Section One BBS


Subject: Linux, MIS, and Automatic IP Blocking (A Solution)
Date: Mon Jul 01 2024 10:51 am
From: Scott Street
To: All

Hello fellow Mystic Sysops,

I'm a recent convert. I've been running Mystic for about a month now and
finally connected to Fidonet (again). What sold me on Mystic was the servers
control and the automatic IP blocking: in the last few weeks of having telnet
and ssh ports available to the world, my deny list has reached nearly 1700
entries. I'm sure your systems are even greater.

However, 'iptables' requires root privileges, and I didn't want to create a
security issue (perceived or actual) by marking iptables as SUID or creating a
SUID script that the mystic account could run.  So I came up with this solution.

-- MIS Event --
Type : IP Blocked
Shell: /home/mystic/mystic/mystic-firewall-add.sh @IP@
(and so on)


-/home/mystic/mystic/mystic-firewall-add.sh-
#!/bin/bash
# Called by the MIS "IP Blocked" event as the mystic account; only appends
# the address to the queue file, which root's cron job consumes later.
logger "Mystic Firewall: queueing ${1}"
echo "$1" >> /home/mystic/mystic/semaphore/iptables.add
-eof-


Now to make the root privileges work, I add a cron job that runs every 5
minutes, collecting the new addresses queued into the iptables.add, and run
iptables to actually block them.
-cron entry-
# Mystic Firewall IP Blocker
*/5 * * * * /root/jobs/checkMysticFW.sh >/dev/null
-eof-

-/root/jobs/checkMysticFW.sh-
#!/bin/bash
QUEUE=/home/mystic/mystic/semaphore/iptables.add
if [ -f "$QUEUE" ]; then
  # Move the queue aside first so addresses queued while we work are not lost
  WORK="${QUEUE}.$$"
  mv "$QUEUE" "$WORK"

  while read -r IP; do
    # Only pass plain IPv4 addresses to iptables: the queue file is written by
    # the unprivileged mystic account, so anything else is logged and skipped
    if [[ "$IP" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]; then
      logger "Firewall update: Adding $IP to INPUT DROP"
      /usr/sbin/iptables -A INPUT -s "$IP" -j DROP
    else
      logger "Firewall update: ignoring malformed queue entry: $IP"
    fi
  done < "$WORK"
  rm -f "$WORK"

  /usr/sbin/netfilter-persistent save
  RS=$?
  if [ $RS -eq 0 ]; then
    logger "Firewall Rules saved"
  else
    logger "**WARNING** Firewall Rules failed to save - Res: $RS"
  fi
fi
-eof-

So here is the basic flow of this process:
1) MIS decides to block a given IP because it violates the connection attempt
rules set in the individual server configuration table.
2) MIS executes the "IP Blocked" event, which adds the IP to the list.
3) Every 5 mins, the cron job runs and adds all the queued IPs to the iptables
input filter, and after the new list of IPs have been added, makes them
persistent across restarts with netfilter-persistent.
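The same queue-and-drain design, as an added example that is not Scott's scripts
and not part of the original message. It shows the two checks a root-run consumer
wants before handing data written by an unprivileged account to iptables:
re-validating every line as a plain IPv4 address (so a queue entry can never turn
into an extra iptables argument) and renaming the queue before reading it (so
addresses queued mid-run are not lost). QUEUE_DIR and the IPTABLES command are
assumptions for the demo; IPTABLES defaults to a dry-run echo so the script can
be run without root.

```sh
#!/bin/sh
# Added example, not Scott's scripts: queue/consumer split with validation.
# QUEUE_DIR and IPTABLES are assumptions for this demo; IPTABLES defaults to a
# dry-run echo so it runs without root (set IPTABLES=/usr/sbin/iptables for real use).
set -u

QUEUE_DIR="${QUEUE_DIR:-${TMPDIR:-/tmp}/mystic-fw-demo}"
QUEUE="$QUEUE_DIR/iptables.add"
IPTABLES="${IPTABLES:-echo iptables}"

# Accept only a plain dotted-quad IPv4 address. Flags, whitespace, CIDR
# suffixes and IPv6 are rejected, so a queue entry can never become an
# extra argument to the root iptables call.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Unprivileged side: what the MIS "IP Blocked" event would call as the
# mystic account. Validates before queueing so bad data is caught early.
queue_ip() {
    mkdir -p "$QUEUE_DIR"
    valid_ipv4 "$1" || { echo "refusing to queue '$1'" >&2; return 1; }
    printf '%s\n' "$1" >> "$QUEUE"
}

# Privileged side: what root's cron job would run. Renames the queue first so
# entries appended while it runs are not lost, de-duplicates, re-validates
# every line (the file is writable by the unprivileged account), and reports
# the number of addresses handed to iptables in DRAINED.
drain_queue() {
    DRAINED=0
    [ -f "$QUEUE" ] || return 0
    work="$QUEUE.$$"
    mv "$QUEUE" "$work" || return 1
    sort -u "$work" > "$work.uniq"
    while IFS= read -r ip; do
        if valid_ipv4 "$ip"; then
            logger -t mystic-fw "adding $ip to INPUT DROP" 2>/dev/null || true
            $IPTABLES -A INPUT -s "$ip" -j DROP && DRAINED=$((DRAINED + 1))
        else
            logger -t mystic-fw "ignoring malformed queue entry: $ip" 2>/dev/null || true
        fi
    done < "$work.uniq"
    rm -f "$work" "$work.uniq"
    return 0
}

# Dry-run demonstration with constructed input: a duplicate, an entry carrying
# extra iptables arguments, and a line written straight into the queue file to
# simulate tampering. Only 203.0.113.7 reaches iptables, exactly once.
demo() {
    rm -rf "$QUEUE_DIR"
    queue_ip 203.0.113.7
    queue_ip 203.0.113.7
    queue_ip '198.51.100.9 -j ACCEPT' 2>/dev/null || true
    printf '%s\n' '-j ACCEPT' >> "$QUEUE"
    drain_queue
}

demo
```

In a real deployment the queue_ip half runs as the mystic account from the MIS
event, the drain_queue half runs from root's crontab with IPTABLES pointed at the
real binary, and the queue directory should be writable only by the mystic
account so nothing else on the box can feed lines to the root-run consumer.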

You can track the activity of this process using your system log - journalctl
for me, I'm on Debian 12 (bookworm). 

I hope you find this useful, especially those of you running some flavor of
Linux. Also: some filenames and directories have been changed from my actual to
simplify this message.

Scott Street (1:266/625@fidonet)
Netmail private questions are welcome, and of course Echomail replies as well.

--- Mystic BBS v1.12 A48 (Linux/64)
 * Origin: <=-{ The Digital Post }-=> (1:266/625)

Replies: Re: Linux, MIS, and Automatic IP Blocking (A Solution) (Christian Sacks)