
IMPORTANT: This tutorial is oriented for Fedora, but shouldn't be hard to adapt to Debian/Ubuntu. If someone knows the startup scripts well, mail me or please leave a comment with the changes needed.
Ok, as we saw in the previous chapters of this tutorial series, iptables is an amazingly flexible and powerful tool. By now you should have a good grasp of what iptables can do. It is time to bring in the sidekick: Portsentry. Since portsentry has no pre-built packages (to my knowledge) for any distribution, you will have to download it from [Sourceforge] and build it. The process is very easy BUT (yes, there is always a but) it requires you to edit one file. More on that a bit down the road. First, what does Portsentry do? Portsentry is a nifty little program that listens on your Linux (or any Unix, but for now Linux) box on a set of ports defined by you. That way, when someone port scans you to find open ports, say for example ssh or web or any other open port that they could attack, Portsentry will notice this and take an appropriate action (also defined by you!).

You can do very cool things like immediately block the IP, so even if they find port 22 (SSH) open, by the time they try to connect to it, they are explicitly blocked from accessing port 22 or ANY port, if you so choose. The only problem with this scenario is that if you host a big website (like http://blog.2blocksaway.com :)) and you run Portsentry, you will get scanned a lot. The internet is a bad place and port scanning seems to be a hobby for any script kiddie nowadays. This in itself wouldn't be a problem, but static IPs are rare and most port scanners are run from dynamic IPs which get re-assigned after a certain time period to other people (computers). I think you see where the problem comes in. Unless you constantly maintain your iptables blocked list, you will soon have a lot of IPs banned and even legit users won't get access to your site anymore.
So, you need to periodically "clean" your iptables. In order to do that we will build a loop into your iptables script, make it survive a reboot, AND make "old IPs" get cleaned automatically every 5 days. Sounds good? Great, only a few steps and you have this setup running.

Step 1: GET AND INSTALL Portsentry (version 1.2 at the time of this writing) from the link above and extract it. You will get a directory called portsentry_beta. Enter it and open the file portsentry.c at line 1584 with your favorite editor. If you want to use vi, try this: vi +1584 portsentry.c . You will see that the statement on that line is wrapped wrongly (the string is split across two lines, which gcc rejects). The line looks like this:
printf ("Copyright 1997-2003 Craig H. Rowland sourceforget dot net>\n");
fix it to make it one line:
printf ("Copyright 1997-2003 Craig H. Rowland \n");
save the file and exit. Well done, this was the hard part. Now come the easy ones. Type at your command line:
make linux && make install
and hit enter. Notice you need gcc installed, but most distros come with it by default.
Once done, the program will inform you that it is now installed in /usr/local/psionic/portsentry/ . Let's memorize that and keep going.

Step 2: EDIT your current iptables script. We know by now that the iptables script is actually nothing more than a simple shell script which is run. This means we can use any shell script action within the iptables script. <- A GOOD THING! First create a directory, if you have not done so, where all your scripts will live. In my case I created /opt/flosse . This is where most of your magic will happen. Copy your current iptables shell script there or work in the directory where it is now; /root is NOT an option!
When you have the directory and the script ready, create an empty file called blocked.list (touch blocked.list) in that directory. In this file Portsentry will add all the blocked IPs and other information. Now we come to the edit part of your iptables script. You need to create a new chain and jump to it at the top of your INPUT/OUTPUT/FORWARD chains (if you don't use FORWARDING, then don't add it there :)). The chain drops packets from a given source immediately, but the sources are added dynamically AND, in case of a re-run of the script, you do not want to lose all the collected bad hosts. So, we just add an actual script part into our iptables script. It should look something like this:

iptables -N blocked-list
# one host per line in blocked.list; the first field is the IP address
while read -r ip rest
do
  iptables -A blocked-list -i eth0 -p tcp -s "$ip" -d 0.0.0.0/0 -j DROP
  iptables -A blocked-list -i eth0 -p udp -s "$ip" -d 0.0.0.0/0 -j DROP
done < blocked.list
iptables -A INPUT -j blocked-list
iptables -A OUTPUT -j blocked-list

What this does is: it creates a new chain called blocked-list, and then for each line in the file blocked.list it takes the first field as an IP and adds it to the blocked-list chain with rules that drop that host's TCP and UDP traffic arriving on the network card eth0. You might have to change the network interface for your setup, and of course you can modify the iptables lines as you want (for example log and then drop).
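The same loop, as an added example that is not from the original post, extended with the 5-day cleanup the tutorial promises: it is idempotent (re-running it rebuilds the chain instead of duplicating rules), and it expires entries older than MAX_AGE_DAYS before loading them. It assumes each blocked.list line is "<ip> <unix-timestamp>" (an assumed format for whatever appends to the file; lines without a timestamp are kept forever since they cannot be aged), and the file path /opt/flosse/blocked.list from the text.

```shell
#!/bin/sh
# Added example: rebuild the blocked-list chain from blocked.list and
# expire old entries. Assumed line format: "<ip> <unix-timestamp>".
BLOCKED_LIST="${BLOCKED_LIST:-/opt/flosse/blocked.list}"
IPTABLES="${IPTABLES:-iptables}"
IFACE="${IFACE:-eth0}"
MAX_AGE_DAYS="${MAX_AGE_DAYS:-5}"

# prune_blocked_list FILE NOW
# Removes lines whose timestamp (2nd field) is older than MAX_AGE_DAYS
# before NOW (epoch seconds). Comment lines and lines without a
# timestamp are kept. Prints the number of lines kept.
prune_blocked_list() {
    file="$1"; now="$2"
    cutoff=$((now - MAX_AGE_DAYS * 86400))
    tmp="$file.tmp.$$"
    awk -v cutoff="$cutoff" \
        '/^#/ || NF < 2 || $2 >= cutoff { print }' "$file" > "$tmp" \
        && mv "$tmp" "$file"
    wc -l < "$file" | tr -d ' '
}

# build_rules FILE
# Prints the iptables commands (one per line) that recreate the chain.
# Only the first field of each line is used, as in the tutorial, so
# lines with or without a timestamp both work.
build_rules() {
    file="$1"
    # create the chain on first run, flush it on re-runs (no duplicates)
    echo "$IPTABLES -N blocked-list 2>/dev/null || $IPTABLES -F blocked-list"
    while read -r ip _; do
        case "$ip" in ''|'#'*) continue ;; esac
        echo "$IPTABLES -A blocked-list -i $IFACE -p tcp -s $ip -j DROP"
        echo "$IPTABLES -A blocked-list -i $IFACE -p udp -s $ip -j DROP"
    done < "$file"
    # -i/-s rules only match inbound packets, so hook INPUT (add FORWARD
    # the same way if you route); a jump from OUTPUT would never match.
    echo "$IPTABLES -C INPUT -j blocked-list 2>/dev/null || $IPTABLES -I INPUT -j blocked-list"
}

# Run as "./script apply" (as root) to prune and load; without the
# argument the functions are only defined, so the file can be sourced.
if [ "${1:-}" = "apply" ]; then
    prune_blocked_list "$BLOCKED_LIST" "$(date +%s)" >/dev/null
    build_rules "$BLOCKED_LIST" | sh
fi
```

Run it from cron every 5 days (and from your iptables startup script) so the chain and the list stay in sync.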

Great, so now we have an iptables script that takes all the IPs out of our blocked list and adds them as we need to. EXCELLENT! We are about 50% done, but please bear with me, it will be worth it.
