Building Professional Web Hosting Solution
Blacklist and Whitelist using IPtables and IPset
- Listing and Tracking Suspicious Bad IP Addresses
- Building Public and Private IPtables Blacklists
- Building Public and Private IPtables Whitelists
- Building Public and Private IPset Blacklists
- Building Public and Private IPset Whitelists
Listing and tracking suspicious IP addresses is crucial when you suspect that your VPS is consuming CPU or memory for no obvious reason. There are two common ways to list and track the IP addresses connected to your VPS. A legitimate user's IP address consumes a reasonable share of CPU and memory, while bots usually behave crudely, so their activity stands out.
Objectives:
1. Listing Active IP Addresses using tcptrack
2. Listing Active IP Addresses using netstat
Prerequisites:
A. Basic Linux Debian, Ubuntu, or CentOS Knowledge
B. If you haven’t built a VPS yet, login to DigitalOcean or Vultr
C. Linux Hardening Rules and IPtables Firewall Labs
Recommendations:
For better performance, use a VPS with at least 2 CPUs, 4 GB of memory, a 1 Gbps link, and SSD storage.
Listing Active IP Addresses using tcptrack
In order to understand the next articles/labs, such as the IPtables and IPset black/white lists, I recommend that you get familiar with IP address listing and tracking techniques. My favorite tools for listing and tracking the IP addresses connected to my VPS are tcptrack and netstat. Both let you list the unique or active connected IP addresses so that you can analyze their activity.
tcptrack is a sniffer that shows information about TCP connections on a specific interface. It tracks only active TCP connections and shows live information (bandwidth, idle time and state) per connection.
Run the following steps (1 to 4)
1. Show and Install tcptrack
Debian Based
aptitude update
aptitude show tcptrack
then install…
aptitude install tcptrack
Red Hat Based
yum update
yum install tcptrack
2. Run tcptrack on eth0
tcptrack -i eth0
Note: Since you probably have no services installed yet except ssh, you won't see much traffic; come back to this once your Web Hosting Solution services are up and running.
3. Run tcptrack with the -r switch
-r makes tcptrack wait the given number of seconds before it removes a closed connection from the screen (the default is 2 seconds):
tcptrack -dfi eth0 -r 10
4. Run tcptrack with port filtering
tcptrack -dfi eth0 port 22
TIP: To see ssh activities, open a new SSH window while running the above command in different window.
Available tcptrack Switches
-d Only track connections that were started after tcptrack was started. Do not try to detect existing connections.
-f Enable fast average recalculation. TCPTrack will calculate the average speeds of connections by using a running average.
-h Display command line help.
-i [interface] Sniff packets from the specified network interface.
-T [pcap file] Read packets from the specified file instead of sniffing from the network. Useful for testing.
-p Do not put the interface being sniffed into promiscuous mode.
-r [seconds] Wait this many seconds before removing a closed connection from the display. Defaults to 2 seconds. See also the pause interactive command (below).
-v Display tcptrack version
Interactive Commands
The following keys may be pressed while tcptrack is running to change runtime options:
p – Pause/unpause display. No new connections will be added to the display, and all currently displayed connections will remain in the display.
q – Quit tcptrack.
s – Cycle through the sorting options: unsorted, sorted by rate, sorted by total bytes.
Note: The interactive p key (pause) and s key (sorting) are useful if you are watching a very busy network and want to look at the display without connections jumping around (due to sorting and new connections being added) and disappearing (due to being closed for a certain time).
When paused (via the p key) no new connections are displayed, but tcptrack still monitors and tracks all connections it sees as usual. This affects the display only, not the internals. When you unpause, the display is updated with all the information that tcptrack has been gathering all along.
Listing Active IP Addresses using netstat
Although tcptrack tracks active IP addresses, it cannot filter, sort and count them the way a netstat pipeline can. For more information, see Wikipedia: http://en.wikipedia.org/wiki/Netstat
Note: The following netstat commands are mostly used to check whether the VPS is under an attack such as a Denial of Service (DoS) attack. I have listed a few of them to show how netstat can be used and, at the same time, how to spot bad IP addresses in case you want to block some of them manually.
I assume that you followed my articles/labs in order, especially Linux Hardening Rules and IPtables Firewall Labs, so you should already be protected against certain DoS attacks.
Run the following steps (1 to 6)
Copy and paste them one by one to learn how your VPS interacts with the IP addresses of users trying to view your website; some of those bots/users may be trying to spam or attack your site. These netstat commands only read the socket table, so no changes will take place on your VPS.
1. Show All Active Connections
netstat -unt | grep -v LISTEN | awk '{print $5}' | cut -d: -f1 | grep -v 127.0.0.1
The output is narrowed down to the remote IP addresses of active connections. Notice the duplicates; that is normal, each duplicate is one open session from that IP. The "servers)" and "Address" entries are not hosts: they are the two header lines netstat prints ("Active Internet connections (w/o servers)" and the column titles), and "2001" is the first group of an IPv6 address truncated at its first colon. Step 6 below filters these out.
servers)
Address
24.215.128.64
24.215.128.64
198.41.215.163
24.215.128.64
2001
190.59.42.168
190.59.42.168
190.59.42.168
For port 80 (note that grep :80 matches any address containing ":80", so ports such as 8080 or a remote port 80xx are matched as well; use grep ':80 ' to match the local port exactly)
netstat -unt | grep :80 | grep -v LISTEN | awk '{print $5}' | cut -d: -f1 | grep -v 127.0.0.1
190.59.42.168
190.59.42.168
2. Show all Active/Unique Connections with their Sessions
netstat -unt | grep -v LISTEN | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -rn | grep -v 127.0.0.1
The first column is the number of sessions open from each IP, excluding the loopback address. As above, "servers)", "Address" and "2001" are header and IPv6 residue, not real hosts.
3 24.215.128.64
2 190.59.42.168
1 servers)
1 Address
1 2001
For port 80
netstat -unt | grep :80 | grep -v LISTEN | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -rn | grep -v 127.0.0.1
As you can see, the first line of the output says that 24.215.128.64 has opened 6 sessions on port 80.
6 24.215.128.64
3 24.215.128.64
2 190.59.42.168
3. Count Only Active/Unique IP Addresses
netstat -ntu | grep -v LISTEN | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -rn | grep -v 127.0.0.1 | wc -l
For port 80
netstat -ntu | grep :80 | grep -v LISTEN | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -rn | grep -v 127.0.0.1 | wc -l
4. Count Only Active Sessions Opened
netstat -ntu | grep -v LISTEN | awk '{print $5}' | cut -d: -f1 | grep -v 127.0.0.1 | wc -l
This time the output is only the number of sessions opened by active/unique IP addresses (the header residue is counted too, so subtract it if you need an exact figure). My IP opened six sessions.
6
For port 80
netstat -ntu | grep :80 | grep -v LISTEN | awk '{print $5}' | cut -d: -f1 | grep -v 127.0.0.1 | wc -l
2
Notice that this single pipeline chains seven commands: netstat, grep, awk, cut, sort, uniq, and wc.
5. Finally, List Active IP Addresses and their Open Sessions to Spot Bad IP Addresses
netstat -unt | awk '{print $5}' | sed -n -e '/[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}/p' | sed 's/::ffff://' | cut -d: -f1 | sort | uniq -c | sort -n
The first sed keeps only lines that contain an IPv4 address, which drops the netstat header lines and pure IPv6 entries; the second strips the ::ffff: prefix of IPv4-mapped IPv6 addresses so that they are counted under their IPv4 form.
If you see a repeater IP address with too many sessions, treat it as suspicious. Here I spotted 190.59.42.168: it is a home-user dynamic IP with a negative reputation according to the Symantec lookup at http://ipremoval.sms.symantec.com/lookup/. It has only 2 sessions open, which is not a lot, but it turned out to be an infected machine.
2 190.59.42.168
3 24.215.128.64
Once you implement Building Public and Private IPset Blacklists, many of these IPs, such as the bad address above, will most probably be blocked already, depending on their severity. However, I can still add an IP manually to my custom Admin blacklist in case the global blacklists do not know it yet. I will talk about the custom Admin blacklist next.
It turned out that 190.59.42.168 is an infected PC somewhere that is sending spam. A reverse lookup with nslookup, shown below, returns a dynamic address at TSTT in Trinidad and Tobago, most probably a home user.
root@node:~# nslookup 190.59.42.168
Server:         8.8.4.4
Address:        8.8.4.4
Non-authoritative answer:
168.42.59.190.in-addr.arpa      name = 190-59-42-168.dynamic.tstt.net.tt.
Authoritative answers can be found from:
Remember that you only need these netstat commands if you suspect that your VPS is slow because it is under a heavy attack, or if you want to spot and block a bad repeater IP address that the global blacklist sources do not know yet.
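The pipelines in steps 1 to 5 above work, but they have two rough edges that the sample outputs show: the netstat header lines leak through as "servers)" and "Address", and cutting on the first colon mangles IPv6 addresses, while grep :80 also matches ports such as 8080. The script below is an added example (not code from the original lab) that does the same per-IP session counting with a single awk program that skips the headers, splits the port off at the last colon so IPv6 works, strips the ::ffff: prefix, and filters on the local port exactly. The netstat output it reads is a constructed sample, not a capture from the author's VPS; the IP addresses in it are placeholders.

```shell
#!/bin/sh
# Added example: robust per-IP session counting over `netstat -unt` output.

# Constructed sample of `netstat -unt` output (placeholder addresses).
NETSTAT_SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             24.215.128.64:51234     ESTABLISHED
tcp        0      0 10.0.0.5:80             24.215.128.64:51235     ESTABLISHED
tcp        0      0 10.0.0.5:80             24.215.128.64:51236     ESTABLISHED
tcp        0      0 10.0.0.5:22             24.215.128.64:51300     ESTABLISHED
tcp        0      0 10.0.0.5:80             190.59.42.168:40001     ESTABLISHED
tcp        0      0 10.0.0.5:80             190.59.42.168:40002     TIME_WAIT
tcp        0      0 10.0.0.5:8080           198.41.215.163:33000    ESTABLISHED
tcp6       0      0 ::ffff:10.0.0.5:80      ::ffff:203.0.113.9:4444 ESTABLISHED
tcp6       0      0 2001:db8::5:443         2001:db8:1::7:50000     ESTABLISHED
tcp        0      0 127.0.0.1:3306          127.0.0.1:45000         ESTABLISHED'

# sessions_per_ip [local_port]
# Reads netstat -unt output on stdin and prints "<sessions> <remote-ip>",
# most sessions first. With a port argument, only connections whose LOCAL
# port equals it are counted (so "80" does not match 8080).
sessions_per_ip() {
    awk -v port="$1" '
        # Keep only socket lines; this drops the two netstat header lines
        # that the plain cut/awk pipeline turns into "servers)" and "Address".
        $1 != "tcp" && $1 != "tcp6" && $1 != "udp" && $1 != "udp6" { next }
        {
            laddr = $4; raddr = $5
            # IPv4-mapped IPv6 sockets show as ::ffff:a.b.c.d:port
            sub(/^::ffff:/, "", laddr); sub(/^::ffff:/, "", raddr)
            # The port is everything after the LAST colon; IPv6 addresses
            # contain colons themselves, so cut -d: -f1 would mangle them.
            n = split(laddr, l, ":"); lport = l[n]
            m = split(raddr, r, ":"); rport = r[m]
            rip = substr(raddr, 1, length(raddr) - length(rport) - 1)
            if (port != "" && lport != port) next
            if (rip == "127.0.0.1" || rip == "::1") next
            count[rip]++
        }
        END { for (ip in count) print count[ip], ip }
    ' | sort -rn -k1,1
}

# unique_ip_count [local_port]: number of distinct remote IPs (step 3).
unique_ip_count() {
    sessions_per_ip "$1" | wc -l | tr -d ' '
}

# session_count [local_port]: total open sessions (step 4).
session_count() {
    sessions_per_ip "$1" | awk '{ s += $1 } END { print s + 0 }'
}

# repeaters THRESHOLD [local_port]: IPs with at least THRESHOLD sessions,
# the "repeater" candidates worth checking against a reputation service (step 5).
repeaters() {
    sessions_per_ip "$2" | awk -v t="$1" '$1 >= t'
}

# Stand-alone run over the constructed sample. On a live VPS replace the
# printf with:  netstat -unt | sessions_per_ip 80
printf '%s\n' "$NETSTAT_SAMPLE" | sessions_per_ip
printf '%s\n' "$NETSTAT_SAMPLE" | sessions_per_ip 80
printf '%s\n' "$NETSTAT_SAMPLE" | repeaters 3 80
```

On the sample, the port-80 view counts 3 sessions for 24.215.128.64, 2 for 190.59.42.168 and 1 for the IPv4-mapped 203.0.113.9, and ignores the 8080 connection that grep :80 would have swept in; the unfiltered view also keeps the native IPv6 peer 2001:db8:1::7 intact instead of reporting "2001". Note that, like the original pipelines, TIME_WAIT entries are counted as sessions; add a state check on $6 if you only want ESTABLISHED connections.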