Adding timeout to iptables rules where they rule is dropped automatically?

Is anybody using such a thing in production?

I'm seeing fail2ban as an option to do this and I'm not really eager to add some complexity. I'd probably consider fail2ban if this was a webserver where I can ban bots bruteforcing wp-login.php, since it's able to do that.

Does anybody have a bash script or recommend something within iptables to set a block and drop it after a specified time? I've searched online and found a bunch of 10+ year outdated stuff or recommendations to fail2ban.

Basically I'm trying to block IP addresses / IP blocks I catch spamming to keep the spam off the 5 mailservers I run.

Comments

  • How exactly do you collect the IPs? Are they written in some plain file or something like this, or do you need to grep logfiles yourself?

    if you want to work with plain iptables this: http://serverfault.com/questions/273324/how-to-make-iptables-rules-expire pretty much sums up the possibilities.

    I'd probably try the second best answer with having a cronjob sweeping old rules via the second line of his example...

  • HyperFilter_Official Member, Patron Provider
    edited January 2017

    @doughmanes said:
    Is anybody using such a thing in production?

    I'm seeing fail2ban as an option to do this and I'm not really eager to add some complexity. I'd probably consider fail2ban if this was a webserver where I can ban bots bruteforcing wp-login.php, since it's able to do that.

    Does anybody have a bash script or recommend something within iptables to set a block and drop it after a specified time? I've searched online and found a bunch of 10+ year outdated stuff or recommendations to fail2ban.

    Basically I'm trying to block IP addresses / IP blocks I catch spamming to keep the spam off the 5 mailservers I run.

    Yes, you can use netfilter ipset in iptables rules, check ipset package. You can create a table with a default timeout in seconds and also set a custom timeout per IP. And you can use this in drop or accept rules without any issues too.

    Reference:
    http://ipset.netfilter.org/ipset.man.html

  • Falzo said: how exactly do you collect the IPs

    Usually catch them in my spamtrap or forwarded email from an incident like an IP sending out Locky/cryptoware

  • WSS Member

    Just add them to a table, then expire the table.. It's not all that difficult, overall. --seconds -j DROP

    I just use a crontab for my pf tables.

  • Using fail2ban doesn't add that much complexity; maybe a little more overhead than is absolutely needed to do what it does. I'd certainly suggest at least giving it a try first.

  • WSS Member

    sshguard is not dependent upon 40 megs of Python to run.

  • HyperFilter_Official Member, Patron Provider

    @impossiblystupid said:
    Using fail2ban doesn't add that much complexity; maybe a little more overhead than is absolutely needed to do what it does. I'd certainly suggest at least giving it a try first.

    All netfilter ipset requires is:

    1) Installing the module (which is a simple yum command)
    2) Creating the ipset table with the parameters you want, eg: source ip + timeout
    3) Creating the firewall rule as instructed in the manual (link above) with src or dst matching using your ipset table.

    Now, all you have to do is use the add/del commands of ipset towards your table to add/remove entries or let the automatic timeout purge them out.

    It isn't hard either, at least, I guess it isn't. :)
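    The three ipset steps above, worked through as an added example (not code from the thread or from the ipset project): a set with a default timeout, a DROP rule on the mail ports that matches it, and add/del helpers. It assumes root, ipset and iptables installed, and a hypothetical set name "spamban"; IPSET and IPT are overridable so the helpers can be dry-run without touching the kernel.

```shell
#!/bin/sh
# Added example: temporary bans via an ipset with per-entry timeouts.
# Assumes root plus the ipset and iptables binaries. Override IPSET/IPT
# (e.g. IPSET=: IPT=:) for a dry run that never touches netfilter.
IPSET=${IPSET:-ipset}
IPT=${IPT:-iptables}
SET=${SET:-spamban}                      # hypothetical set name
DEFAULT_TIMEOUT=${DEFAULT_TIMEOUT:-3600} # seconds; entries expire on their own

# Step 2 and 3: create the set once (hash:net takes both single IPs and
# CIDR blocks) and hook it into INPUT for the SMTP ports only.
setup_ban_set() {
    # -exist: creating a set that already exists is not an error
    $IPSET -exist create "$SET" hash:net timeout "$DEFAULT_TIMEOUT" || return 1
    # -C checks whether the rule is already present, so reruns don't duplicate it
    $IPT -C INPUT -p tcp -m multiport --dports 25,465,587 \
        -m set --match-set "$SET" src -j DROP 2>/dev/null ||
    $IPT -I INPUT -p tcp -m multiport --dports 25,465,587 \
        -m set --match-set "$SET" src -j DROP
}

# ban_net NET [SECONDS]: add an IPv4 address or CIDR block; without a
# second argument the set's default timeout applies. Re-adding an entry
# (-exist) refreshes its timeout instead of failing.
ban_net() {
    net=$1
    ttl=${2:-$DEFAULT_TIMEOUT}
    # coarse sanity check: only digits, dots and a slash, so a stray log
    # fragment can never be passed to ipset as an entry
    case $net in
        ''|*[!0-9./]*) echo "ban_net: refusing '$net'" >&2; return 1 ;;
    esac
    $IPSET -exist add "$SET" "$net" timeout "$ttl"
}

# unban_net NET: remove an entry early; missing entries are not an error
unban_net() {
    $IPSET -exist del "$SET" "$1"
}

# list_bans: show entries with their remaining seconds
list_bans() {
    $IPSET list "$SET"
}
```

    Run `setup_ban_set` once at boot (ipset sets do not survive a reboot unless saved with `ipset save`), then call `ban_net 192.0.2.10 600` from whatever script processes the spamtrap hits.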

  • Look at at command.

  • bsdguy Member
    edited January 2017

    deleted.

  • WSS Member

    Jesus fuck, @bsdguy - just store the time you block at time_t+timeout. Then setup a script to run every few minutes where now(time_t) => {iterate through bullshit}. It's not the most brilliant, and it doesn't need NodeJS, but it'll work just fine.

    Or, you could be a smugger asshole, and set an at for removing the block when you insert it with minimal queue overhead and a process which normally runs anyhow..

  • WSS Member

    Wait.. can I rescind my post? I don't want to be mistaken as somewhat helpful.

  • @WSS

    You just say it in different words ...

  • WSS Member

    @bsdguy said:
    @WSS

    You just say it in different words ...

    Ain't nobody got time for your war-and-peace posting. :P

  • @WSS

    Kindly stop the pissing and coolness contest. Sure, you worded it much shorter and cooler but at least the smarter ones among us want to extend their professional knowledge and to understand better what's going on beneath the surface. That, however, can hardly be nurtured by cool 3 liners.

    In other words: My goal wasn't to look cool but to share knowledge and to help others to advance. It wasn't being a cool ass.

    And we aren't talking about chicken shit here. We are talking about issues that could have one's server survive an attack or break down.

    Finally, cool asses are a dime a dozen here. You might want to think again whether it's really smart to piss off guys having knowledge and willing to share it.

  • WSS Member
    edited January 2017

    @bsdguy I think you need one less coffee mood stabilizers in your diet.

  • @WSS

    OK, "problem" solved, post deleted. I will certainly not fight against super-cool %§$$ just to be allowed to share my knowledge for free and to at least not be bothered by their personal needs.

    As for your last post: I don't care a rat's ass what you "think".

  • Yay, more fighting. There just wasn't enough of that in the world . . .

  • WSS Member

    Everybody gotta be at odds with someone, I guess. He's still a hoopy frood, even if he is a word salad sometimes.
