BD,BE,BF,BG,BH,BI,BJ,BM,BN,BO,BR,BS,BT,BV,,BW,BY,BZ,CA,CC,CD,CF,CG,CH,CI,CK,CL,CM,CN,CO,CR,CU,CV,CX,CY,CZ,DE,DJ,DK,DM,DO,DZ,EC,EE,EG,EH,ER,ES,ET,EU,FI,FJ,FK,FM,FO,FR,GA,GB,GD,GE,GF,GG,GH,GI,GL,GM,GN,GP,GQ,GR,GS,GT,GU,GW,GY,HK,HM,HN,HR,HT,HU,ID,IE,IL,IM,IN,IO,IQ,IR,IS,IT,JE,JM,JO,JP,KE,KG,KH,KI,KM,KN,KP,KR,KW,KY,KZ,LA,LB,LC,LI,LK,LB,LC,LI,LK,LR,LS,LT,LU,LV,LY,MA,MC,MD,ME,MG,MH,MK,ML,MM,MO,MP,MQ,MR,MS,MT,MU,MV,MW,MX,MY,MZ,NA,NC,NE,NF,NF,NI,NL,NO,NP,NR,NU,NZ,OM,PA,PE,PF,PG,PH,PK,PL,PM,PN,PR,PS,PT,PW,PY,QA,RE,RO,RS,RU,RW,SA,SB,SC,SD,SE,SG,SH,SI,SJ,SK,SL,SM,SN,SO,SR,ST,SV,SY,SZ,TC,TD,TF,TG,TH,TJ,TK,TL,TM,TN,TO,TR,TT,TV,TW,TZ,UA,UG,UM,UY,UZ,VA,VC,VE,VG,VI,VN,VU,WF,WS,YE,YT,ZA,ZM,ZW"
WORKDIR="/root"
#######################################
cd $WORKDIR
wget -c --output-document=iptables-blocklist.txt http://blogama.org/country_query.php?country=$COUNTRIES
if [ -f iptables-blocklist.txt ]; then
  iptables -F
  BLOCKDB="iptables-blocklist.txt"
  IPS=$(grep -Ev "^#" $BLOCKDB)
  for i in $IPS
  do
    iptables -A INPUT -s $i -j DROP
    iptables -A OUTPUT -d $i -j DROP
  done
fi
rm $WORKDIR/iptables-blocklist.txt
do
iptables -A INPUT -p tcp --dport 54000 -m state --state NEW -m recent --set --name SSH -j ACCEPT
iptables -A INPUT -p tcp --dport 54000 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force"
iptables -A INPUT -p tcp --dport 54000 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
iptables -A SSH_WHITELIST -s 65.197.209.0/25 -m recent --remove --name SSH -j ACCEPT
iptables -A INPUT -p tcp --dport 54000 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 54000 -m state --state NEW -j SSH_WHITELIST
iptables -A INPUT -p tcp --dport 54000 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j ULOG --ulog-prefix SSH_brute_force
iptables -A INPUT -p tcp --dport 54000 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
iptables -A INPUT -p tcp --dport 444:53999 -j DROP
iptables -A INPUT -p tcp --dport 54001:60000 -j DROP
done

Would this be correct and acceptible?

One last thing I have issue with after the script runs- all services seems to function on the server afterwards however from the CLI I am unable to ping the world.
The server returns:

Code:

root@giganetwireless:/home/bender# ping yahoo.com
ping: unknown host yahoo.com

I do notice though now that after sending E-Mails from the server I receive: Delayed Mail (still being retried)
I am however able to receive in-bound E-Mail to this server...

The results of 'hostname -f && hostname' are following:

Code:

 
root@giganetwireless:/home/bender#  hostname -f localhost.localdomain
 
root@giganetwireless:/home/bender# hostname giganetwireless.net

netstat -tap Lines Of Interest

Code:

tcp6       0      0 [UNKNOWN]:953           *:*                     LISTEN     6261/named
tcp6       0      0 *:smtp                  *:*                     LISTEN     6211/master
getnameinfo failed
getnameinfo failed
tcp6       0      0 [UNKNOWN]:pop3          [UNKNOWN]:54015         TIME_WAIT  -

tail -f /var/log/mail.log Output

Code:

Mar 15 21:18:47 giganetwireless postfix/smtp[25481]: 4B7EB1C882BA: to=<web_admin@giganetwireless.com>, relay=none, delay=1122, delays=1122/0.01/0/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=giganetwireless.com type=MX: Host not found, try again)
Mar 15 21:18:47 giganetwireless postfix/smtp[25482]: DCA081C882B7: to=<web_admin@giganetwireless.com>, relay=none, delay=4721, delays=4721/0.01/0/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=giganetwireless.com type=MX: Host not found, try again)
Mar 15 21:18:47 giganetwireless postfix/smtp[25484]: 76CBB1C882AD: to=<web_admin@giganetwireless.com>, relay=none, delay=8322, delays=8322/0.02/0/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=giganetwireless.com type=MX: Host not found, try again)

Thanking you in advance for your time and help.

Best Regards

falko · #2 19th March 2009, 17:00

Quote:

Originally Posted by giganet

Would this be correct and acceptible?

I think this should work.

Regarding the connection problem: I guess this is related to your firewall problem. Please modify the script and try again.

giganet · #3 19th March 2009, 17:29

Hi Falko, thank you for the reply...

I did find that the DNS numbers used in 'resolv.conf' were in the same network as some of the blocked country numbers, after changing the DNS numbers I can ping the world now.

The issue I am trying to resolve with this presently is that when I attempt to run 'apt-get update' apt snags on the following:

Code:

0% [Connecting to us.archive.ubuntu.com (91.189.88.45)] [Connecting to security.ubuntu.com (91.189.88.37)]

The above IP originates from the U.K., Canonical

Presently in 'apt' my 'sources.list' is as follows:

Code:

# deb http://us.archive.ubuntu.com/ubuntu/ gutsy main restricted
# deb http://us.archive.ubuntu.com/ubuntu/ gutsy-updates main restricted
# deb http://us.archive.ubuntu.com/ubuntu gutsy-security main restricted
# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
# newer versions of the distribution.
deb http://us.archive.ubuntu.com/ubuntu/ gutsy main restricted
deb-src http://us.archive.ubuntu.com/ubuntu/ gutsy main restricted
## Major bug fix updates produced after the final release of the
## distribution.
deb http://us.archive.ubuntu.com/ubuntu/ gutsy-updates main restricted
deb-src http://us.archive.ubuntu.com/ubuntu/ gutsy-updates main restricted
## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team, and may not be under a free licence. Please satisfy yourself as to
## your rights to use the software. Also, please note that software in
## universe WILL NOT receive any review or updates from the Ubuntu security
## team.
deb http://us.archive.ubuntu.com/ubuntu/ gutsy universe
deb-src http://us.archive.ubuntu.com/ubuntu/ gutsy universe
deb http://us.archive.ubuntu.com/ubuntu/ gutsy-updates universe
deb-src http://us.archive.ubuntu.com/ubuntu/ gutsy-updates universe
## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team, and may not be under a free licence. Please satisfy yourself as to
## your rights to use the software. Also, please note that software in
## multiverse WILL NOT receive any review or updates from the Ubuntu
## security team.
deb http://us.archive.ubuntu.com/ubuntu/ gutsy multiverse
deb-src http://us.archive.ubuntu.com/ubuntu/ gutsy multiverse
deb http://us.archive.ubuntu.com/ubuntu/ gutsy-updates multiverse
deb-src http://us.archive.ubuntu.com/ubuntu/ gutsy-updates multiverse
## Uncomment the following two lines to add software from the 'backports'
## repository.
## N.B. software from this repository may not have been tested as
## extensively as that contained in the main release, although it includes
## newer versions of some applications which may provide useful features.
## Also, please note that software in backports WILL NOT receive any review
## or updates from the Ubuntu security team.
# deb http://us.archive.ubuntu.com/ubuntu/ gutsy-backports main restricted universe multiverse
# deb-src http://us.archive.ubuntu.com/ubuntu/ gutsy-backports main restricted universe multiverse
## Uncomment the following two lines to add software from Canonical's
## 'partner' repository. This software is not part of Ubuntu, but is
## offered by Canonical and the respective vendors as a service to Ubuntu
## users.
# deb http://archive.canonical.com/ubuntu gutsy partner
# deb-src http://archive.canonical.com/ubuntu gutsy partner
deb http://security.ubuntu.com/ubuntu gutsy-security main restricted
deb-src http://security.ubuntu.com/ubuntu gutsy-security main restricted
deb http://security.ubuntu.com/ubuntu gutsy-security universe
deb-src http://security.ubuntu.com/ubuntu gutsy-security universe
deb http://security.ubuntu.com/ubuntu gutsy-security multiverse
deb-src http://security.ubuntu.com/ubuntu gutsy-security multiverse

What would the U.S. sources URL be for the security?

BTW: the OS is UBUNTU 7.10

Thank you

Best Regards

giganet · #4 20th March 2009, 05:41

ISSUE SOLVED

I had to open a few ports which I had closed down and also set new DNS numbers in resolv.conf and VIOLA!

Thank you Falko

Best Regards

adam0x54 · #5 25th March 2009, 16:50

A suggestion here...

instead of blacklisting ports why dont you whitelist ports and make a default drop policy?

-Adam

giganet · #6 25th March 2009, 22:14

Hi Adam...

Thank you for the reply.

Excuse my ignorance, but in short detail what measures would I take to implement a port whitelist including DROP policy?

Once again, thank you for sharing your knowlege too!

Best Regards

adam0x54 · #7 25th March 2009, 23:39

The default policy should drop everything except what is allowed in the iptables
ex. ssh, http,https and dns. Everything else should be dropped. Do a netstat and see what ports you are using.

Default drop policy:

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

Here is a great place to start:

http://www.redhat.com/docs/en-US/Red...-iptables.html

glennbb · #8 27th October 2009, 02:23

Quote:

Originally Posted by giganet

ISSUE SOLVED

I had to open a few ports which I had closed down and also set new DNS numbers in resolv.conf and VIOLA!

I'm having the same issue on one of my machines here. Would you mind elaborating on what ports you had to open to get this to work? (I already have 80 open)

Thanks

Glenn