I ran across the firehol project, which includes a tool for automatically updating ipset lists from various online services that provide lists of bad, compromised, or otherwise malicious IP addresses.
These notes are incomplete, but
- I still have internet access
- email still passes in and out
- I am seeing traffic that is getting blocked by the ipset lists
- I can verify that the block lists are being periodically updated
The install involves installing the entire 'firehol' firewall product, but I have been careful not to use it and it doesn't seem to have broken anything (yet).
Install Firehol update-ipsets and enable the default recommended block lists

1. Install dependencies

On my system, I needed to install 'autoconf' and 'automake' (I already had the other dependencies installed):

yum install autoconf automake
2. Download and install Firehol from git

mkdir -p /root/firehol
cd /root/firehol
git clone https://github.com/firehol/iprange.git iprange.git
git clone https://github.com/firehol/firehol.git firehol.git
cd iprange.git
./autogen.sh
./configure --prefix=/usr CFLAGS="-march=native -O3" --disable-man
make
make install
cd ../firehol.git
./autogen.sh
./configure --prefix=/usr --sysconfdir=/etc --disable-man --disable-doc
# build and install (this is what places update-ipsets in /usr/sbin)
make
make install
# create a folder that 'update-ipsets' uses for various things...
mkdir -p /usr/var/run
3. Create ipset lists and enable the block lists recommended by Firehol

# create and enable default ipsets
for x in fullbogons dshield spamhaus_drop spamhaus_edrop; do ipset create $x hash:net; done
for x in fullbogons spamhaus_drop spamhaus_edrop; do update-ipsets enable $x; done
#
for x in feodo palevo sslbl zeus openbl blocklist_de; do ipset create $x hash:ip; done
for x in feodo palevo sslbl zeus openbl blocklist_de; do update-ipsets enable $x; done
#
update-ipsets
# confirm update
ipset list
# (you should see lots of IP addresses and networks fly by...)
4. Create a custom template fragment that references the enabled ipset lists

mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq
cd /etc/e-smith/templates-custom/etc/rc.d/init.d/masq
vi 41CreateIpsetDenyLog
Paste this content into the new template fragment:

{
    # deny/log fragment to match ipsets maintained by update-ipsets
    #
    # RETURN for traffic from the local network or from 127.0.0.0/12
    # (otherwise this traffic gets blocked by the 'fullbogons' list...)
    #
    # add ULOG and DROP lines for each enabled ipset
    #
    $OUT .= " /sbin/iptables --new-chain ipset-denylog\n";
    # @locals is supplied by the masq template; RETURN early for every local network
    my @mylocals = @locals;
    my $local = shift @mylocals;
    $OUT .= " /sbin/iptables --append ipset-denylog -s $local --jump RETURN\n";
    foreach my $network (@mylocals)
    {
        # each remaining local network gets its own RETURN rule
        $OUT .= " /sbin/iptables --append ipset-denylog -s $network --jump RETURN\n";
    }
}
/sbin/iptables --append ipset-denylog -s 127.0.0.0/12 --jump RETURN
/sbin/iptables --append ipset-denylog -m set --set blocklist_de src --jump ULOG --ulog-nlgroup 1 --ulog-prefix "ipset-blocklist_de"
/sbin/iptables --append ipset-denylog -m set --set blocklist_de src --jump DROP
/sbin/iptables --append ipset-denylog -m set --set dshield src --jump ULOG --ulog-nlgroup 1 --ulog-prefix "ipset-dshield"
/sbin/iptables --append ipset-denylog -m set --set dshield src --jump DROP
/sbin/iptables --append ipset-denylog -m set --set feodo src --jump ULOG --ulog-nlgroup 1 --ulog-prefix "ipset-feodo"
/sbin/iptables --append ipset-denylog -m set --set feodo src --jump DROP
/sbin/iptables --append ipset-denylog -m set --set fullbogons src --jump ULOG --ulog-nlgroup 1 --ulog-prefix "ipset-fullbogons"
/sbin/iptables --append ipset-denylog -m set --set fullbogons src --jump DROP
/sbin/iptables --append ipset-denylog -m set --set openbl src --jump ULOG --ulog-nlgroup 1 --ulog-prefix "ipset-openbl"
/sbin/iptables --append ipset-denylog -m set --set openbl src --jump DROP
/sbin/iptables --append ipset-denylog -m set --set palevo src --jump ULOG --ulog-nlgroup 1 --ulog-prefix "ipset-palevo"
/sbin/iptables --append ipset-denylog -m set --set palevo src --jump DROP
/sbin/iptables --append ipset-denylog -m set --set spamhaus_drop src --jump ULOG --ulog-nlgroup 1 --ulog-prefix "ipset-spamhaus_drop"
/sbin/iptables --append ipset-denylog -m set --set spamhaus_drop src --jump DROP
/sbin/iptables --append ipset-denylog -m set --set spamhaus_edrop src --jump ULOG --ulog-nlgroup 1 --ulog-prefix "ipset-spamhaus_edrop"
/sbin/iptables --append ipset-denylog -m set --set spamhaus_edrop src --jump DROP
/sbin/iptables --append ipset-denylog -m set --set sslbl src --jump ULOG --ulog-nlgroup 1 --ulog-prefix "ipset-sslbl"
/sbin/iptables --append ipset-denylog -m set --set sslbl src --jump DROP
/sbin/iptables --append ipset-denylog -m set --set zeus src --jump ULOG --ulog-nlgroup 1 --ulog-prefix "ipset-zeus"
/sbin/iptables --append ipset-denylog -m set --set zeus src --jump DROP
/sbin/iptables --append ipset-denylog -j RETURN
/sbin/iptables --insert INPUT 1 -j ipset-denylog
5. Activate the changes

masq must be restarted to activate these changes:
expand-template /etc/rc.d/init.d/masq
/etc/rc.d/init.d/masq restart
6. Monitor activity

Blocked traffic will appear in /var/log/iptables/current with a prefix of "ipset-xxx", where "xxx" is the list that caused the traffic to be blocked.
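A quick way to turn that log into a per-list summary (hits and distinct source addresses) is the small shell helper below. It is an added example, not part of the original notes; it relies only on the "ipset-xxx" prefix described above and assumes the logged line also carries a SRC= field, as ulogd's syslog-style output does. The sample log lines are constructed.

```shell
#!/bin/sh
# Per-list summary of traffic dropped by the ipset-denylog chain, read from
# the ULOG log (/var/log/iptables/current on the author's system). Each
# logged line carries the rule's --ulog-prefix "ipset-<list>"; the SRC=
# field is assumed to be present as in ulogd's syslog-style output.
# Added example, not part of the original notes.

# hits_per_list FILE: print "<list> <hits> <distinct-sources>", one line per
# block list, sorted by list name. FILE may be "-" for stdin.
hits_per_list() {
    grep -o 'ipset-[A-Za-z0-9_]* .*SRC=[0-9.]*' "$1" \
    | sed 's/^ipset-\([A-Za-z0-9_]*\) .*SRC=\([0-9.]*\)$/\1 \2/' \
    | awk '{ hits[$1]++; if (!seen[$1 " " $2]++) srcs[$1]++ }
           END { for (l in hits) print l, hits[l], srcs[l] }' \
    | sort
}

# Constructed sample log lines (documentation addresses, not real traffic);
# the timestamp and field layout are illustrative.
SAMPLE_LOG='2015-05-01T10:00:01 ipset-dshield IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.2 PROTO=TCP DPT=22
2015-05-01T10:00:05 ipset-dshield IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.2 PROTO=TCP DPT=23
2015-05-01T10:01:12 ipset-spamhaus_drop IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.2 PROTO=TCP DPT=25
2015-05-01T10:02:40 ipset-zeus IN=eth0 OUT= SRC=198.51.100.200 DST=203.0.113.2 PROTO=TCP DPT=443
2015-05-01T10:03:00 kernel: unrelated line with no ipset prefix SRC=10.0.0.5'

printf '%s\n' "$SAMPLE_LOG" | hits_per_list -
# Live use: hits_per_list /var/log/iptables/current
```

A list that suddenly shows many hits from a single source is usually a scanner; a list that never shows any hits may simply be empty (see the update check in step 8).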
7. Create a cron job to update the blocklists

Firehol recommends updating at an interval of between 5 and 15 minutes, avoiding 5, 10 and 15. I chose 11 minutes.
crontab -e
then add this line:
*/11 * * * * /usr/sbin/update-ipsets >/dev/null 2>&1
8. Verify that blocklists are being updated

The blocklists are downloaded to, and processed in, /etc/firehol/ipsets.
If crontab is working correctly, the files in that folder should have very recent times.
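Two checks cover both halves of "is it working": are the files in /etc/firehol/ipsets being refreshed, and do the kernel ipsets actually contain members. The helper below is an added example (not from the notes or the firehol project); the 'ipset list' layout it parses is assumed, and the sample listing is constructed.

```shell
#!/bin/sh
# Health check for the update-ipsets cron job: which download files in
# /etc/firehol/ipsets are older than the cron interval, and how many
# members each kernel ipset actually holds. Added example, not from the
# original notes or the firehol project.

# stale_ipset_files DIR MINUTES: print files under DIR not modified in the
# last MINUTES minutes. With an 11-minute cron job, anything older than,
# say, 30 minutes suggests the updater is not running or a fetch is failing.
stale_ipset_files() {
    find "$1" -type f -mmin +"$2" 2>/dev/null | sort
}

# ipset_member_counts: read 'ipset list' output on stdin and print
# "<set> <member-count>" per set, so empty sets (never populated) stand out.
# Assumes the usual layout: a "Name:" header, a "Members:" line, one member
# per line, sets separated by a blank line.
ipset_member_counts() {
    awk '/^Name:/    { set=$2; n[set]=0; inm=0; next }
         /^Members:/ { inm=1; next }
         /^$/        { inm=0; next }
         inm && NF   { n[set]++ }
         END         { for (s in n) print s, n[s] }' | sort
}

# Constructed 'ipset list' output for the demonstration (not a real dump).
SAMPLE_IPSET_LIST='Name: dshield
Type: hash:net
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 1208
References: 2
Members:
198.51.100.0/24
192.0.2.0/24

Name: zeus
Type: hash:ip
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 1000
References: 2
Members:
'

# Live use:
#   stale_ipset_files /etc/firehol/ipsets 30
#   ipset list | ipset_member_counts | awk '$2 == 0 { print "WARNING: empty set", $1 }'
printf '%s\n' "$SAMPLE_IPSET_LIST" | ipset_member_counts
```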
The firewall changes can be reverted using:
rm /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/41CreateIpsetDenyLog
expand-template /etc/rc.d/init.d/masq
/etc/rc.d/init.d/masq restart
A final note:
It's not 100% clear to me if this process updates the ipset lists on my server, or if the part of 'update-ipsets' that does that is part of the 'firehol' product that I am not using.