Vladimir Smagin 991b2e8e0f readme 4 weeks ago
ansible add ansible playbook 1 month ago
vendor blocking by tables 1 month ago
.gitignore add API 1 month ago
Dockerfile add API 1 month ago
README.md readme 4 weeks ago
build.sh add API 1 month ago
go.mod blocking by tables 1 month ago
go.sum blocking by tables 1 month ago
ip-blocker-set.sh readme 1 month ago
ip-blocker.conf add API 1 month ago
main.go better logging 1 month ago
so-cool-so-much-wow-wow.jpg readme 1 month ago

README.md

ip-blocker

My own IP storage for fail2ban. Written to blacklist the fucking botnets bruteforcing my servers. It centralizes information about blocks across all my servers in one single watch tower.

Installation

Watch tower

Create config file /opt/ip-blocker/ip-blocker.conf with contents:

DB:
  masterDB: "/var/ip-blocker/ip.db"
  clean: LastWeek
API:
  listen: "0.0.0.0:34534"

The clean option controls which old records are deleted (the example above deletes records older than a week). Possible values:

  • Recreate
    Remove the database file and create a new one. Not acceptable for a docker installation, so do not use it there.
  • Full
    Drop the single table and recreate it.
  • LastDay
    Remove all records older than a day.
  • LastWeek
    Remove all records older than a week.
  • LastMonth
    Remove all records older than 30 days.

Create an empty file for the database and run the docker container:

$> touch /opt/ip-blocker/ip.db
$> docker run -d --name ip-blocker \
   -p 0.0.0.0:34534:34534 \
   -v /opt/ip-blocker/ip-blocker.conf:/etc/ip-blocker.conf \
   -v /opt/ip-blocker/ip.db:/var/ip-blocker/ip.db \
   registry.blindage.org/ip-blocker-db:latest -config /etc/ip-blocker.conf

Secure

You can protect the API with webserver basic auth and SSL; curl can handle it directly from the command line (something like https://login:password@my-watchtower.ru/list/sshd/1). To do it, bind the container to 127.0.0.1 instead of 0.0.0.0 (-p 127.0.0.1:34534:34534 in the docker run above) and proxy to it from nginx or another webserver you love. The API itself has no authentication, so without the proxy anything that can reach port 34534 can add and read bans.

All your servers

First, install fail2ban on your OS. You already know how because you are a sysadmin.

Next, add a line to the actionban entry in /etc/fail2ban/action.d/iptables-multiport.conf so that every ban is also reported to the watch tower:

actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
            /usr/bin/curl -s https://login:password@my-watchtower.ru/set/`hostname`/<name>/<ip>/<protocol>/<port>

The set directive means you want to add an IP into the database:

  • hostname tells which server added the record
  • name is the block table name (i.e. sshd, used to add rules into iptables)
  • ip is the address to block
  • protocol (tcp or udp)
  • port number (or a service name from /etc/services, i.e. ssh).
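To show what the watch tower has to do with a set request and with the list and clean operations described on this page, here is an in-memory model written for this README; it is an added example, not the project's main.go, and the type and function names (BlockRecord, Store, ValidateSet, Set, List, Clean) are assumptions. The validation is the part worth copying: the table name later becomes part of an iptables chain name and the IP is handed to fail2ban-client on every server that pulls the list, so only well-formed values should ever be stored.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"strconv"
	"sync"
	"time"
)

// BlockRecord is one ban reported through /set/<hostname>/<name>/<ip>/<protocol>/<port>.
type BlockRecord struct {
	Host, Table, IP, Protocol, Port string
	Added                           time.Time
}

// nameRe bounds hostnames, table names and service names: the table name ends
// up in an iptables chain name and the IP in a fail2ban command on every
// server that pulls the list, so nothing else may pass through.
var nameRe = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$`)

// ValidateSet checks the five path parameters of a /set request.
func ValidateSet(host, table, ip, proto, port string) error {
	if !nameRe.MatchString(host) {
		return fmt.Errorf("invalid hostname %q", host)
	}
	if !nameRe.MatchString(table) {
		return fmt.Errorf("invalid table name %q", table)
	}
	if net.ParseIP(ip) == nil {
		return fmt.Errorf("invalid ip %q", ip)
	}
	if proto != "tcp" && proto != "udp" {
		return fmt.Errorf("protocol must be tcp or udp, got %q", proto)
	}
	// Port is either a number 1..65535 or a service name from /etc/services (e.g. ssh).
	if n, err := strconv.Atoi(port); err == nil {
		if n < 1 || n > 65535 {
			return fmt.Errorf("port %d out of range", n)
		}
	} else if !nameRe.MatchString(port) {
		return fmt.Errorf("invalid port or service name %q", port)
	}
	return nil
}

// Store is an in-memory stand-in for the watch tower database (assumption).
type Store struct {
	mu   sync.Mutex
	recs []BlockRecord
	now  func() time.Time // injectable clock so the time window can be tested
}

func NewStore() *Store { return &Store{now: time.Now} }

// Set records a ban after validation (the set directive).
func (s *Store) Set(host, table, ip, proto, port string) error {
	if err := ValidateSet(host, table, ip, proto, port); err != nil {
		return err
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	s.recs = append(s.recs, BlockRecord{host, table, ip, proto, port, s.now()})
	return nil
}

// List returns the distinct IPs banned in table within the last minutes
// minutes (the list/<name>/<minutes> directive), oldest first.
func (s *Store) List(table string, minutes int) []string {
	s.mu.Lock()
	defer s.mu.Unlock()
	cutoff := s.now().Add(-time.Duration(minutes) * time.Minute)
	seen := map[string]bool{}
	var out []string
	for _, r := range s.recs {
		if r.Table != table || r.Added.Before(cutoff) || seen[r.IP] {
			continue
		}
		seen[r.IP] = true
		out = append(out, r.IP)
	}
	return out
}

// Clean drops records older than maxAge, the LastDay/LastWeek/LastMonth
// behaviour of the clean option, and returns how many were removed.
func (s *Store) Clean(maxAge time.Duration) int {
	s.mu.Lock()
	defer s.mu.Unlock()
	cutoff := s.now().Add(-maxAge)
	kept := s.recs[:0]
	for _, r := range s.recs {
		if !r.Added.Before(cutoff) {
			kept = append(kept, r)
		}
	}
	removed := len(s.recs) - len(kept)
	s.recs = kept
	return removed
}

func main() {
	s := NewStore()
	_ = s.Set("web1", "sshd", "203.0.113.5", "tcp", "ssh")      // constructed sample ban
	fmt.Println(s.Set("web1", "sshd", "not-an-ip", "tcp", "22")) // rejected before storage
	fmt.Println(s.List("sshd", 1))
}
```

List deduplicates, so a server that reports the same IP several times (once per fail2ban jail restart, for instance) still produces one banip call on each pulling server.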

At the last step, create a bash script somewhere on the server and add it to crontab.

#!/bin/bash
source /etc/profile
IFS=$'\n'

# Run from cron every minute.

# block ssh: pull IPs banned in the sshd table during the last minute
# and ban them locally through fail2ban
IPs=$(curl -s https://login:password@my-watchtower.ru/list/sshd/1)
for ip in $IPs
do
  echo "Blocking IP $ip"
  fail2ban-client set sshd banip "$ip"
done

The list directive means you want to get the IP list; sshd is the block table name and the last parameter is a number of minutes, so here you get records not older than 1 minute. The window should not be shorter than the cron interval, otherwise a delayed run misses bans.
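The cron script above hands every line the watch tower returns straight to fail2ban-client. The following client, written for this README as an added example (not the project's code), pulls the same list over HTTPS with basic auth, as the Secure section recommends, and keeps only lines that parse as IP addresses, so an error page from the proxy or a tampered line never reaches fail2ban. FetchBanList and fakeWatchTower are assumed names, and the in-process TLS server with its constructed response stands in for the nginx-fronted API.

```go
package main

import (
	"bufio"
	"crypto/subtle"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// FetchBanList pulls /list/<table>/<minutes> with HTTP basic auth and returns
// the lines that parse as IP addresses plus the lines it rejected.
func FetchBanList(client *http.Client, baseURL, user, pass, table string, minutes int) ([]string, []string, error) {
	req, err := http.NewRequest("GET", fmt.Sprintf("%s/list/%s/%d", baseURL, table, minutes), nil)
	if err != nil {
		return nil, nil, err
	}
	req.SetBasicAuth(user, pass)
	resp, err := client.Do(req)
	if err != nil {
		return nil, nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		// An auth failure or proxy error page must not be parsed as a ban list.
		return nil, nil, fmt.Errorf("watch tower returned %s", resp.Status)
	}
	var ips, rejected []string
	sc := bufio.NewScanner(resp.Body)
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		if net.ParseIP(line) == nil {
			rejected = append(rejected, line) // never passed to fail2ban-client
			continue
		}
		ips = append(ips, line)
	}
	return ips, rejected, sc.Err()
}

// fakeWatchTower stands in for the nginx-fronted API (assumption): it demands
// basic auth and serves a constructed list containing one line that is not an IP.
func fakeWatchTower(user, pass string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		u, p, ok := r.BasicAuth()
		if !ok ||
			subtle.ConstantTimeCompare([]byte(u), []byte(user)) != 1 ||
			subtle.ConstantTimeCompare([]byte(p), []byte(pass)) != 1 {
			w.Header().Set("WWW-Authenticate", `Basic realm="ip-blocker"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		if r.URL.Path != "/list/sshd/1" {
			http.NotFound(w, r)
			return
		}
		fmt.Fprint(w, "203.0.113.5\n198.51.100.9\nnot an ip; rm -rf /\n2001:db8::1\n")
	})
}

func main() {
	srv := httptest.NewTLSServer(fakeWatchTower("login", "password"))
	defer srv.Close()
	ips, rejected, err := FetchBanList(srv.Client(), srv.URL, "login", "password", "sshd", 1)
	fmt.Println(ips, rejected, err)
	_, _, err = FetchBanList(srv.Client(), srv.URL, "login", "wrong", "sshd", 1)
	fmt.Println(err)
}
```

On a real server the accepted IPs would be passed to fail2ban-client one by one, exactly as the cron script does; the rejected lines are worth logging, since a watch tower that suddenly returns non-IP lines is either misconfigured or being impersonated.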

Wow! You did so much! I hope you did it with Ansible or another tool you love; just imagine doing it by hand for all your servers...

Future

  • get list of block tables
  • get raw list of all blocked IPs

Copyright by Vladimir Smagin (21h) 2020
http://blindage.org email: 21h@blindage.org
Project page: https://git.blindage.org/21h/ip-blocker-db