[PLUG] Quick & dirty IP blocking

JP Vossen on 2 Feb 2012 20:53:24 -0800

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[PLUG] Quick & dirty IP blocking

From: JP Vossen <jp@jpsdomain.org>
To: Philadelphia Linux User's Group Discussion List <plug@lists.phillylinux.org>
Subject: [PLUG] Quick & dirty IP blocking
Date: Thu, 02 Feb 2012 23:53:18 -0500
Reply-to: Philadelphia Linux User's Group Discussion List <plug@lists.phillylinux.org>
Sender: plug-bounces@lists.phillylinux.org
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.24) Gecko/20111108 Thunderbird/3.1.16

Today, I had occasion to want to block a couple of IPs from getting to aLinux server. There are a bunch of ways to do that, of course, but fromthe server itself, iptables and TCP Wrappers come to mind. But Ilearned about a new one I'd never have thought of that works great.


iptables
Pro:
	Works for everything, powerful, flexible,
	can limit connection attempts
Con:
	Non-trivial setup, potential to block yourself out

TCP Wrappers
Pro:
	Pretty simple
Con:
	Only works for some things that honor it,
	potential to block yourself out

Other notable:

Fail2Ban and DenyHosts both automate blocking using either iptables orTCP Wrappers.



But then I found 'ip route add blackhole ...'
http://en.wikipedia.org/wiki/Nullroute

Pro:
	Probably already installed, trivial to use,
	less overhead than iptables, unlikely to lock yourself out,
	does not survive a reboot
Con:
	Does not survive a reboot

I don't want to automate it, though that would be trivial if I change mymind. The server is question is *supposed* to be wide open and onlyruns things that need to be wide open, so iptables is overkill. I'm not100% sure the daemon I wanted to block from those IPs honors TCPWrappers. And I wanted a really simple solution I wouldn't screw up andlock myself out of my remote server.


'ip route add blackhole 192.168.192.0/24' and done...  Pretty cool.

In less that 5 minutes I had a trivial script to block the addresses,and had added that to /etc/rc.local, after testing, so it will survive areboot. I'm sure there's a better, ifcfg-related place to put it, butthis worked for me. Unlike iptables or (sort-of) TCP Wrappers, it'spretty hard to lock yourself out by goofing up the config unless youblock the address or net you are coming from. So this was perfect forwhat I wanted. YMMV.

Note: I tested first on a VM, but when going live you can always write aturn-it-on and a turn-it-off script and do something like the followinguntested snippet:

	nohup ( ./turn-it-on ; sleep 60 ; ./turn-it-off )


Anyway, maybe a handy trick for your toolbox,
JP
----------------------------|:::======|-------------------------------
JP Vossen, CISSP            |:::======|      http://bashcookbook.com/
My Account, My Opinions     |=========|      http://www.jpsdomain.org/
----------------------------|=========|-------------------------------
"Microsoft Tax" = the additional hardware & yearly fees for the add-on
software required to protect Windows from its own poorly designed and
implemented self, while the overhead incidentally flattens Moore's Law.
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug

Follow-Ups:
- Re: [PLUG] Quick & dirty IP blocking
  - From: sean finney <seanius@seanius.net>
- Re: [PLUG] Quick & dirty IP blocking
  - From: Joe Terranova <joeterranova@gmail.com>

Prev by Date: [PLUG] Glances
Next by Date: Re: [PLUG] Quick & dirty IP blocking
Previous by thread: [PLUG] Glances
Next by thread: Re: [PLUG] Quick & dirty IP blocking
Index(es):
- Date
- Thread