JP Vossen on 2 Feb 2012 20:53:24 -0800



[PLUG] Quick & dirty IP blocking


Today, I had occasion to want to block a couple of IPs from getting to a Linux server. There are a bunch of ways to do that, of course, but from the server itself, iptables and TCP Wrappers come to mind. But I learned about a new one I'd never have thought of that works great.

iptables
Pro:
	Works for everything, powerful, flexible,
	can limit connection attempts
Con:
	Non-trivial setup, potential to block yourself out

TCP Wrappers
Pro:
	Pretty simple
Con:
	Only works for some things that honor it,
	potential to block yourself out

Other notable:
Fail2Ban and DenyHosts both automate blocking using either iptables or TCP Wrappers.


But then I found 'ip route add blackhole ...'
http://en.wikipedia.org/wiki/Nullroute

Pro:
	Probably already installed, trivial to use,
	less overhead than iptables, unlikely to lock yourself out,
	does not survive a reboot
Con:
	Does not survive a reboot


I don't want to automate it, though that would be trivial if I change my mind. The server in question is *supposed* to be wide open and only runs things that need to be wide open, so iptables is overkill. I'm not 100% sure the daemon I wanted to block from those IPs honors TCP Wrappers. And I wanted a really simple solution I wouldn't screw up and lock myself out of my remote server.

'ip route add blackhole 192.168.192.0/24' and done...  Pretty cool.

In less than 5 minutes I had a trivial script to block the addresses, and had added that to /etc/rc.local, after testing, so it will survive a reboot. I'm sure there's a better, ifcfg-related place to put it, but this worked for me. Unlike iptables or (sort-of) TCP Wrappers, it's pretty hard to lock yourself out by goofing up the config unless you block the address or net you are coming from. So this was perfect for what I wanted. YMMV.


Note: I tested first on a VM, but when going live you can always write a turn-it-on and a turn-it-off script and do something like the following untested snippet:
	nohup sh -c './turn-it-on ; sleep 60 ; ./turn-it-off' >/dev/null 2>&1 &


Anyway, maybe a handy trick for your toolbox,
JP
----------------------------|:::======|-------------------------------
JP Vossen, CISSP            |:::======|      http://bashcookbook.com/
My Account, My Opinions     |=========|      http://www.jpsdomain.org/
----------------------------|=========|-------------------------------
"Microsoft Tax" = the additional hardware & yearly fees for the add-on
software required to protect Windows from its own poorly designed and
implemented self, while the overhead incidentally flattens Moore's Law.
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
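An added example, not code from JP's post or from the PLUG list: a small POSIX sh wrapper around the same 'ip route add blackhole' trick that adds the two checks a practitioner would want before running it on a remote box. It validates the address or CIDR it is handed, and it refuses to blackhole any prefix that contains the address you are SSH'd in from, which is exactly the one way the post says you can still lock yourself out. The script name blackhole.sh and the DRY_RUN knob are assumptions of this example; SSH_CLIENT is the variable sshd really sets ("client_ip client_port server_port"). With DRY_RUN=1 (the default here) it only prints the ip(8) commands it would run, so it can be exercised without root and without touching the routing table; set DRY_RUN=0 for real use, e.g. from /etc/rc.local.

```shell
#!/bin/sh
# blackhole.sh (hypothetical name): null-route IPv4 addresses/prefixes with
# `ip route add blackhole`, refusing to cut off the admin's own SSH session.
# DRY_RUN=1 (default) echoes the ip(8) commands instead of executing them.

: "${DRY_RUN:=1}"

# run_cmd: execute the command, or just print it when DRY_RUN=1.
run_cmd() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# ip4_to_int DOTTED: print a dotted quad as a 32-bit decimal integer.
# Returns 1 for anything that is not exactly four octets 0..255.
ip4_to_int() {
    case $1 in *.*.*.*) ;; *) return 1 ;; esac
    a=${1%%.*}; r=${1#*.}
    b=${r%%.*};  r=${r#*.}
    c=${r%%.*};  d=${r#*.}
    for o in "$a" "$b" "$c" "$d"; do
        # digits only, no leading zeros; a fifth dot shows up in $d and is caught here
        case $o in ''|*[!0-9]*|0?*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# cidr_contains PREFIX ADDR: succeed if ADDR lies inside PREFIX.
# PREFIX may be "a.b.c.d/len" or a bare address (treated as /32).
# Returns 2 on malformed input so callers can tell "no" from "garbage".
cidr_contains() {
    net=${1%/*}; plen=${1#*/}
    [ "$1" = "$net" ] && plen=32
    case $plen in ''|*[!0-9]*) return 2 ;; esac
    [ "$plen" -le 32 ] || return 2
    net_i=$(ip4_to_int "$net") || return 2
    addr_i=$(ip4_to_int "$2") || return 2
    [ "$plen" -eq 0 ] && return 0
    mask=$(( (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF ))
    [ $(( net_i & mask )) -eq $(( addr_i & mask )) ]
}

# blackhole_add PREFIX: add the null route, unless PREFIX covers the address
# this SSH session came from (sshd sets SSH_CLIENT="ip port serverport").
blackhole_add() {
    target=$1
    if [ -n "$SSH_CLIENT" ]; then
        me=${SSH_CLIENT%% *}
        if cidr_contains "$target" "$me"; then
            echo "refusing to blackhole $target: it contains your SSH client $me" >&2
            return 1
        fi
    fi
    run_cmd ip route add blackhole "$target"
}

# blackhole_del PREFIX: remove a null route added above.
blackhole_del() {
    run_cmd ip route del blackhole "$1"
}

# blackhole_trial PREFIX SECONDS: add the route, wait, remove it again, detached
# from the terminal so a dropped session cannot leave the route in place.
# Same idea as the post's turn-it-on / sleep / turn-it-off snippet.
blackhole_trial() {
    cmd="ip route add blackhole $1; sleep $2; ip route del blackhole $1"
    if [ "$DRY_RUN" = 1 ]; then
        echo "nohup sh -c '$cmd' &"
    else
        nohup sh -c "$cmd" >/dev/null 2>&1 &
    fi
}

# Command-line use: blackhole.sh add|del|trial PREFIX [SECONDS]
case ${1-} in
    add)   blackhole_add "$2" ;;
    del)   blackhole_del "$2" ;;
    trial) blackhole_trial "$2" "${3:-60}" ;;
esac
```

Current null routes can be listed with 'ip route show type blackhole'. Note the SSH_CLIENT check only protects the session running the script; an rc.local invocation has no SSH_CLIENT and will add whatever it is told, so keep the reboot-time list short and reviewed.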