PIONEERS New SIP Firewall Design for Publicly-Accessible PBX

wardmundy

Nerd Uno
One of the serious drawbacks of the Travelin' Man 3 Firewall is that it forces you to maintain a whitelist for all of your users. It also makes it impossible to authorize anonymous SIP access for anybody or any extension. We've been playing around with an alternate approach after reading this blog post from Dr. Lin Song. There's an accompanying GitHub repo here. We've taken it a bit further by randomizing the SSH port and modifying sip-external-custom.

UPDATE: New post on Nerd Vittles supersedes the info below...

SIP Happens! Deploying a Publicly-Accessible Asterisk PBX

The way it works for SIP access goes like this. Anonymous SIP URI connections are allowed but only using the fully-qualified domain name (FQDN) of your server which must be inserted in line 10. Security through obscurity helps! SIP URI connections to the IP address of your server get disconnected immediately. In the modified sip-external-custom file, there is a whitelist of extensions that can be contacted anonymously below line 14. These could be actual extensions, e.g. a support desk. Or it could be an IVR, an Asterisk app, or whatever else you wish to expose for public access.

We couldn't get Lin Song's IPtables code blocking access by IP address to work so we've handled that in the sip-external-custom context below and in sip_custom.conf. We plan to write this up on Nerd Vittles next week, but I thought I'd throw it open for comment in case somebody catches the IPtables problem with the IP address blocking piece.

We've also retained a slightly modified iptables-custom whitelist so that individual IP addresses can be whitelisted to facilitate HTTP access and access from trunk providers such as Skyetel that don't support SIP trunk registration.

Here's what our modified sip-external-custom context looks like in extensions_override_freepbx.conf:
Code:
[from-sip-external]
exten => _.,1,NoOp(Domain: ${SIPDOMAIN})
exten => _.,2,NoOp(Channel: ${CHANNEL})
exten => _.,3,Set(TESTAT=${CUT(SIP_HEADER(From),@,2)})
exten => _.,4,NoOp(TESTAT: ${TESTAT})
exten => _.,5,GotoIf($["${TESTAT}" != ""]?hasat)
exten => _.,6,Set(FROM_IP=${CUT(CUT(SIP_HEADER(From),>,1),:,2)})
exten => _.,7,Goto(gotip)
exten => _.,8(hasat),Set(FROM_IP=${CUT(CUT(CUT(SIP_HEADER(From),@,2),>,1),:,1)})
exten => _.,9(gotip),NoOp(Gateway IP is ${FROM_IP})
exten => _.,10,GotoIf($["${SIPDOMAIN}"!="PBX-FQDN-GOES-HERE"]?baddomain)
exten => _.,11,NoOp(Received incoming SIP connection from unknown peer to ${EXTEN})
exten => _.,12,Goto(${EXTEN},13)
exten => _.,13,Goto(s,1)
exten => _.,14(baddomain),Set(VIA2=${CUT(SIP_HEADER(Via),=,-1)})
exten => _.,15,Set(VIA3=${CUT(VIA2,\;,-1)})
exten => _.,16,Set(VIA4=${CUT(VIA3,\ ,2)})
exten => _.,17,Set(VIA5=${CUT(VIA4,\:,-1)})
exten => _.,18,GotoIf($["${VIA5}"="0.0.0.0"]?alldone)
exten => _.,19,NoOp(VIA: ${CUT(SIP_HEADER(Via),=,-1)})
exten => _.,20(alldone),Hangup


; WhiteListed extensions must all be XXXX,13,dialstring
exten => 3366,13,Dial(local/3366@from-internal)

exten => s,1,GotoIf($["${SIPLANG}"!=""]?setlanguage:checkanon)
exten => s,n(setlanguage),Set(CHANNEL(language)=${SIPLANG})
exten => s,n(checkanon),GotoIf($["${ALLOW_SIP_ANON}"!="yes"]?noanonymous)
exten => s,n,Goto(from-trunk,${DID},1)
exten => s,n(noanonymous),Set(TIMEOUT(absolute)=15)
exten => s,n,Log(WARNING,"Rejecting unknown SIP connection from ${CHANNEL(recvip)}")
exten => s,n,Answer
exten => s,n,Wait(2)
exten => s,n,Zapateller()
exten => s,n,Playback(ss-noservice)
exten => s,n,Congestion(3)
exten => s,n,Hangup
exten => h,1,Hangup
exten => i,1,Hangup
exten => t,1,Hangup
;-------------------------------------------------------------------------------


As @ou812 notes below, issuing the following commands will block all SIP registrations except those directed to your server's FQDN. This includes attempts to register to the IP address of your server.
Code:
echo "domain=servers-FQDN" >> /etc/asterisk/sip_custom.conf
amportal restart

Our PBX is publicly exposed at 107.173.67.56 and the bad guys have already found it. We'll keep you posted on their progress and ours. :cool:

Assuming you whitelisted the 3366 extension, calls to 3366@your-FQDN would go through, calls to 3366@server-ip-address would fail with baddomain, and calls to 701@your-FQDN would fail using the s extension code. As the code stands now, SIP registration attempts to either the FQDN or IP address would be managed by your Fail2Ban rules, which is why I'd like to get the iptables code working to at least block the IP address attempts.


More to come...
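To check the three outcomes described in the post offline, here is an added Python model of the from-sip-external context above; it is not code from the post. PBX_FQDN, PBX_IP and the sample INVITEs are constructed values, 3366 is the whitelisted extension from the post, and only INVITE is modelled (REGISTER handling belongs to sip_custom.conf).

```python
import re

PBX_FQDN = "pbx.example.com"   # stands in for PBX-FQDN-GOES-HERE (constructed)
PBX_IP = "203.0.113.10"        # the server's own public address (constructed)
WHITELIST = {"3366"}           # extensions with an explicit XXXX,13 line, as in the post
ALLOW_SIP_ANON = False         # FreePBX "Allow Anonymous Inbound SIP Calls" left at No


def parse_request(msg: str) -> dict:
    """Split a SIP request into method, Request-URI user, ${SIPDOMAIN} and headers."""
    lines = msg.replace("\r\n", "\n").strip("\n").split("\n")
    method, uri, _version = lines[0].split(" ", 2)
    m = re.match(r"sips?:(?:([^@]+)@)?([^;>]+)", uri)
    domain = m.group(2).split(":")[0]        # ${SIPDOMAIN} is the host, without :port
    headers = {}
    for line in lines[1:]:
        if not line:                         # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "exten": m.group(1) or "", "domain": domain, "headers": headers}


def from_ip(from_header: str) -> str:
    """Priorities 3-9 of the context: the host part of the From URI, with or without '@'."""
    after_at = from_header.partition("@")[2]          # CUT(SIP_HEADER(From),@,2)
    if after_at:                                      # hasat branch
        return after_at.split(">")[0].split(":")[0]   # CUT(CUT(...,>,1),:,1)
    parts = from_header.split(">")[0].split(":")      # CUT(CUT(...,>,1),:,2)
    return parts[1] if len(parts) > 1 else ""


def route(msg: str) -> str:
    """Outcome the from-sip-external context reaches for one unauthenticated INVITE."""
    req = parse_request(msg)
    if req["method"] != "INVITE":
        return "not-modelled"     # REGISTER is handled by domain= in sip_custom.conf, not here
    gateway_ip = from_ip(req["headers"].get("from", ""))
    if req["domain"] != PBX_FQDN:                     # priority 10 -> baddomain -> Hangup
        return f"baddomain:hangup (peer {gateway_ip})"
    if req["exten"] in WHITELIST:                     # Goto(${EXTEN},13) hits the explicit line
        return f"dial:local/{req['exten']}@from-internal"
    if ALLOW_SIP_ANON:                                # _.,13 -> Goto(s,1) -> checkanon
        return "from-trunk"
    return f"noanonymous:ss-noservice (peer {gateway_ip})"


def sample_invite(user: str, domain: str, from_hdr: str) -> str:
    """Minimal constructed INVITE for the checks below; not captured traffic."""
    return (f"INVITE sip:{user}@{domain} SIP/2.0\r\n"
            "Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bKconstructed\r\n"
            f"From: {from_hdr}\r\n"
            f"To: <sip:{user}@{domain}>\r\n"
            "Call-ID: constructed-1\r\n\r\n")


# The three cases described in the post, with a From header in each of the two shapes
CALL_WHITELISTED_FQDN = sample_invite("3366", PBX_FQDN, '"caller" <sip:alice@198.51.100.7:5060>;tag=1')
CALL_WHITELISTED_IP = sample_invite("3366", PBX_IP, '"caller" <sip:alice@198.51.100.7:5060>;tag=2')
CALL_OTHER_EXTEN_FQDN = sample_invite("701", PBX_FQDN, "<sip:198.51.100.7>;tag=3")

if __name__ == "__main__":
    for label, msg in [("3366@FQDN", CALL_WHITELISTED_FQDN),
                       ("3366@IP", CALL_WHITELISTED_IP),
                       ("701@FQDN", CALL_OTHER_EXTEN_FQDN)]:
        print(f"{label:10} -> {route(msg)}")
```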

wardmundy

Nerd Uno
Download /etc/sysconfig/iptables here. Replace 1999 with your actual SSH port and insert your PBX FQDNs in the two YOUR_HOSTNAME.no-ip.com lines provided.

/usr/local/sbin/iptables-custom looks like this and should include your whitelisted IP addresses for your personal access:
Code:
#!/bin/bash

# just in case the platform is different
ln -s /sbin/iptables /usr/sbin/iptables

# Private LAN WhiteList goes here (WARNING: 172 subnet leaves security hole with Amazon EC2)
# None of these should be necessary with cloud-based servers so comment them out just to be safe
# Only exception would be for NeoRouter which requires 10. subnet
/usr/sbin/iptables -A INPUT -s 10.0.0.0/8 -j ACCEPT

# Here's the Incredible PBX list of SIP Trusted Providers
/usr/sbin/iptables -A INPUT -s 199.101.184.146/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
/usr/sbin/iptables -A INPUT -s 174.34.146.162/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
/usr/sbin/iptables -A INPUT -s 173.208.83.50/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
/usr/sbin/iptables -A INPUT -s 74.54.54.178/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
/usr/sbin/iptables -A INPUT -s 209.62.1.2/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
/usr/sbin/iptables -A INPUT -s 67.215.241.250/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
/usr/sbin/iptables -A INPUT -s 74.63.41.218/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
/usr/sbin/iptables -A INPUT -s 69.147.236.82/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
/usr/sbin/iptables -A INPUT -s 68.233.226.97/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
/usr/sbin/iptables -A INPUT -s 67.205.74.184/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
/usr/sbin/iptables -A INPUT -s 67.205.74.187/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
/usr/sbin/iptables -A INPUT -s 174.137.63.206/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
/usr/sbin/iptables -A INPUT -s 174.137.63.202/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
/usr/sbin/iptables -A INPUT -s 5.77.36.136/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
/usr/sbin/iptables -A INPUT -s 204.11.192.32/30 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
/usr/sbin/iptables -A INPUT -s 204.155.28.10/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
/usr/sbin/iptables -A INPUT -s 64.136.174.24/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
/usr/sbin/iptables -A INPUT -s 64.136.174.24/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
/usr/sbin/iptables -A INPUT -s 64.34.181.47/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
/usr/sbin/iptables -A INPUT -s 69.90.174.98/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
/usr/sbin/iptables -A INPUT -s 85.17.186.7/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069 -j ACCEPT
/usr/sbin/iptables -A INPUT -s 81.23.228.129/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069 -j ACCEPT
/usr/sbin/iptables -A INPUT -s 67.228.182.2/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069 -j ACCEPT
/usr/sbin/iptables -A INPUT -s 64.251.23.244/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
/usr/sbin/iptables -A INPUT -s 85.17.148.32/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
/usr/sbin/iptables -A INPUT -s 63.211.239.14/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
/usr/sbin/iptables -A INPUT -s 63.247.78.218/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
/usr/sbin/iptables -A INPUT -s 8.3.252.23/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
/usr/sbin/iptables -A INPUT -s 8.14.120.23/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
/usr/sbin/iptables -A INPUT -s 8.17.37.23/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
/usr/sbin/iptables -A INPUT -s 66.54.140.46/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
/usr/sbin/iptables -A INPUT -s 66.54.140.47/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
/usr/sbin/iptables -A INPUT -s 64.62.236.143/32 -p udp -m udp --dport 5060:5069 -j ACCEPT
/usr/sbin/iptables -A INPUT -s 24.211.64.206/32 -p udp -m udp --dport 5060:5069 -j ACCEPT
/usr/sbin/iptables -A INPUT -s 199.30.56.194/32 -p udp -m udp --dport 5060:5069 -j ACCEPT
/usr/sbin/iptables -A INPUT -s 209.216.15.70/32 -p udp -m udp --dport 5060:5069 -j ACCEPT
/usr/sbin/iptables -A INPUT -s 209.216.2.211/32 -p udp -m udp --dport 5060:5069 -j ACCEPT
/usr/sbin/iptables -A INPUT -s 184.154.97.11/32 -p udp -m udp --dport 5060:5069 -j ACCEPT
/usr/sbin/iptables -A INPUT -s 81.23.228.150/32 -p udp -m udp --dport 5060:5069 -j ACCEPT
/usr/sbin/iptables -A INPUT -s 81.23.228.150/32 -p tcp -m tcp --dport 5060:5069 -j ACCEPT
/usr/sbin/iptables -A INPUT -s 65.254.44.194/32 -p udp -m udp --dport 5060:5069 -j ACCEPT
/usr/sbin/iptables -A INPUT -s 74.81.71.18/32 -p udp -m udp --dport 5060:5069 -j ACCEPT
/usr/sbin/iptables -A INPUT -s 50.22.101.14/32 -p udp -m udp --dport 5060:5069 -j ACCEPT
/usr/sbin/iptables -A INPUT -s 67.212.84.21/32 -p udp -m udp --dport 5060:5069 -j ACCEPT
/usr/sbin/iptables -A INPUT -s 176.9.39.206/32 -p udp -m udp --dport 5060:5069 -j ACCEPT
/usr/sbin/iptables -A INPUT -s 72.9.149.25/32 -p udp -m udp --dport 5060:5069 -j ACCEPT
/usr/sbin/iptables -A INPUT -s 50.22.102.242/32 -p udp -m udp --dport 5060:5069 -j ACCEPT
/usr/sbin/iptables -A INPUT -s 98.254.157.185/32 -p udp -m udp --dport 5060:5069 -j ACCEPT
/usr/sbin/iptables -A INPUT -s 178.63.143.236/32 -p udp -m udp --dport 5060:5069 -j ACCEPT
/usr/sbin/iptables -A INPUT -s 98.254.157.185/32 -p udp -m udp --dport 5060:5069 -j ACCEPT
/usr/sbin/iptables -A INPUT -s 64.2.142.26/32 -p udp -m udp --dport 5060:5069 -j ACCEPT
# Simonics SIP-GV Gateway addresses are next
/usr/sbin/iptables -A INPUT -s 198.199.84.66   -p udp -m udp --dport 5060:5069 -j ACCEPT
/usr/sbin/iptables -A INPUT -s 104.236.102.59  -p udp -m udp --dport 5060:5069 -j ACCEPT
/usr/sbin/iptables -A INPUT -s 159.203.110.178 -p udp -m udp --dport 5060:5069 -j ACCEPT
/usr/sbin/iptables -A INPUT -s 45.55.163.124   -p udp -m udp --dport 5060:5069 -j ACCEPT
/usr/sbin/iptables -A INPUT -s 162.243.107.101 -p udp -m udp --dport 5060:5069 -j ACCEPT
/usr/sbin/iptables -A INPUT -s 162.243.210.200 -p udp -m udp --dport 5060:5069 -j ACCEPT
# new additions
# IPC-Texas-DID
/usr/sbin/iptables -A INPUT -p udp -m udp -s 216.66.23.179 --dport 5060:5069 -j ACCEPT
# Skyetel-EU
/usr/sbin/iptables -A INPUT -s 35.156.192.164 -j ACCEPT
# Skyetel-SE
/usr/sbin/iptables -A INPUT -s 50.17.48.216 -j ACCEPT
# Skyetel-NE
/usr/sbin/iptables -A INPUT -s 52.60.138.31 -j ACCEPT
# Skyetel-SW
/usr/sbin/iptables -A INPUT -s 52.8.201.128 -j ACCEPT
# Skyetel-NW
/usr/sbin/iptables -A INPUT -s 52.41.52.34 -j ACCEPT
# v1voip5
/usr/sbin/iptables -A INPUT -p udp -m udp -s sip1.v1voip.com --dport 5060:5069 -j ACCEPT
# v1voip4
/usr/sbin/iptables -A INPUT -p udp -m udp -s sip2.v1voip.com --dport 5060:5069 -j ACCEPT
# v1voip3
/usr/sbin/iptables -A INPUT -p udp -m udp -s sip.v1voip.com --dport 5060:5069 -j ACCEPT
# v1voip2
/usr/sbin/iptables -A INPUT -p udp -m udp -s 173.246.36.196 --dport 5060:5069 -j ACCEPT
# v1voip1
/usr/sbin/iptables -A INPUT -p udp -m udp -s 207.239.159.171 --dport 5060:5069 -j ACCEPT
# End of Trusted Provider Section

# sample custom rule for full server access looks like this
/usr/sbin/iptables -A INPUT -s yourFQDN.DYNDNS.ORG -j ACCEPT
/usr/sbin/iptables -A INPUT -s another-FQDN -j ACCEPT
# whitelist IP address additions go below here
/usr/sbin/iptables -A INPUT -s 12.34.56.78 -j ACCEPT

# custom rules go below here


# do not edit below here. Facebook Messenger WhiteList gets generated next...
# be sure to issue iptables-restart nightly in /etc/crontab like this:
# 15 0 * * * root /usr/local/sbin/iptables-restart >/dev/null 2>&1

#whois -h whois.radb.net -- '-i origin AS32934' | grep ^route: | sed "s|route:     |/usr/sbin/iptables -A INPUT -s |" | sed "s|$| -p tcp -m tcp --dport 443 -j ACCEPT|" > /usr/local/sbin/iptables-facebook
#chmod +x /usr/local/sbin/iptables-facebook
#/usr/local/sbin/iptables-facebook

# be sure you keep the following rule

/usr/sbin/iptables -A INPUT -j DROP

wardmundy

Nerd Uno
/usr/local/sbin/iptables-restart looks like this:
Code:
#!/bin/bash
service iptables restart
service ip6tables restart
/etc/init.d/fail2ban restart
/usr/local/sbin/iptables-custom
/usr/sbin/fwconsole chown

krzykat

Telecom Strategist
Ward, the problem with this as I see it is that you can get peppered with everybody and their brother and you could be susceptible to a DOS attack. The beauty of the Whitelist methodology was that people never really saw anything there and they'd move on to greener pastures. The use of FQDN is great, and if you know what user agent is being used, you can use that too as a key to entry.


Code:
-A PROVISION -p udp -m string --dport 5060 -j UAGENT --string "REGISTER sip.fqdn.com" --algo bm
-A PROVISION -p udp -m string --dport 5060 -j ACCEPT --string "User-Agent: Bria" --algo bm

We've decided to open a specific port for authentication only, and you must hit it with the FQDN or you get kicked out.
Secondly, we check your MAC (yes, it can be faked, but after already hitting the other keys, the odds of this are close to nil).
Then we do provisioning and add the IP of that device to IPtables (and if they change their IP, we update accordingly).

Since we've gone to this method, we've had close to zero attempts as they can't even find our servers to begin with.
 

wardmundy

Nerd Uno
Agreed. This would mostly be for those that need a public-facing server with limited functionality. DOS attack is handled in the firewall code. But trust me. We're not giving up on Travelin' Man 3.
 

ou812

Guru
If you add 1 line of code to sip.conf, or wherever suits your needs, no users can register using the IP address; they must use the domain name. This line can be repeated for more names.

Code:
domain=yourdomain.com
 

tbrummell

Guru
If you add 1 line of code to sip.conf, or wherever suits your needs, no users can register using the IP address; they must use the domain name. This line can be repeated for more names.

Code:
domain=yourdomain.com
You can add it in FPBX Sip Settings as well, accomplishes the same thing.
 

wardmundy

Nerd Uno
Or add directly to sip_custom.conf and restart Asterisk.

With this addition, all attacks using the PBX IP address (including INVITE and REGISTER requests) will be blocked. Works like a champ. Now all you need is an obscure FQDN. :cool:

UPDATE: There's another hidden advantage to the @tbrummell addition that we've discovered. You can separate SIP registrations and SIP invites into separate domains. This means you could expose your PBX for SIP URI anonymous access without letting all the folks that knew that domain name also attempt to register to extensions to make calls on your nickel. For example, try this SIP URI: [email protected].

wardmundy

Nerd Uno
Following release of our article, we've tried a new provider, SnowVPS, with good pricing on both OpenVZ ($12/yr) and KVM ($15/yr) offerings. We wanted to see if a KVM platform made much difference, and it doesn't appear to offer much of an improvement. What was an improvement was the number of random attacks on the server. With HostedSimply, it's all day, every day. With SnowVPS, in 3 days of testing, we haven't had a single anonymous visitor.

What KVM would also provide is support for ipset which would let you block entire countries of bad guys. That won't catch everybody, but it would make a huge dent.
 

wardmundy

Nerd Uno
2/6/2019 UPDATE: We've had both OpenVZ and KVM platforms running for about a week. The OpenVZ platform literally gets hammered with hack attempts all day every day. We installed the IPset mods below on the KVM platform, adding @dicko's mods from below. Now we get 1 or 2 hack attempts a day, which Fail2Ban catches.

First, add the following code to /etc/sysconfig/iptables in the IPSPF section of the code. Country code list is here.
Code:
# Drop desired IPSET countries to match script below
-A IPSPF -m set --match-set cn src -j DROP
-A IPSPF -m set --match-set ru src -j DROP
-A IPSPF -m set --match-set ps src -j DROP
-A IPSPF -m set --match-set kp src -j DROP
-A IPSPF -m set --match-set ua src -j DROP
-A IPSPF -m set --match-set md src -j DROP
-A IPSPF -m set --match-set nl src -j DROP
-A IPSPF -m set --match-set fr src -j DROP

Second, build a blockem.sh script in /etc, make it executable, and run it whenever you reboot your server or perhaps once a week. It automatically restarts IPtables and Fail2Ban to pick up any changes in blocked countries list.
Code:
#!/bin/bash

cd /etc
wget -qO - http://www.ipdeny.com/ipblocks/data/countries/all-zones.tar.gz| tar zxvf -
for i in \
cn ru ps kp ua md nl fr
do
/usr/sbin/ipset create -exist $i hash:net
for j in $(cat $i.zone); do /usr/sbin/ipset add -exist $i $j; done
done
wait
sleep 5
service iptables restart
wait
service fail2ban restart
exit 0

jerrm

Guru
I can't imagine living without ipset. We use it extensively outside of geoblocking.

I assume ipdeny.com is reliable now. We had been using them, but several years ago they were effectively down for months. Switched to the geolite databases and never looked back.
 

dicko

Still learning but earning
UPDATE: We've had both OpenVZ and KVM platforms running for about a week. The OpenVZ platform literally gets hammered with hack attempts all day every day. We installed the IPset mods below on the KVM platform, and that platform only gets 1 or 2 hack attempts a day, which Fail2Ban catches.

First, add the following code to /etc/sysconfig/iptables in the IPSPF section of the code:
Code:
# Drop IPSET countries
-A IPSPF -p tcp -m set --match-set china src -j DROP
-A IPSPF -p tcp -m set --match-set russia src -j DROP
-A IPSPF -p tcp -m set --match-set palestine src -j DROP
-A IPSPF -p tcp -m set --match-set nkorea src -j DROP
-A IPSPF -p tcp -m set --match-set ukraine src -j DROP
-A IPSPF -p tcp -m set --match-set moldavia src -j DROP
-A IPSPF -p tcp -m set --match-set netherlands src -j DROP

Second, build a blockem.sh script in /etc, make it executable, and run it whenever you reboot your server or perhaps once a week. It automatically stops and restarts IPtables and Fail2Ban.
Code:
#!/bin/bash

cd /etc
service iptables stop
/usr/sbin/ipset destroy china
/usr/sbin/ipset destroy russia
/usr/sbin/ipset destroy palestine
/usr/sbin/ipset destroy nkorea
/usr/sbin/ipset destroy ukraine
/usr/sbin/ipset destroy moldavia
/usr/sbin/ipset destroy netherlands

/usr/sbin/ipset -N china hash:net
rm cn.zone
/usr/bin/wget -P . http://www.ipdeny.com/ipblocks/data/countries/cn.zone
for i in $(cat /etc/cn.zone); do /usr/sbin/ipset -A china $i; done
/usr/sbin/ipset -N russia hash:net
rm ru.zone
/usr/bin/wget -P . http://www.ipdeny.com/ipblocks/data/countries/ru.zone
for i in $(cat /etc/ru.zone); do /usr/sbin/ipset -A russia $i; done
/usr/sbin/ipset -N palestine hash:net
rm ps.zone
/usr/bin/wget -P . http://www.ipdeny.com/ipblocks/data/countries/ps.zone
for i in $(cat /etc/ps.zone); do /usr/sbin/ipset -A palestine $i ; done
/usr/sbin/ipset -N nkorea hash:net
rm kp.zone
/usr/bin/wget -P . http://www.ipdeny.com/ipblocks/data/countries/kp.zone
for i in $(cat /etc/kp.zone); do /usr/sbin/ipset -A nkorea $i; done
/usr/sbin/ipset -N ukraine hash:net
rm ua.zone
/usr/bin/wget -P . http://www.ipdeny.com/ipblocks/data/countries/ua.zone
for i in $(cat /etc/ua.zone); do /usr/sbin/ipset -A ukraine $i; done
/usr/sbin/ipset -N moldavia hash:net
rm md.zone
/usr/bin/wget -P . http://www.ipdeny.com/ipblocks/data/countries/md.zone
for i in $(cat /etc/md.zone); do /usr/sbin/ipset -A moldavia $i; done
/usr/sbin/ipset -N netherlands hash:net
rm nl.zone
/usr/bin/wget -P . http://www.ipdeny.com/ipblocks/data/countries/nl.zone
for i in $(cat /etc/nl.zone); do /usr/sbin/ipset -A netherlands $i; done
/usr/local/sbin/iptables-restart

or perhaps more sparsely (and easier to add/remove countries):

Code:
#!/bin/bash
cd /tmp
for i in \
cn ru ps kp ua md nl fi
do
wget --quiet http://www.ipdeny.com/ipblocks/data/aggregated/$i-aggregated.zone -O $i.zone
/usr/sbin/ipset create -exist $i hash:net
for j in $(cat $i.zone); do /usr/sbin/ipset add -exist $i $j; done
done
exit 0



No need to stop or start iptables unless perhaps a country is added.

dicko

Still learning but earning
@ostridge indeed, it is mentioned as a source in

https://firehol.org/

a nice comprehensive overview of various blacklists and how to implement them; personally I use it.

edit:

It's a little ironic that

www.voipbl.org (74.121.160.143)

is in its own blacklist. Go figure ;-) . . .

jerrm

Guru
or perhaps more sparsely (and easier to add/remove countries):

Code:
#!/bin/bash
cd /tmp
for i in \
cn ru ps kp ua md nl fi
do
wget --quiet http://www.ipdeny.com/ipblocks/data/aggregated/$i-aggregated.zone -O $i.zone
/usr/sbin/ipset create -exist $i hash:net
for j in $(cat $i.zone); do /usr/sbin/ipset add -exist $i $j; done
done
exit 0



No need to stop or start iptables unless perhaps a country is added.

More for general information than a response to @dicko .

When working with larger sets, adding IPs line by line in ipset is slow. Building a file that can be loaded with ipset restore is MULTIPLE orders of magnitude faster.

I would do something more like:
Code:
#!/bin/bash
PATH=/usr/sbin:/sbin:/usr/bin:/bin
cd /tmp
for i in \
cn ru ps kp ua md nl fi
do
    ipset create -exist $i hash:net
    ipset destroy $i.temp &> /dev/null
    wget --quiet http://www.ipdeny.com/ipblocks/data/aggregated/$i-aggregated.zone -O $i.zone
    { echo "create $i.temp hash:net"
      cat $i.zone | awk -v setname="$i" '/^[^#]/ { print "add " setname ".temp " $1}'
     } | ipset restore
    ipset swap $i.temp $i
    ipset destroy $i.temp &> /dev/null
done
exit 0

23 seconds vs 0.11 seconds for the above lists (on my test system). Not a big deal, but if working with larger sets (or slower hardware) it can be meaningful.
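As an added example (not jerrm's script), here is a Python builder for the restore batch the post describes: fill a temporary set, swap it under the live set, and destroy the old one. It validates every zone entry first, because one malformed line makes `ipset restore` abort part-way and the swap never happens; the zone text is constructed, and the live set is assumed to already exist, as in the post.

```python
import ipaddress

# Constructed stand-in for a downloaded <cc>-aggregated.zone: a comment, a blank line
# and one malformed entry that would make `ipset restore` abort mid-batch.
SAMPLE_ZONE = """# ipdeny.com zone file (constructed sample)
1.0.1.0/24
1.0.2.0/23

1.0.8.0/21
not-a-network
"""


def parse_zone(text: str) -> tuple:
    """Return (valid networks in canonical form, rejected lines) for a zone file body."""
    good, bad = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            # strict=False masks any host bits, which is what hash:net stores anyway
            good.append(str(ipaddress.ip_network(line, strict=False)))
        except ValueError:
            bad.append(line)
    return good, bad


def restore_batch(setname: str, networks: list) -> str:
    """Batch for `ipset restore`: fill <set>.temp, swap it under the live set, drop the old one.
    Assumes the live set already exists (ipset create -exist <set> hash:net), as in the post."""
    tmp = f"{setname}.temp"
    lines = [f"create {tmp} hash:net"]
    lines += [f"add {tmp} {net}" for net in networks]
    lines += [f"swap {tmp} {setname}", f"destroy {tmp}"]
    return "\n".join(lines) + "\n"


def build(setname: str, zone_text: str):
    """Return the batch text, or None when the zone has lines that would abort the restore."""
    good, bad = parse_zone(zone_text)
    if bad or not good:
        return None
    return restore_batch(setname, good)


if __name__ == "__main__":
    good, bad = parse_zone(SAMPLE_ZONE)
    print(f"{len(good)} networks accepted, {len(bad)} rejected: {bad}")
    print(build("cn", "\n".join(good)), end="")   # pipe this text into: ipset restore
```

hash:net defaults to maxelem 65536, so a zone larger than that needs `create <set>.temp hash:net maxelem N` in the batch.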

dicko

Still learning but earning
If you do that (which is nice), you should sleep a bit in the outer loop or you are likely breaking the ipdeny.com rules.