Iptables: how to block a bunch of countries from attacking your server

This weekend a friend of mine, owner of a web site dev-hosting company, told me about the regular cPanel email alerts he gets about recurrent failed SSH login attempts on one of his customers' servers from a few IPs located in 3 countries.

He asked me about a way to block certain countries via iptables. I wrote something that did the trick: a shell script using ipset and the ipdeny zone lists to retrieve subnets and use them in iptables to block connections from/to those IPs. We put that script in cron to regularly update the blacklisted IPs.

Even though this is not a fully sufficient way to block that kind of attack (geo-IP matching is not 100% complete, and the attacker can go through a proxy, a VPN or bot machines to target the server from other countries), it remains a useful first line of defense to have.

It needs to be coupled with fail2ban auto-blacklisting strategies and ACLs on admin services (SSH…).

Here is the script ip-blocklist.sh:

#! /bin/bash
#author Zoumana TRAORE zoumana.traore@africasys.com
#This program is under GPL v3 License
#ip-blocklist script that blocks ingress and egress traffic from/to countries like China, Russia...
#must be run as root (ipset and iptables need CAP_NET_ADMIN)
# -------> dependencies:
# 1) ipset and iptables with set support (tested with iptables v1.4.21); without ipset installed, iptables fails with "Can't open socket to ipset."
# 2) http://www.ipdeny.com/ipblocks/

date
echo

############ install prereqs ##################
#apt-get install ipset && apt-get upgrade iptables

############ blacklisted countries ##################
countries=("cn" "ru" "se" "tw" "id" "ir" "nl" "ua" "ee" "br" "bg" "cz" "hk" "in")
fileFolder=/tmp

# download the IP list from ipdeny for the given zone and add iptables rules to block all traffic to/from it
#
#@param1 country code
function blockCountry () {

	local country=$1
	cd "$fileFolder" || return 1

	echo "---> checking country list $country"

	# remove any old list that might exist from previous runs of this script
	rm -f "$country.zone"

	# Pull the latest IP set for the country; keep the existing set untouched if the download fails
	if ! wget -q -O "$country.zone" "http://www.ipdeny.com/ipblocks/data/countries/$country.zone"; then
		echo "download failed for $country, keeping the previous set" >&2
		return 1
	fi

	# Create the ipset list (-exist: do not fail when the set already exists from a previous run),
	# then empty it so that networks no longer in the zone file are dropped from the set
	ipset create "$country" hash:net -exist
	ipset flush "$country"

	# Add each network from the downloaded list into the ipset 'country'
	while read -r net; do
		[ -n "$net" ] && ipset add "$country" "$net" -exist
	done < "$country.zone"

	echo "blocking $country IPs now"
	# -C checks whether the rule is already present, so re-runs from cron do not insert duplicate rules
	iptables -C INPUT -m set --match-set "$country" src -j DROP 2>/dev/null || \
		iptables -v -I INPUT 1 -m set --match-set "$country" src -j DROP
	iptables -C OUTPUT -m set --match-set "$country" dst -j DROP 2>/dev/null || \
		iptables -v -I OUTPUT 1 -m set --match-set "$country" dst -j DROP
}

#run
for country in "${countries[@]}"
do
	blockCountry "$country"
	echo
done
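The script calls ipset once per network, which is slow for large zones such as cn, and feeds whatever wget saved straight into ipset. As an added example that is not part of the original post, this helper converts a zone file into input for `ipset restore` (one bulk load instead of thousands of `ipset add` calls) and validates each line first, so an HTML error page saved in place of a zone file cannot reach ipset; the function names and the sample zone file are my own.

```bash
#!/bin/bash
# Added example (not from the original post): turn an ipdeny .zone file into
# "ipset restore" input instead of calling "ipset add" once per network.
# A zone file has one IPv4 CIDR per line; a failed download often leaves an
# HTML error page instead, so every line is checked before it reaches ipset.

# Print restore commands for set NAME from zone FILE on stdout.
# Returns 1 if the file contained no valid network at all (do not load it).
zone_to_restore() {
	local name=$1 file=$2 net count=0
	# shape check only: four dotted octets and a /0-/32 prefix
	local cidr='^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
	echo "create $name hash:net -exist"
	echo "flush $name"
	while read -r net; do
		[[ $net =~ $cidr ]] || continue   # skip blank, comment or garbage lines
		echo "add $name $net -exist"
		count=$((count + 1))
	done < "$file"
	[ "$count" -gt 0 ]
}

# Number of "add" lines produced for a zone file (handy as a sanity check
# before loading: a zone that shrank to a handful of networks is suspicious)
count_adds() { zone_to_restore "$1" "$2" | grep -c '^add '; }

# Constructed sample zone file: two good networks, one HTML line, one blank line
sample=$(mktemp)
printf '203.0.113.0/24\n<html>error</html>\n\n198.51.100.0/25\n' > "$sample"

# Typical use on a real host (needs root): zone_to_restore cn cn.zone | ipset restore
```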
