Guardian ban - permanent

Questions to IPFire Addons.
dcolhoun
Posts: 6
Joined: February 21st, 2017, 10:51 am

Guardian ban - permanent

Post by dcolhoun » February 23rd, 2017, 5:37 pm

Is there a way to make the guardian bans permanent?

bloater99
Posts: 482
Joined: October 13th, 2014, 3:47 pm

Re: Guardian ban - permanent

Post by bloater99 » February 23rd, 2017, 7:11 pm

You can increase the block time on the Guardian page. I don't know how high a value it will accept though. I'd imagine 10 yrs would be the equivalent of "permanent" for you, and that number is 315532800 seconds. You could certainly try that and see what happens.

May I ask why, though? Surely someone that tries to get in and is blocked for 24 hrs will have better things to do and move on to easier targets. Besides, if they do try again on hour 25, they just get blocked for another 24 hrs.

dcolhoun
Posts: 6
Joined: February 21st, 2017, 10:51 am

Re: Guardian ban - permanent

Post by dcolhoun » February 24th, 2017, 5:21 am

There are a couple of addresses that keep trying no matter how many times they get blocked. So I thought I would just ban them forever.

twilson
Posts: 457
Joined: October 31st, 2014, 9:26 am
Location: Germany

Re: Guardian ban - permanent

Post by twilson » February 28th, 2017, 10:40 am

Hello,

How many IP addresses do you want to block permanently? Which ones are they?

One solution might be:
(a) Set up a new host group containing all the IP addresses you want to block.
(b) Create a new firewall rule with Source = The group you created in the first step, Destination = Any, Protocol = Any and Action = DROP. Put it on top of your existing rules so there is no other rule (e.g. port forwarding) which might allow network traffic coming from these IPs.
(c) Hit "Apply" and you're done.

As you can see, this solution does not scale very well. In case you have more than ~ 25 IPs, it becomes unpleasant to enter all the addresses manually. But depending on how known the addresses are, there might be another way. Is it possible for you to post them here?

Best regards,
Timmothy Wilson

kpratte
Posts: 11
Joined: March 24th, 2015, 6:19 pm

Re: Guardian ban - permanent

Post by kpratte » February 28th, 2017, 9:53 pm

I just finished up doing something a little more elegant. Here is what I did:

1) Create/update /etc/sysconfig/firewall.local

Code:

#!/bin/sh
# Used for private firewall rules

# See how we were called.

# Blacklist file: one IP address per line. A missing file just yields an empty list.
BLACKLIST=$(cat /etc/sysconfig/blacklist 2>/dev/null)

case "$1" in
  start)
        ## add your 'start' rules here
        iptables -F CUSTOMINPUT
        iptables -F CUSTOMOUTPUT
        echo "dropping CUSTOMINPUT..."
        for black in $BLACKLIST; do
                iptables -A CUSTOMINPUT -s "$black" -j DROP
        done
        echo "dropping CUSTOMOUTPUT..."
        for black2 in $BLACKLIST; do
                iptables -A CUSTOMOUTPUT -d "$black2" -j DROP
        done
        ;;
  stop)
        ## add your 'stop' rules here
        iptables -F CUSTOMINPUT
        iptables -F CUSTOMOUTPUT
        ;;
  reload)
        $0 stop
        $0 start
        ## add your 'reload' rules here
        ;;
  *)
        echo "Usage: $0 {start|stop|reload}"
        ;;
esac
2) Create /etc/fcron.hourly/fail2ban.sh
3) chmod 755 /etc/fcron.hourly/fail2ban.sh

Code:

#!/bin/bash
# Merge the source addresses currently blocked in the GUARDIAN chain into the persistent blacklist.
# Without -v the columns are fixed (target prot opt source destination), so the source is always $4;
# NR > 2 skips the two header lines and the pattern keeps plain IPv4 addresses only.
BLACKLIST=/etc/sysconfig/blacklist; touch "$BLACKLIST"
iptables -nL GUARDIAN | awk 'NR > 2 && $4 ~ /^[0-9.]+$/ { print $4 }' > "$BLACKLIST.tmp"
# Write to a new file and rename: redirecting straight back into $BLACKLIST would truncate it before it is read.
sort -u "$BLACKLIST" "$BLACKLIST.tmp" > "$BLACKLIST.new" && mv "$BLACKLIST.new" "$BLACKLIST"

So, what will happen is that once an hour it will dump the guardian iptable, extract the IP addresses, sort them, and give you only the unique ones. Since it runs hourly, there will be duplicates every day. On reboot or firewall rule change, the IPs will get loaded into the CUSTOMINPUT and CUSTOMOUTPUT iptables and be blocked.

- Ken

dcolhoun
Posts: 6
Joined: February 21st, 2017, 10:51 am

Re: Guardian ban - permanent

Post by dcolhoun » March 22nd, 2017, 12:18 pm

Thanks for the excellent suggestions. Will give it a try.

datamorgana
Posts: 54
Joined: May 16th, 2014, 7:51 am

Re: Guardian ban - permanent

Post by datamorgana » March 22nd, 2017, 1:06 pm

Personally I think that permanent blocks are not that effective since attackers usually come from sites with dynamic source IP addresses like xDSL, Cable or Cloud systems and can easily change their address while the attacks remain the same. Blocking Amazon AWS source IP addresses for instance could have a negative side effect on other services that might have moved to a source IP that maybe was used by an attacker some months ago. Makes you wonder why some service or site doesn't work all of a sudden.

Just my 2 cents...

dcolhoun
Posts: 6
Joined: February 21st, 2017, 10:51 am

Re: Guardian ban - permanent

Post by dcolhoun » April 1st, 2017, 5:30 am

@datamorgana I think that is a valid point, even if the chances are small.
