Building Public and Private IPtables Blacklists

Building Public and Private IPtables Blacklists is the simplest way to block few bad IP Addresses. I will show you how easy to build simple individual blacklists using IPtables Firewall chains. The Public IPtables Blacklists will be feed by the internet of different communities around the world to protect services such SSH, HTTP, Mail, FTP, and Applications like WordPress, Joomla, and Drupal Platforms.

Objectives:

1. Understanding Blacklists Concept

2. Building Simple Public IPv4 Blacklists

3. Building Simple Public IPv6 Blacklists

4. Building Simple Private IPv4 Blacklists

5. Building Simple Private IPv6 Blacklists

6. Adding Simple Blacklists to Startup File

Prerequisites:

A. Basic Linux Debian, Ubuntu, or CentOS Knowledge

B. If you haven’t built a VPS yet, login to DigitalOcean or Vultr

C. Linux Hardening Rules and IPtables Firewall Labs

D. Listing and Tracking Suspicious Bad IP Addresses

Recommendations:

For better performance, use VPS with at least 2 CPUs, 4G Memory, 1G Bandwidth, and SSD Storage drive.

Understanding Blacklists Concept

Blacklists will silently DROP all known bad guys such Spammers, Bots, Worms, Zombies PCs, or Servers at the gateway without processing their packets, therefore, saving a lot of hardware resources and preventing the chance to attack your VPS’s services.

Note: Simple IPtables Blacklists are meant to be for few hundreds of IP Addresses, nevertheless, it’s recommend you start with simple IPtables Blacklists first, but when it comes to load a massive blacklists that carry thousands or even millions of IP addresses, then simple IPtables Blacklists won’t be practical.

Instead of using IPtables for huge Blacklists, I will show you later how to use IPset Blacklists instead. IPset can load a massive Blacklists of IP addresses without effecting your VPS memory. In the end of this course, you will be familiar with both types: simple IPtables and IPset Blacklists.

Building Simple Public IPv4 Blacklists

My first Public source Blacklist would be protecting SSH service against known bad IP Addresses based on http://lists.blocklist.de/lists/ssh.txt

Run the following steps (1 to 10)

1. Install Required Packages

Debian Based

apt-get update

aptitude install curl ipset pv grep

Red Hat Based

yum update

yum install curl ipset pv grep

2. Create a Blacklist Directory

mkdir -p /etc/network/iptables/blacklists/

3. Create Simple SSH Blacklist Script

nano /etc/network/iptables/blacklists/blocklist-de-ssh.sh

Open the following file, copy it’s content and paste it inside blocklist-de-ssh.sh file.

Blocklist.de SSH Blacklist Script

4. Set Execution Permission

chmod +x /etc/network/iptables/blacklists/blocklist-de-ssh.sh

5. Allow only Root Access

chmod 700 -R /etc/network/iptables/blacklists/

6. Run the SSH Blacklist Script

/etc/network/iptables/blacklists/blocklist-de-ssh.sh

You should see something similar to the following:

####                                                                 ####
#    Preparing Blocklist.de SSH Blacklist Loader Script for IPtables    #
#        Please be patient. The process might take few minutes          #
####                                                                 ####

-----------------------------------------------------------
 [+] Downloading Blocklist.de SSH Brute Force List...
-----------------------------------------------------------
--2015-04-05 09:27:56--  http://lists.blocklist.de/lists/ssh.txt
Resolving lists.blocklist.de (lists.blocklist.de)... 176.9.54.236
Connecting to lists.blocklist.de (lists.blocklist.de)|176.9.54.236|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 18702 (18K) [text/plain]
Saving to: `/etc/network/iptables/blacklists/blocklist-de-ssh.ips'

100%[=======================================================================================>] 18,702      72.7K/s   in 0.3s

2015-04-05 09:27:58 (72.7 KB/s) - `/etc/network/iptables/blacklists/blocklist-de-ssh.ips' saved [18702/18702]

[+] Loading 1305 Bad IP Addresses against SSH Brute Force. Please be patient...

Estimate Time: is based on Hardware Resources. 4000 IP Addresses will take roughly 2 to 7 Minutes to load inside the Memory.

Elapsed Time:

0:00:07

 Done!  ##############################################] (100%)

The Blocklist.de SSH List Chain has been loaded inside the Memory along the rest of the IPtables Chains.

7. List all IPtables Chains

iptables -S | more

IPtables chains will be listed at the top, and among them should be the SSH Blacklist.

8. View the SSH Blacklist IPtables Chain

iptables -L BLOCKLIST-DE-SSH -nvx | less

Hit space key to move from page to page, hit q key to close less function.

So, our Blocklist.de SSH list is working fine. To have this list run on the startup, I will add it later on to custom-scripts.sh startup file.

9. Create Weekly Updates

nano /etc/cron.d/blocklist-ssh-update

Add the following to blocklist-ssh-update

MAILTO=root
30 23 * * 7   root /etc/network/iptables/blacklists/blocklist-de-ssh.sh

Save: Ctrl-X, Hit Y Key, and Enter

How to Change the Execution time?

Based on the following chart, you can modify the stars as needed.

*     *     *     *     * 
-     -     -     -     -
|     |     |     |     |
|     |     |     |     +----- Day of week (0-7)
|     |     |     +------- Month (1 - 12)
|     |     +--------- Day of month (1 - 31)
|     +----------- Hour (0 - 23)
+------------- Min (0 - 59)

10. Set Execution Permission

chmod +x /etc/cron.d/blocklist-ssh-update

That’s it! To load more Blacklists, check the following files below. Follow the steps above except step 1 to implement different Blacklist, however, don’t forget to change the name. E.g. change blocklist-de-ssh.sh to blocklist-de-ftp.sh in every step to set Blacklist for FTP Service.

Note: there is almost a blacklist for every service, but loading multiple individual blacklists that might carry thousands of IP Addresses into IPtables Memory will eventually slow down IPtables and your VPS.

Simple Public blacklists practical only if each list carries few hundreds of IP addresses and not thousands. If you decide to use individual blacklists that carry thousands of addresses and networks, 2G VPS won’t be able to load more than 10 thousands IP Addresses. The more you load individual blacklists, the more Memory your VPS needs.

More Public Blacklists Scripts

Blocklist.de FTP Blacklist Script

Blocklist.de Bots Blacklist Script

Blocklist.de Mail Blacklist Script

Blocklist.de IMAP Blacklist Script

Blocklist.de Apps Blacklist Script

Blocklist.de Apache Blacklist Script

MYIP.MS General Blacklist Script

OpenBL General Blacklist Script

When it comes to thousands of IP addresses, Building Public and Private IPset Blacklists will load all those individual blacklists and combine them into Global Dynamic database file. Hence IPtables will deal with ipset database module which is a way lighter and faster to load. My advice is to gain experience in both types Simple Public blacklists and IPset Blacklist to understand the overall concept and be able to differentiate between them.

Building Simple Public IPv6 Blacklists

As of this writing, I couldn’t find Public source for IPv6 similar to IPv4 blocklist.de. IPv6 not famous as IPv4, however, I found http://myip.ms/files/blacklist/csf/latest_blacklist.txt by MYIP.MS which got few of IPv6 on the end of the list.

Unfortunately, you cannot mix IPv4 and IPv6 inside one script since Netfilter Linux Firewall separated management interface by using iptables and ip6tables. But, you can still build a simple IPv6 Blacklist by extracting the IPv6 Addresses from MYIP.MS. I wish they can separate them into different files.

Run the following steps (1 to 8)

1. Create a Blacklist Directory

mkdir -p /etc/network/iptables/blacklists/

2. Create IPv6 MYIP.MS Blacklist Script

nano /etc/network/iptables/blacklists/ipv6-myip-blacklist.sh

Open the following file, copy it’s content inside ipv6-myip-blacklist.sh file.

IPv6 MYIP.MS Blacklist Script

3. Set Execution Permission

chmod +x /etc/network/iptables/blacklists/ipv6-myip-blacklist.sh

4. Allow only Root Access

chmod 700 -R /etc/network/iptables/blacklists/

5. Run the IPv6 MYIP.MS Blacklist Script

/etc/network/iptables/blacklists/ipv6-myip-blacklist.sh

You should see something similar to the following:

####                                                             ####
#    Preparing IPv6 MYIP.MS Blacklist Loader Script for IPtables    #
#       Please be patient. The process might take few minutes       #
####                                                             ####

-----------------------------------------------------
 [+] loading IPv6 MYIP.MS Bad IPs Blacklist...
-----------------------------------------------------
--2015-04-07 15:25:07--  http://myip.ms/files/blacklist/csf/latest_blacklist.txt
Resolving myip.ms (myip.ms)... 46.105.73.158, 2001:41d0:a:41a9:46f::1
Connecting to myip.ms (myip.ms)|46.105.73.158|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 39513 (39K) [text/plain]
Saving to: `/etc/network/iptables/blacklists/ipv6-myip-blacklist.tmp'

100%[===================================================================================================================================================================================================>] 39,513      --.-K/s   in 0.1s

2015-04-07 15:25:08 (317 KB/s) - `/etc/network/iptables/blacklists/ipv6-myip-blacklist.tmp' saved [39513/39513]

 [+] Loading 10 bad IP Addresses against general attacks. Please be patient...

 Estimate Time: is based on Hardware Resources. 4000 IP Addresses will take roughly 2 to 7 Minutes to load inside the Memory.

 Elapsed Time:

0:00:00

 Done!  ##############################################] (100%)

The IPv6 MYIP.MS Blacklist has been loaded inside the Memory along the rest of the IPtables Rules.

Note: since grep command greps colon “:” to filter IPv6 addresses, hence, if you edit the database file, you will find the following extra 7 lines on the beginning since they got colons as well.

# on Fri, 10 Apr 2015 12:00:31 +0100 Last 10days Blacklist IPs
# URL: http://www.myip.ms/browse/blacklist
# File Format: ..IPAddress.. (compatible with cPanel, CSF Firewall)
# Notes for CSF Firewall:
# DENY_IP_LIMIT - Maximum number of IP addresses that can be saved in /etc/csf/csf.deny file (default: 100)
# (file: /etc/csf/csf.conf) -> and change the value to: DENY_IP_LIMIT = 0 (unlimited), after restart Firewall
#  Myip.ms Blacklist IPs in this List: 2,870 ip (31 March 2015 - 10 April 2015)

You can safely ignore those lines.

6. View IPv6 MYIP.MS Blacklist Chain

ip6tables -L IPV6-MYIP-BLACKLIST -nvx

7. Create ipv6-myip-blacklist.sh Weekly Update

nano /etc/cron.d/ipv6-myip-blacklist-update

Add the following to ipv6-myip-blacklist-update

MAILTO=root
30 23 * * 7  root /etc/network/iptables/blacklists/ipv6-myip-blacklist.sh

Save: Ctrl-X, Hit Y Key, and Enter

8. Set Execution Permission

chmod +x /etc/cron.d/ipv6-myip-blacklist-update

Building Simple Private IPv4 Blacklists

Reading my previous article Listing and Tracking Suspicious Bad IP Addresses, you would know how important to have a handy custom blacklist. Let’s set a Local Custom Admin Blacklist, but this time based on our input and not a Public source.

Run the following steps (1 to 9)

1. Create a Blacklist Directory

mkdir -p /etc/network/iptables/blacklists/

2. Create Custom Admin Blacklist Script

nano /etc/network/iptables/blacklists/custom-admin-blacklist.sh

Open the following file, copy it’s content and paste inside custom-admin-blacklist.sh file

Custom Admin Blacklist Script

Save: Ctrl-X, Hit Y Key, and Enter

3. Set Execute Permission

chmod +x /etc/network/iptables/blacklists/custom-admin-blacklist.sh

4. Create a Database IP Addresses File

touch /etc/network/iptables/blacklists/custom-admin-block.ips

5. Allow only Root Access

chmod 700 -R /etc/network/iptables/blacklists/

6. Test – add bad v4 address to the Database

Based on IP Void list http://www.ipvoid.com/scan/43.255.190.135/ add this bad IP 43.255.190.135 to custom-admin-block.ips file.

echo 43.255.190.135 >> /etc/network/iptables/blacklists/custom-admin-block.ips

Save: Ctrl-X, Hit Y Key, and Enter

7. Run Custom Admin Blacklist Script

/etc/network/iptables/blacklists/custom-admin-blacklist.sh

8. List all IPtables Chains

iptables -S | more

9. View the Custom Admin Blacklist IPtables Chain

iptables -L CUSTOM-ADMIN-BLACKLIST -nvx

You will see the Blocked IP Address

pkts      bytes target     prot opt in     out     source          destination
0        0 DROP       all  --  *      *       43.255.190.135        0.0.0.0/0

Building Simple Private IPv6 Blacklists

Run the following steps (1 to 8)

1. Create a Blacklist Directory

mkdir -p /etc/network/iptables/blacklists/

2. Create Custom Admin Blacklist Script

nano /etc/network/iptables/blacklists/v6custom-admin-blacklist.sh

Open the following file, copy it’s content and paste it inside v6custom-admin-blacklist.sh file

IPv6 Custom Admin Blacklist Script

Save: Ctrl-X, Hit Y Key, and Enter

3. Set Execute Permission

chmod +x /etc/network/iptables/blacklists/v6custom-admin-blacklist.sh

4. Create a Database IP Addresses File

touch /etc/network/iptables/blacklists/v6custom-admin-block.ips

5. Allow only Root Access

chmod 700 -R /etc/network/iptables/blacklists/

6. Test – add bad v6 address to the Database

Based on http://myip.ms/files/blacklist/csf/latest_blacklist.txt. Add this bad IP address 2606:a000:6260:d600:d17a:6ebb:f1f0:c8cf at the end of the file v6custom-admin-block.ips.

echo 2606:a000:6260:d600:d17a:6ebb:f1f0:c8cf >> /etc/network/iptables/blacklists/v6custom-admin-block.ips

Save: Ctrl-X, Hit Y Key, and Enter

7. Run v6Custom Admin Blacklist Script

/etc/network/iptables/blacklists/v6custom-admin-blacklist.sh

8. View IPv6 Custom Admin Blacklist IPtables Chain Again

ip6tables -L V6CUSTOM-ADMIN-BLACKLIST -nvx

Adding Simple Blacklists to Startup File

Run the following steps (1 to 2)

1. Edit Custom Scripts Startup file

nano /etc/init.d/custom-scripts.sh

2. Add the following to the end of the file.

# Blocklist.de SSH List
/etc/network/iptables/blacklists/blocklist-de-ssh.sh
# IPv6 MYIP.MS Blacklist 
/etc/network/iptables/blacklists/ipv6-myip-blacklist.sh
# Custom Admin Blacklist
/etc/network/iptables/blacklists/custom-admin-blacklist.sh
# IPv6 Custom Admin Blacklist
/etc/network/iptables/blacklists/v6custom-admin-blacklist.sh

Save: Ctrl-X, Hit Y Key, and Enter

Subject Related