Search the Community

net-Shield An Easy and Simple Anti-DDoS solution for VPS,Dedicated Servers and IoT devices based on iptables An Easy and Simple Anti-DDoS solution for VPS,Dedicated Servers and IoT devices based on iptables. Requirements Linux System with python, iptables Nginx (Will be installed automatically by install.sh) Quickstart Running as a standalone software (No install.sh required) via DryRun option (-dry) to only check connections agains ip/netsets and do not touch iptables firewall. python nshield-main.py -dry For complete install: cd /home/ && git clone https://github.com/fnzv/net-Shield.git && bash net-Shield/install.sh WARNING: This script will replace all your iptables rules and installs Nginx so take that into account Proxy Domains To configure proxydomains you need to enable the option on /etc/nshield/nshield.con (nshield_proxy: 1) and be sure that the proxydomain list (/etc/nshield/proxydomain ) is following this format: mysite.com 123.123.123.123 example.com 111.111.111.111 Usage The above quickstart/installation script will install python if not present and download all the repo with the example config files, after that will be executed a bash script to setup some settings and a cron that will run every 30 minutes to check connections against common ipsets. You can find example config files under examples folder. HTTPS Manually verification is executed with this command under the repository directory: python nshield-main.py -ssl The python script after reading the config will prompt you to insert an email address (For Let's Encrypt) and change your domain DNS to the nShield server for SSL DNS Challenge confirmation. Example: I Will generate SSL certs for sami.pw with Let's Encrypt DNS challenge Insert your email address? (Used for cert Expiration and Let's Encrypt TOS agreement samiii@protonmail.com Saving debug log to /var/log/letsencrypt/letsencrypt.log Renewing an existing certificate Performing the following challenges: dns-01 challenge for sami.pw ------------------------------------------------------------------------------- Please deploy a DNS TXT record under the name _acme-challenge.sami.pw with the following value: wFyeYk4yl-BERO6pKnMUA5EqwawUri5XnlD2-xjOAUk Once this is deployed, ------------------------------------------------------------------------------- Press Enter to Continue Waiting for verification... Cleaning up challenges Now your domain is verified and a SSL cert is issued to Nginx configuration and you can change your A record to this server. How it works Basically this python script is set by default to run every 30 minutes and check the config file to execute these operations: Get latest Bot,Spammers,Bad IP/Net reputation lists and blocks if those Bad guys are attacking your server (Thank you FireHol http://iplists.firehol.org/ ) Enables basic Anti-DDoS methods to deny unwanted/malicious traffic Rate limits when under attack Allows HTTP(S) Proxying to protect your site with an external proxy/server (You need to manually run SSL Verification first time) Demo https://asciinema.org/a/elow8qggzb7q6durjpbxsmk6r Download: net-Shield-master.zip Tested on Ubuntu 16.04 and 14.04 LTS Source: https://github.com/fnzv/net-Shield

Apparently no vulnerability is too small, no application too obscure, to escape a hacker’s notice. A honeypot run by Trustwave’s SpiderLabs research team recently snared an automated attack targeting users of the open source Rejetto HTTP File Server (Rejetto HFS). Someone was trying to exploit a vulnerability—which has since been patched—and install the well-known distributed denial-of-service tool IptabLes (unrelated to the Linux tool), also known as IptabLex. Rejetto HFS has been downloaded more than 24,000 times in the last seven days and according to the project’s website has an estimated 12,500 users and is used as a file-sharing application as well as a webserver. It also runs on Wine, the Windows emulator for Linux systems. “This is just one snapshot, one request. This is one example to extrapolate and take a higher level view; there’s likely a lot more activity out there,” said Ryan Barnett, SpiderLabs lead researcher. It’s likely the attackers have simply incorporated this exploit into a larger attack platform, Barnett said. “That’s the value of honeypots, spotting automated tools scanning the Internet shot-gunning exploits, and hoping it works,” Barnett said. The exploit, sent from a possible compromised IP address in China, was targeting CVE-2014-6287, a remote code execution bug in Rejetto. Specifically, the vulnerability affects Rejetto versions prior to 2.3c; the vulnerability is in the findMacroMarker function. Barnett said the exploit relies on a null byte character to trigger the attack code, which is written in Microsoft VBScript. Once the exploit executes, it tries to connect to a pair of IP addresses hosted in Paris (123[.]108.109.100 and 178[.]33.196.164) on three ports: 80 (HTTP); 53 (DNS); and 443 (HTTPS). Barnett said only 178[.]33.196.164 remains online and is a malware repository responding to XML HTTP Requests (XHR) from the exploit. A file called getsetup.exe is sent to the compromised server along with another executable, ko.exe, which drops IptabLes. Barnett said detection rates are high for the hash of getsetup.exe. IptabLes is a troublesome DDoS tool, capable of synflood and DNSflood attacks. It installs itself into boot for persistence, according to the SpiderLabs research, which added that IptabLes has been widely reported targeting Linux and Unix servers. The vulnerability being targeted was submitted last September. “It’s not very sophisticated, and a lot of times these types of attacks don’t have to be,” Barnett said. “These guys are concerned with scale because they’re running botnets. What makes botnets so nice to the criminals running them is that they don’t care to be stealthy. They can send attacks blindly, and if they’re shut down, they just move on.” Source

O regula simpla cu care puteti face logging sau puteti bloca shellshock. iptables -I INPUT -p tcp -m string --algo bm --string "() {" --dport 80 -j LOG --log-prefix "shellshock rule 1: " Cum apare ? pluto:~# dmesg [12526689.726816] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=192.185.82.92 DST=xxx.xxx.88.5 LEN=287 TOS=0x00 PREC=0x00 TTL=45 ID=21610 DF PROTO=TCP SPT=39893 DPT=80 WINDOW=229 RES=0x00 ACK PSH URGP=0 [12573352.452710] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=108.163.187.146 DST=xxx.xxx.88.10 LEN=421 TOS=0x00 PREC=0x00 TTL=48 ID=25760 DF PROTO=TCP SPT=42647 DPT=80 WINDOW=115 RES=0x00 ACK PSH URGP=0 [12573362.110534] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=184.106.196.169 DST=xxx.xxx.88.7 LEN=419 TOS=0x00 PREC=0x00 TTL=48 ID=55433 DF PROTO=TCP SPT=40201 DPT=80 WINDOW=183 RES=0x00 ACK PSH URGP=0 [12573364.514235] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=110.44.30.204 DST=xxx.xxx.88.6 LEN=429 TOS=0x00 PREC=0x00 TTL=40 ID=20190 DF PROTO=TCP SPT=38820 DPT=80 WINDOW=46 RES=0x00 ACK PSH URGP=0 [12573369.889964] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=194.28.86.63 DST=xxx.xxx.88.5 LEN=420 TOS=0x00 PREC=0x00 TTL=56 ID=32172 DF PROTO=TCP SPT=48732 DPT=80 WINDOW=115 RES=0x00 ACK PSH URGP=0 [12576046.844450] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=72.249.151.145 DST=xxx.xxx.88.5 LEN=428 TOS=0x00 PREC=0x00 TTL=48 ID=11314 DF PROTO=TCP SPT=46735 DPT=80 WINDOW=229 RES=0x00 ACK PSH URGP=0 [12581893.832430] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=89.47.247.48 DST=xxx.xxx.88.4 LEN=427 TOS=0x00 PREC=0x00 TTL=56 ID=47806 DF PROTO=TCP SPT=40027 DPT=80 WINDOW=46 RES=0x00 ACK PSH URGP=0 [12582722.880301] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=180.210.205.209 DST=xxx.xxx.88.10 LEN=394 TOS=0x00 PREC=0x00 TTL=51 ID=34666 DF PROTO=TCP SPT=45498 DPT=80 WINDOW=46 RES=0x00 ACK PSH URGP=0 [12582723.333809] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=180.210.205.209 DST=xxx.xxx.88.10 LEN=397 TOS=0x00 PREC=0x00 TTL=51 ID=59992 DF PROTO=TCP SPT=45599 DPT=80 WINDOW=46 RES=0x00 ACK PSH URGP=0 [12582723.800026] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=180.210.205.209 DST=xxx.xxx.88.10 LEN=370 TOS=0x00 PREC=0x00 TTL=51 ID=5234 DF PROTO=TCP SPT=45681 DPT=80 WINDOW=46 RES=0x00 ACK PSH URGP=0 [12582724.856256] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=180.210.205.209 DST=xxx.xxx.88.10 LEN=367 TOS=0x00 PREC=0x00 TTL=51 ID=13614 DF PROTO=TCP SPT=45879 DPT=80 WINDOW=46 RES=0x00 ACK PSH URGP=0 [12582725.330168] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=180.210.205.209 DST=xxx.xxx.88.10 LEN=379 TOS=0x00 PREC=0x00 TTL=51 ID=19157 DF PROTO=TCP SPT=45962 DPT=80 WINDOW=46 RES=0x00 ACK PSH URGP=0 [12582725.800422] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=180.210.205.209 DST=xxx.xxx.88.10 LEN=397 TOS=0x00 PREC=0x00 TTL=51 ID=53517 DF PROTO=TCP SPT=46069 DPT=80 WINDOW=46 RES=0x00 ACK PSH URGP=0 [12582726.258118] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=180.210.205.209 DST=xxx.xxx.88.10 LEN=370 TOS=0x00 PREC=0x00 TTL=51 ID=53738 DF PROTO=TCP SPT=46149 DPT=80 WINDOW=46 RES=0x00 ACK PSH URGP=0 [12582726.708889] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=180.210.205.209 DST=xxx.xxx.88.10 LEN=367 TOS=0x00 PREC=0x00 TTL=51 ID=29443 DF PROTO=TCP SPT=46236 DPT=80 WINDOW=46 RES=0x00 ACK PSH URGP=0 [12582822.019042] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=23.95.95.168 DST=xxx.xxx.88.8 LEN=426 TOS=0x00 PREC=0x00 TTL=45 ID=51576 DF PROTO=TCP SPT=47145 DPT=80 WINDOW=115 RES=0x00 ACK PSH URGP=0 [12583500.543438] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=173.83.247.209 DST=xxx.xxx.88.6 LEN=304 TOS=0x00 PREC=0x00 TTL=54 ID=35104 DF PROTO=TCP SPT=57258 DPT=80 WINDOW=46 RES=0x00 ACK PSH URGP=0 [12584394.167981] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=103.23.21.67 DST=xxx.xxx.88.5 LEN=427 TOS=0x00 PREC=0x00 TTL=45 ID=29985 DF PROTO=TCP SPT=44368 DPT=80 WINDOW=115 RES=0x00 ACK PSH URGP=0 [12606520.929034] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=94.23.42.182 DST=xxx.xxx.88.7 LEN=419 TOS=0x00 PREC=0x00 TTL=58 ID=19046 DF PROTO=TCP SPT=36147 DPT=80 WINDOW=115 RES=0x00 ACK PSH URGP=0 [12606529.908862] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=85.232.60.34 DST=xxx.xxx.88.5 LEN=420 TOS=0x00 PREC=0x00 TTL=51 ID=14367 DF PROTO=TCP SPT=49751 DPT=80 WINDOW=46 RES=0x00 ACK PSH URGP=0 [12606541.611815] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=67.198.141.98 DST=xxx.xxx.88.6 LEN=429 TOS=0x00 PREC=0x00 TTL=51 ID=8906 DF PROTO=TCP SPT=33844 DPT=80 WINDOW=229 RES=0x00 ACK PSH URGP=0 [12609706.584728] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=67.23.9.241 DST=xxx.xxx.88.5 LEN=428 TOS=0x00 PREC=0x00 TTL=45 ID=10222 DF PROTO=TCP SPT=43102 DPT=80 WINDOW=92 RES=0x00 ACK PSH URGP=0 [12616465.783127] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=67.23.9.241 DST=xxx.xxx.122.5 LEN=427 TOS=0x00 PREC=0x00 TTL=45 ID=24709 DF PROTO=TCP SPT=40671 DPT=80 WINDOW=92 RES=0x00 ACK PSH URGP=0 [12617580.394705] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=213.238.169.117 DST=xxx.xxx.88.8 LEN=426 TOS=0x00 PREC=0x00 TTL=47 ID=13535 DF PROTO=TCP SPT=58437 DPT=80 WINDOW=115 RES=0x00 ACK PSH URGP=0 [12619408.726456] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=202.181.246.66 DST=xxx.xxx.88.5 LEN=427 TOS=0x00 PREC=0x00 TTL=41 ID=13254 DF PROTO=TCP SPT=26414 DPT=80 WINDOW=46 RES=0x00 ACK PSH URGP=0 [12659626.759636] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=192.254.250.180 DST=xxx.xxx.102.3 LEN=293 TOS=0x00 PREC=0x00 TTL=46 ID=61584 DF PROTO=TCP SPT=22274 DPT=80 WINDOW=229 RES=0x00 ACK PSH URGP=0 Note: - Am specificat doar port 80 iar regula este doar pentru logging. Se poate adauga una pentru logging si alta pentru reject/drop - Mai multe despre shellshock aici: http://en.wikipedia.org/wiki/Shellshock_(software_bug) - Mi-a venit ideea asta pentru ca multi sunt tentati sa foloseasca snort. Probabil stiti ca la reguli multe, snort consuma foarte multe resurse CPU

Pentru cine doreste sa blocheze prefixele de adrese ip listate la Spamhaus catre serverul de email (port 25), sau alte porturi: for i in `curl -s http://www.spamhaus.org/drop/drop.lasso |awk '{print $1}'| sed -rn '/([0-9]{1,3}\.){3}[0-9]{1,3}/p'` do iptables -I INPUT -p tcp -s $i --dport 25 -j REJECT --reject-with tcp-reset -m comment --comment "SPAMHAUS" done req: iptables, curl In caz ca nu se vede bine: http://sprunge.us/ThHZ

iptables is built on top of netfilter, the packet alteration framework for Linux 2.4.x and 2.6.x. It is a major rewrite of its predecessor ipchains, and is used to control packet filtering, Network Address Translation (masquerading, portforwarding, transparent proxying), and special effects such as packet mangling. Changes: This release adds support for the Day Transition Ignore option in xt_time. Download Linux IPTables Firewall 1.4.17 ? Packet Storm

Mai jos puteti vedea un firewall minimal pentru Linux, care face urmatoarele lucruri: - Seteaza politica default cu drop (nu accepta niciun pachet, atat pe INPUT, FORWARD cat si pe OUTPUT). - Blocheaza pachetele TCP cu flag-uri invalide. - Blocheaza OS Fingerprint (detectarea sistemului de operare cu nmap sau alte tool-uri pentru os-fingerprint) - Permite icmp echo requests (ping) catre host. - Permite pachetele UDP venite de la nameserverele setate in "/etc/resolv.conf" (Source port 53) - Accepta conexiuni ssh doar de la surse bine stabilite (exemplu: de la office / home) . In acest fel suntem siguri ca daca ne stie cineva parola de la un utilizator, nu va putea intra. Este o buna masura de precautie impotriva scanning-ului. - Permite rularea serviciilor pe porturile standarde pentru: ftp, smtp, web, pop3 si https. Alte note: - EXTDEV reprezinta interfata externa de retea. - In sectiunea SECSHELL se pun adresele IP de unde dorim sa avem acces SSH. - NU folositi comanda "iptables -F" sau "iptables --flush"; politica default este DROP! (daca doriti sa scoateti firewall-ul din functiune, dati stop la el) - In sectiunea SERVICES sunt definite porturile pentru servicii: ftp, smtp, web, pop3 si https. - In acest exemplu minimal, nu exista reguli pe FORWARD. Daca serverul este folosit ca router, nu va functiona. Este necesar sa adaugati reguli pentru forward/nat - Nu folositi acest script inainte de a va da seama ce face exact, in special, nu folositi acest script pe servere la care nu aveti acces fizic, daca nu stiti ce face. - Scriptul se executa impreuna cu un argument: start, stop sau status. #!/bin/sh # Descriere: Firewall minimal pentru linux. ## -- Constante EXTDEV="eth0" SECSHELL="4.2.2.2 8.8.8.8 5.5.5.5" SERVICES="20 21 25 80 110 443" firewall_start () { echo "apply rules ...." ## -- Sterge orice regula prezenta iptables -F iptables -Z iptables -X iptables -F -t nat iptables -Z -t nat iptables -Z -t nat iptables -F -t mangle iptables -Z -t mangle iptables -X -t mangle ## -- Politica default iptables --policy INPUT DROP iptables --policy OUTPUT DROP iptables --policy FORWARD DROP ## -- Permite trafic nelimitat pe localhost iptables -I INPUT -d 127.0.0.0/8 -j ACCEPT iptables -I OUTPUT -s 127.0.0.0/8 -j ACCEPT ## -- Accepta orice conexiune care este stabilizata in momentul initializarii firewall-ului. iptables -I INPUT -m state --state ESTABLISHED -j ACCEPT ## -- Permite orice pachet catre OUT. iptables -I OUTPUT -p all -j ACCEPT ## -- Accepta sursele definite in SECSHELL pentru a se conecta la serviciul SSH. for i in $SECSHELL;do iptables -I INPUT -p tcp -s $i --dport 22 -j ACCEPT;done ## -- Accepta orice icmp echo (ping) iptables -I INPUT -p icmp --icmp-type 8 -j ACCEPT ## -- Blocheaza pachetele invalide iptables -I INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP iptables -I INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP iptables -I INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP iptables -I INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP iptables -I INPUT -p tcp --tcp-flags SYN,ACK NONE -j DROP iptables -I INPUT -p tcp --tcp-flags RST,FIN RST,FIN -j DROP iptables -I INPUT -p tcp --tcp-flags SYN,URG SYN,URG -j DROP iptables -I INPUT -p tcp --tcp-flags ALL SYN,PSH -j DROP iptables -I INPUT -p tcp --tcp-flags ALL SYN,ACK,PSH -j DROP ## -- Accepta orice port listat in SERVICES (pe tcp) for i in $SERVICES;do iptables -I INPUT -p tcp --dport $i -j ACCEPT;done ## -- Accepta orice pachet de la DNS-uri (port sursa 53) - doar cele listate in "/etc/resolv.conf" cat /etc/resolv.conf | \ awk '/^nameserver/ {print $2}' | \ xargs -n1 iptables -I INPUT -p udp --sport 53 -j ACCEPT -s echo "done, fw active." return 0 } firewall_status () { echo "fw status: " iptables -L -n -v return 0 } firewall_stop () { echo "ok. fw stop, clearing rules." iptables -P INPUT ACCEPT iptables -P OUTPUT ACCEPT iptables -P FORWARD ACCEPT iptables -F iptables -Z iptables -X iptables -F -t nat iptables -Z -t nat iptables -Z -t nat iptables -F -t mangle iptables -Z -t mangle iptables -X -t mangle return 0 } case "$1" in start) firewall_start ;; stop) firewall_stop ;; status) firewall_status ;; *) echo "Folosire: $0 {start|status|stop}" exit 1 esac exit 0 ------------------------------- Daca doriti sa puneti tutorialul pe un alt site, va rog sa specificati sursa: https://rstcenter.com/forum/46641-firewall-minimal-pentru-linux.rst "Avem a multumi"