wardmundy
Nerd Uno
The sophistication of the attackers is improving, so it seems prudent to rethink our security, which currently includes (1) a hardware-based firewall, (2) IPtables, and (3) fail2ban. What we think will help improve the overall security of our systems is a fourth layer: a blacklist of known attack sites. So the plan is to build up a list of these IP addresses that can be programmatically downloaded and automatically loaded into IPtables regularly. As you discover new attackers, please post the IP addresses here, and we'll add them until we get an automatic way for everyone to do it.
While this is still a work in progress, we wanted to circulate a prototype for comments and suggestions. Currently, there are 3 apps:
- a PHP script which checks whether you have the current version of the blacklist
- a BASH script which downloads the latest BlackList and then loads the entries in the blacklist into IPtables.
- a BASH script which refreshes IPtables with your current copy of the blacklist
To protect your server, issue the following command periodically:
/root/firewall-check.php
The first time it runs, there will be a couple of errors since you don't have the blacklist or MD5 of the blacklist on your server. Ignore them. It will grab the latest blacklist and load it into IPtables.
When you run it thereafter, it will check whether you have the latest blacklist. If you do, it will merely refresh IPtables with the blacklist you already have. If you don't have the latest blacklist, it will download it and then refresh IPtables.
If you ever reboot your system or restart IPtables, be sure to run firewall-check.php again since the blacklist is not (yet) automatically loaded!
Ultimately, you'll want to add this script as a cron job on your system so that it goes out every few hours and checks for updates. But don't do it yet... until we get the kinks out.
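An added example, not the post's own firewall-check.php or BASH scripts: the stale check against a published MD5 and the loading of the list into its own IPtables chain, as one POSIX shell script. The download URL, the .md5 suffix, the chain name BLACKLIST and the file path are assumptions.

```shell
#!/bin/sh
# Added example, not the post's scripts. URL, .md5 suffix, chain name and path are assumptions.
BLACKLIST_URL="https://example.invalid/blacklist.txt"   # placeholder, not a real source
BLACKLIST_FILE="${BLACKLIST_FILE:-/root/blacklist.txt}"
CHAIN="BLACKLIST"

# Hex MD5 of a file; empty when the file is missing (first run on a fresh box).
file_md5() {
    [ -f "$1" ] || { echo ""; return 0; }
    md5sum "$1" | cut -d' ' -f1
}

# Exit 0 when the local copy is missing or stale, 1 when it matches the published MD5.
blacklist_is_stale() {
    [ "$(file_md5 "$1")" != "$2" ]
}

# Render the blacklist (one IPv4 address or CIDR per line, '#' comments allowed) as an
# iptables-restore fragment for a dedicated chain. Anything that is not an address
# is skipped, so a corrupt or tampered download cannot inject arbitrary rule text.
render_rules() {
    echo "*filter"
    echo ":${CHAIN} - [0:0]"
    while IFS= read -r line || [ -n "$line" ]; do
        ip=$(printf '%s' "${line%%#*}" | tr -d '[:space:]')
        [ -n "$ip" ] || continue
        printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' || continue
        echo "-A ${CHAIN} -s ${ip} -j DROP"
    done < "$1"
    echo "COMMIT"
}

# Number of DROP rules a file yields; a download that yields zero should not be loaded.
count_rules() { render_rules "$1" | grep -c -- '-j DROP'; }

# The cycle the post describes: fetch the published MD5, download only when stale,
# then reload the chain. Needs root, curl and iptables; not exercised offline.
update_and_load() {
    remote_md5=$(curl -fsSL "${BLACKLIST_URL}.md5") || return 1
    remote_md5=${remote_md5%% *}
    if blacklist_is_stale "$BLACKLIST_FILE" "$remote_md5"; then
        curl -fsSL "$BLACKLIST_URL" -o "$BLACKLIST_FILE" || return 1
    fi
    [ "$(count_rules "$BLACKLIST_FILE")" -gt 0 ] || return 1
    iptables -N "$CHAIN" 2>/dev/null || true
    iptables -C INPUT -j "$CHAIN" 2>/dev/null || iptables -I INPUT -j "$CHAIN"
    # -n keeps the rest of the filter table; the existing BLACKLIST chain is flushed and refilled
    render_rules "$BLACKLIST_FILE" | iptables-restore -n
}
```

The MD5 only tells you whether the list changed; it does not authenticate it, so fetch over HTTPS (or verify a signature) so a tampered list cannot be loaded into the firewall.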