Ever notice how many braindead people try to break into your email server? It's a daily battle to stay ahead of them. Especially when, like in my case, fail2ban just... well... fails... :-)
For some time I have just manually added IP addresses to my iptables rules. The list gets kind of long after a while though. See the following for what I did, and then imagine a lot of these lines.
iptables -A INPUT -s <ip>/<cidr> -p tcp -m tcp --dport 25 -j DROP
For a while now the attacks have been shown in my log as:
warning: hostname Tor-Private.ru does not resolve to address 188.8.131.52: No address associated with hostname
It seems that the dumb idiots are now using the Tor network to hide in. The Tor network is kind of a big black hole, and it's not straightforward to block them from there. Or is it?
During my investigation I came across the Tor abuse FAQ, which lists a way to find the Tor exit nodes that are able to direct traffic to a given website.
So I went ahead and found the IP addresses I needed to block. But now I had a long list of IP addresses that I didn't really want to convert into iptables rule lines. Not manually anyway.
Why did I not just use a user friendly frontend for iptables you might ask. Sometimes I do things the hard way just to find out if there is a more manual/down to earth solution I can use. It's as much for educational purposes as it is a wish for feeling more in control of my system. I will let you decide whether this approach is smart or stupid. ;-)
Searching and reading a bit on the Internet I came across the ipset command. It makes a list that iptables can reference. In this way the iptables ruleset is kept smaller and easier to read.
What I ended up with was a folder in /etc/iptables called ipset.rules.
Inside this folder there are text files with the ending ".lst" containing the IP addresses I want to block in CIDR notation. I then made a small script to turn the .lst files into ipset tables that iptables then references. Sounds confusing? It's not so bad...
In addition to creating the ipset tables (or sets, as they are called), it also creates the iptables rule and stores both ipset and iptables data in their respective config files.
I think the best I can do is display the iptables rules I have and then the script.
Please note the IP addresses in the above list have been changed to random numbers.
The text files containing the IP addresses are just files containing one IP address per line. When listing a single host (i.e. IP address/32), the CIDR suffix should be left out. See example(s) below:
And here is the script:
The script should be mostly self explanatory. At least I hope it is.
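As an added example (not the post's own script), here is one way to do the job described above: it reads every .lst file in the post's /etc/iptables/ipset.rules folder, loads each one into an ipset named after the file, adds one iptables rule per set for port 25, and saves both. The two config file paths (ipset.conf and rules.v4) are assumptions.

```shell
#!/bin/sh
# Added example, not the post's own script. One address per line in each *.lst,
# CIDR optional: a bare address is a single host. RULES_DIR is the post's folder;
# IPSET_CONF and IPTABLES_CONF are assumed locations for the saved state.
set -eu
RULES_DIR="${RULES_DIR:-/etc/iptables/ipset.rules}"
IPSET_CONF="${IPSET_CONF:-/etc/iptables/ipset.conf}"
IPTABLES_CONF="${IPTABLES_CONF:-/etc/iptables/rules.v4}"

# tor-exits.lst -> set name "tor-exits"
set_name() { basename "$1" .lst; }

# Emit "ipset restore" input for one list file. Blank lines and '#' comments are
# ignored; a malformed entry is reported and skipped so the rest still loads.
lst_to_ipset_restore() {
    name=$1; file=$2
    re='^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'
    printf 'create %s hash:net\n' "$name"      # hash:net holds hosts and prefixes
    while IFS= read -r entry || [ -n "$entry" ]; do
        entry=$(printf '%s' "${entry%%#*}" | tr -d '[:space:]')
        [ -n "$entry" ] || continue
        if printf '%s\n' "$entry" | grep -Eq "$re"; then
            printf 'add %s %s\n' "$name" "$entry"
        else
            echo "skipping malformed entry in $file: $entry" >&2
        fi
    done < "$file"
}

# One rule per set instead of one per address keeps the INPUT chain short.
iptables_rule_args() {
    printf 'INPUT -p tcp -m tcp --dport 25 -m set --match-set %s src -j DROP' "$1"
}
ensure_iptables_rule() {
    # -C tests whether the rule is already present, so reruns do not duplicate it
    iptables -C $(iptables_rule_args "$1") 2>/dev/null || iptables -A $(iptables_rule_args "$1")
}

apply_all() {
    for file in "$RULES_DIR"/*.lst; do
        [ -e "$file" ] || continue             # the glob matched nothing
        name=$(set_name "$file")
        lst_to_ipset_restore "$name" "$file" | ipset -exist restore
        ensure_iptables_rule "$name"
    done
    # Persist both; on boot the sets must be loaded before the rules that reference them
    ipset save > "$IPSET_CONF"
    iptables-save > "$IPTABLES_CONF"
}
if [ "${1:-}" = "apply" ]; then apply_all; fi
```

Run it as root with the argument "apply". Addresses removed from a .lst file are not removed from the live set by this approach; for that, load the file into a temporary set and use ipset swap.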
Please feel free to leave a comment. At least until I have to close them due to abuse. :-D