Writing, publishing, geekdom, and errata.

Updating your firewall on Linux - and blocking malware IP addresses at the same time

Firewalls on Linux/*nix are somewhat complicated, but stupidly powerful. "UFW" - the "uncomplicated" firewall - is... well, it's uncomplicated in comparison to actually dealing with iptables.

But there are ways to make it easier.

First, in /etc/ufw/applications.d/ you'll find that there should be some (or COULD be some) nice presets for applications. The files should have in them something like this:

(it's at http://pastebin.com/6JNp2axv if the embed doesn't show for you)

From there, you can call a script to invoke (and disable) the UFW/iptables rules as you like. Here's a simple example:

(This script is at http://pastebin.com/TEik19Rn if the embed's broken for you.)

Now, this is a simple example. I have a slightly more comprehensive example (though it's essentially the above script expanded) up on GitHub at https://github.com/uriel1998/ufw-iptables-archer.

The biggest change - and the cooler bit - is the other script in that repository: I include blocklists.

These blocklists were originally developed by (and presumably still are being used by) people using it to torrent illegally... though they're not really effective at that task.

What is useful is that the collections of blocklists (like those at I-Blocklist) have categories like "Pedophiles" (IP ranges of people who we have found to be sharing child pornography in the p2p community.) and "webexploits" (IP addresses related to current web server hack and exploit attempts).

Regardless of what you're doing, you probably don't want those folks poking at your computer or server.

So I also wrote a script (from a base by Kirk Kosinski) that fetches the appropriate lists, combines them into one big blocklist, sorts and removes duplicates, and then adds them to an IP set using ipset (probably available in your distribution's repositories).

From there, you can either uncomment the last two lines of the update_ipblock script, or run the ufw_setup script to add those ranges to your firewall.
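To show the combine-sort-dedup-load pipeline concretely, here is an added shell example; it is not the update_ipblock script from the repository. It works on two constructed P2P-format lists (the "description:start-end" format I-Blocklist serves) built from RFC 5737 documentation ranges, and instead of calling ipset directly it emits an `ipset restore` script that builds a temporary set and swaps it in, so the live set is never half-populated. The set name `blocklist` and the functions are mine; it also assumes ipset's hash:net accepts start-end ranges.

```shell
#!/usr/bin/env bash
# Constructed sample blocklists in P2P format (not real blocklist data).
LIST_A='# list A
Example webexploits host:192.0.2.10-192.0.2.10
Example scanner block:198.51.100.0-198.51.100.255
'
LIST_B='# list B
Example scanner block:198.51.100.0-198.51.100.255
Example bad range:203.0.113.0-203.0.113.127
totally not a range
Whole internet (would block everything):0.0.0.0-255.255.255.255
'

# Combine raw P2P lists into one sorted, de-duplicated list of bare ranges:
# drop comment lines, strip the "description:" prefix, keep only lines that
# really are IPv4 start-end ranges, and refuse a 0.0.0.0-... catch-all entry
# that would firewall off the whole Internet if a list were ever corrupted.
combine_blocklists() {
    printf '%s' "$@" \
      | grep -v '^#' \
      | sed -n 's/^.*:\([0-9.]*-[0-9.]*\)$/\1/p' \
      | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}-([0-9]{1,3}\.){3}[0-9]{1,3}$' \
      | grep -v '^0\.0\.0\.0-' \
      | sort -u
}

# Emit an `ipset restore` script (hypothetical helper): fill <set>_tmp, then
# atomically swap it with the live set and destroy the old contents.
# Assumption: hash:net accepts start-end ranges and splits them into CIDRs.
ipset_restore_script() {
    set_name="$1"; shift
    printf 'create %s hash:net\n' "$set_name"
    printf 'create %s_tmp hash:net\n' "$set_name"
    combine_blocklists "$@" | while read -r range; do
        printf 'add %s_tmp %s\n' "$set_name" "$range"
    done
    printf 'swap %s_tmp %s\n' "$set_name" "$set_name"
    printf 'destroy %s_tmp\n' "$set_name"
}
```

Feed the output to `ipset -exist restore` (the `-exist` flag keeps the `create` line from failing on later runs), then a rule such as `-m set --match-set blocklist src -j DROP` in the INPUT chain (or in /etc/ufw/before.rules) makes the set effective.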

The entire repository is at https://github.com/uriel1998/ufw-iptables-archer; I hope you find it useful!
