[emailprotected]:~$ ping verified.sc
The method is trivially simple and convenient, but it increases the lifetime of domains by several orders of magnitude. In other words, we will protect our server the “Russian way”: cheap and cheerful. In this article I describe the configuration on Debian 6 Squeeze, but no problems should arise on other operating systems.
I will not dwell on DNS server configuration, on what a DNS server is, and so on. We will be configuring the iptables firewall (together with its add-on system, xtables-addons) and ipset for efficient operation; the direction in which you apply it is up to you.
Task: suppose we have a server in NL, we work on the US, we pay the local hosters for every abuse complaint, and honestly we are fed up with changing hosters (substitute your own situation). The task is this: to deal with abuse complaints as efficiently as possible.
Initial server configuration (a laptop in my case):
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 133K packets, 10M bytes)
 pkts bytes target prot opt in out source destination
[emailprotected]:~$ sudo ipset -L
[emailprotected]:~$ sudo ipset -v
ipset v4.2, protocol version 4.
Kernel module protocol version 4.
[emailprotected]:~$
Note the kernel version (2.6.32-5-amd64), the iptables version (v1.4.8) and the ipset version (v4.2); the iptables and ipset rule sets are empty. Here we go (:
Install the required packages:
[emailprotected]:~$ sudo apt-get install module-assistant xtables-addons-source libtext-csv-xs-perl libxml-csv-perl libtext-csv-perl unzip
Prepare the OS for automatic building of xtables-addons from source:
[emailprotected]:~$ sudo module-assistant prepare
This checks that the kernel headers matching the running kernel and any additional packages needed for the build are installed. If there are no problems, build and install the module:
[emailprotected]:~$ sudo module-assistant auto-install xtables-addons-source
Refresh the module dependency list so the newly installed modules can be loaded:
[emailprotected]:~$ sudo depmod -a
Next, go to the official xtables-addons website, choose the version that suits us, and download it. For the lazy, here.
[emailprotected]:~$ wget -O xtables-addons-1.28.tar.xz https://sourceforge.net/projects/xtables-addons/files/Xtables-addons/1.28/xtables-addons-1.28.tar.xz
Unpack the archive, download the GeoIP database from MaxMind, build it, create the directories, and install:
[emailprotected]:~$ cd xtables-addons-1.28/geoip/
[emailprotected]:~$ sudo ./geoip_download.sh
[emailprotected]:~$ sudo mkdir -p /usr/share/xt_geoip/LE
[emailprotected]:~$ sudo ./geoip_build_db.pl -D /usr/share/xt_geoip/LE GeoIPCountryWhois.csv
Moving on to the sweetest part of the setup. We will have only three databases to block against; let’s look at their structures in more detail.
The iphash type is used to create arbitrary sets of IP addresses and uses a hash table to store IP addresses.
From words to deeds. Create two sets: an iphash set named “badip” and a nethash set named “rangeip”:
[emailprotected]:~$ sudo ipset create badip iphash
[emailprotected]:~$ sudo ipset create rangeip nethash
Into the “badip” hash set we load Ar3s’s database. Download the database:
[emailprotected]:~$ cd /tmp
[emailprotected]:/tmp$ wget https://www.dlab.org.in/big_ip.txt
Create a simple script which adds IP addresses to the table:
[emailprotected]:~$ nano insert.sh
Make it executable and run it:
[emailprotected]:~$ sudo chmod +x /tmp/insert.sh
[emailprotected]:~$ sudo /tmp/insert.sh
The process may take a long time; wait.
[emailprotected]:/tmp$ sudo ipset -L | wc -l
65453
Ignore the errors about IPv6 addresses being skipped; that is expected.
I will ask the administration to ban anyone who tampers with the database. Last database update: September 2, 2012. Download the main database. Don’t be surprised at its size: all IP addresses are stored as CIDR ranges (/0 to /31). Unpack it. Adjust the auto-add script:
[emailprotected]:~$ nano insert.sh
[emailprotected]:~$ sudo /tmp/insert.sh
Where did I start this article? Ah, yes: bars, DNS, databases. According to Wikipedia, a DNS server listens on TCP/UDP port 53 to answer name-server queries.
Now, with one easy stroke, we can create our own DNS filter, skipping all the chatter, absolutely free:
[emailprotected]:~$ sudo iptables -A OUTPUT -m geoip --src-cc RU,UA,BY,KZ,CN,NL -j DROP
Block ICMP packets; they make no sense on a botnet server.
[emailprotected]:~$ sudo iptables -A INPUT -p icmp --icmp-type echo-reply -j DROP
[emailprotected]:~$ sudo iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
Block access using the main database:
[emailprotected]:~$ sudo iptables -A INPUT -m set --set rangeip src -j DROP
Block access using the database provided by Ar3s:
[emailprotected]:~$ sudo iptables -A INPUT -m set --set badip src -j DROP
Save the ipset and iptables settings:
[emailprotected]:~$ sudo ipset save > /srv/ipset.rules
[emailprotected]:~$ sudo iptables-save > /srv/iptables.rules
[Screenshot: approximate firewall settings]
Extras. “I want an admin panel! I want! I want! I want!” Unfortunately, there is no good web front end for the iptables firewall. There is iptadmin; screenshots can be seen here. It has not been maintained by its developers since September 2011. Install at your own risk.
“Does it work?” That question is really not trivial. We cannot know who actually came to our server or why (was it Googlebot or a crude brute-force attempt?), but we can still measure the overall effectiveness of the system. To do that we only need to enable logging on the iptables “INPUT” chain before the rules that block access.
WARNING: this method should only be used in the short term (for testing), since on a production server the firewall logs will eventually fill the entire hard drive.
Delete the previously created rules and chains:
[emailprotected]:~$ sudo iptables -F
[emailprotected]:~$ sudo iptables -X
Again, be careful! There may be routing rules, access from a network behind NAT, and other important firewall rules.
Enable logging before the blocking rule:
[emailprotected]:~$ sudo iptables -A malware-protection -j LOG --log-prefix "Malware-protection: " --log-level 7
Then continue with the action (the rule with the DROP target).
After some time, check what the firewall blocked (by default, iptables logs to /var/log/messages). Command:
[emailprotected]:~$ sudo cat /var/log/messages* | grep Malware-protection | wc -l
The best option is to test the system in the field.
“I want cooler!”
To protect the server even more strongly, you can do the following:
Q: Installing xtables-addons on older versions of CentOS/RedHat A: To install it, you will need the outdated kernel patch set patch-o-matic(-ng). If you search the depths of Runet, you can find craftsmen who sell a pre-compiled module. As an alternative, this might work.
Q: Installing ipset in Debian 6 Squeeze A: cut
Q: After installing A: In theory it is possible (if you are a traffer with 3KK daily volume). In my practice I had one case where the problem was solved by adjusting timeouts and tuning the TCP/IP stack; packets were stuck in the TIME_WAIT state. I recommend hiring a good system administrator, first of all to analyze your hardware configuration. Don’t skimp on hardware: buy a few gigabytes of RAM and a few processor cores to spare. What if tomorrow your partner offers you 100K US dollars for $20?