Oct 24

Add this line to the system crontab (/etc/crontab, whose entries carry a user field before the command) so the script runs every minute:

* * * * * root /home/cnscn/sh/ssh_scan_crontab.sh >/dev/null 2>&1

The ssh_scan_crontab.sh script:

$ cat /home/cnscn/sh/ssh_scan_crontab.sh
#!/bin/bash
# Author http://jabin.cublog.cn
# Modify cnscn http://cnscn2008.cublog.cn
# Modify xinyv

# Use the C locale so strftime's %b yields the English month abbreviation that
# syslog writes (LC_ALL does not change the timezone; the log is in local time)
export LC_ALL=C

# Gather the last minute of sshd failures from /var/log/secure, count them per
# source IP and emit "count=ip" pairs; the offending IPs are then dropped by iptables
SCANNER=$(awk 'BEGIN{ tm=strftime("%b %e %H:%M",systime()-60);}  $0 ~ tm && /Failed password/ && /ssh2/ {print $(NF-3)}' /var/log/secure |sort|uniq -c |awk '{print $1"="$2;}')

for i in $SCANNER
do
    echo "$i"
    # get failure count
    NUM=$(echo "$i" | awk -F= '{print $1}')

    # get ip address
    IP=$(echo "$i" | awk -F= '{print $2}')

    # drop and log, unless a rule for this IP already exists
    # (-F -w matches the literal address as a whole word, so 10.0.0.1 does not match 10.0.0.10)
    if [ "$NUM" -gt 5 ] && ! /sbin/iptables -vnL INPUT | grep -qFw -- "$IP"
    then
        /sbin/iptables -I INPUT -s "$IP" -j DROP
        # record the rule so myiptables.sh can replay it after a reboot
        echo "/sbin/iptables -I INPUT -s $IP -j DROP" >> /home/cnscn/sh/ssh_scan_iptables.sh
        # logger -f would read the message from a file; pass the message as an argument instead
        logger -i -t "ssh_scan_crontab" "dropped $IP ($NUM failed logins in the last minute)"
    fi
done
#End of Script

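The counting step above is the part worth testing before it is wired to iptables. The following added example (mine, not the post's script) reimplements it as shell functions over stdin so it can be run on constructed log lines: failed_counts, over_threshold and last_minute are names I chose, the log lines use documentation addresses and are constructed, and the last_minute helper assumes GNU date. It takes the address from the token after "from" and checks that it looks like IPv4 rather than relying on a fixed field offset, and the dry run at the end prints the rule it would add instead of executing it.

```shell
#!/bin/sh
# Added example (not the post's script): the per-IP failure count behind
# ssh_scan_crontab.sh, written as functions over stdin so it can be exercised
# on constructed log lines without touching iptables or /var/log/secure.

# Constructed sample of /var/log/secure lines (documentation addresses, not real data).
SAMPLE_LOG='Oct 24 10:15:01 host sshd[2001]: Failed password for root from 203.0.113.5 port 40001 ssh2
Oct 24 10:15:02 host sshd[2002]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Oct 24 10:15:03 host sshd[2003]: Failed password for root from 203.0.113.5 port 40003 ssh2
Oct 24 10:15:04 host sshd[2004]: Failed password for root from 203.0.113.5 port 40004 ssh2
Oct 24 10:15:05 host sshd[2005]: Failed password for root from 203.0.113.5 port 40005 ssh2
Oct 24 10:15:06 host sshd[2006]: Failed password for root from 203.0.113.5 port 40006 ssh2
Oct 24 10:15:07 host sshd[2007]: Failed password for bob from 198.51.100.9 port 50001 ssh2
Oct 24 10:15:08 host sshd[2008]: Accepted password for bob from 198.51.100.9 port 50002 ssh2
Oct 24 10:14:59 host sshd[2009]: Failed password for root from 192.0.2.77 port 60001 ssh2
Oct 24 10:14:58 host sshd[2010]: Failed password for root from 192.0.2.77 port 60002 ssh2
Oct 24 10:14:57 host sshd[2011]: Failed password for root from 192.0.2.77 port 60003 ssh2
Oct 24 10:14:56 host sshd[2012]: Failed password for root from 192.0.2.77 port 60004 ssh2
Oct 24 10:14:55 host sshd[2013]: Failed password for root from 192.0.2.77 port 60005 ssh2
Oct 24 10:14:54 host sshd[2014]: Failed password for root from 192.0.2.77 port 60006 ssh2'

# failed_counts "<Mon dd HH:MM>"   (log on stdin)
# Prints "<count> <ip>" for each source IP with "Failed password" lines in that
# minute, highest count first.  The address is the token after "from" and must
# look like IPv4 (IPv6 logins would need a second pattern); this is more robust
# than the original's fixed $(NF-3) field offset.
failed_counts() {
    awk -v tm="$1" '
        index($0, tm) == 1 && /Failed password/ && /ssh2/ {
            for (i = 1; i < NF; i++)
                if ($i == "from" && $(i + 1) ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
                    n[$(i + 1)]++
                    break
                }
        }
        END { for (ip in n) print n[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# over_threshold "<Mon dd HH:MM>" <max_failures>   (log on stdin)
# Prints only the IPs that exceeded the threshold (the original drops at > 5).
over_threshold() {
    failed_counts "$1" | awk -v th="$2" '$1 > th { print $2 }'
}

# last_minute: the window the original computes with gawk strftime.
# GNU date is assumed; the C locale keeps the month abbreviation English.
last_minute() {
    LC_ALL=C date -d '1 minute ago' '+%b %e %H:%M'
}

# Dry run on the constructed log: print the rules that would be added instead of
# executing them, so the list can be reviewed before any block is applied.
printf '%s\n' "$SAMPLE_LOG" | over_threshold 'Oct 24 10:15' 5 |
    while read -r ip; do
        echo "would run: /sbin/iptables -I INPUT -s $ip -j DROP"
    done
```

Against the real log the pipeline would be `over_threshold "$(last_minute)" 5 < /var/log/secure`; keeping the threshold and window as arguments makes it easy to try stricter settings on archived logs before changing the cron job.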
Run it at boot (the chkconfig header lets the script be registered as an init script):
$ cat myiptables.sh
#!/bin/bash
#chkconfig: 345 85 15
#description: my iptables rules, which run automatically at system start

# This is a script
# Edit by liwei, cnscn
# establish a static firewall

#network interface
interdevice="eth0"

#port
#21       ftp
#15022    sshd
#25       smtp
#53       named
#80       http
#110      pop3

#Allow Access port
Open_ports="21 20 22 80"

#(defined but not used by this script)
Allow_ports="21 20 80 "

#clean old rules
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X

#Add rule for drop bad ip
#(the file written by ssh_scan_crontab.sh; skipped if it does not exist yet)
[ -f /home/cnscn/sh/ssh_scan_iptables.sh ] && sh /home/cnscn/sh/ssh_scan_iptables.sh

#Allow My ip
/sbin/iptables -I INPUT -s 111.127.xxx.xxx -j ACCEPT

for eths in $interdevice ; do

  #
  #iptables -A INPUT -i ! $eths -j ACCEPT

  #Allow replies to connections this host opened (DNS answers, downloads, ...);
  #without this the catch-all REJECT below would cut off all outbound traffic
  iptables -A INPUT -i $eths -m state --state ESTABLISHED,RELATED -j ACCEPT

  #Allow access to the listed ports (--dport)
  for Port in $Open_ports ; do
    iptables -A INPUT -i $eths -p tcp --dport $Port -j ACCEPT
    iptables -A INPUT -i $eths -p udp --dport $Port -j ACCEPT
  done

  #Reject everything else (a reset / port-unreachable gives clients a fast failure)
  iptables -A INPUT -i $eths -p tcp -j REJECT --reject-with tcp-reset
  iptables -A INPUT -i $eths -p udp -j REJECT --reject-with icmp-port-unreachable
done

#forbidden ping (1 = ignore all ICMP echo requests; 0 would answer them)
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

#End of Script
    Mar 02

    If you run a busy DNS server or any other service that handles a lot of UDP traffic, your default iptables conntrack settings (the connection tracking table kept in kernel memory) may be too low, and netfilter will be unable to track all your sessions.

    The error is usually something like this:

    Sep 10 12:53:44 hostname01 kernel: ip_conntrack: table full, dropping packet.

    You need to tune the sysctl net.ipv4.ip_conntrack_max value: double it, or raise it further, and then check whether the error messages still appear on the console or in syslog.

    Depending on your OS, the formula for calculating the maximum number of conntrack sessions your box can handle is as follows:

    The size of each session record depends on the kernel configuration and many other compile options. For 2.6.* kernels it is around 300 bytes.

    You can also easily check the current usage of connection tracking:

    wc -l /proc/net/ip_conntrack

    Default sysctl settings for Red Hat Enterprise boxes; possibly the same applies to Fedora and CentOS.

    net.ipv4.netfilter.ip_conntrack_tcp_max_retrans = 3
    net.ipv4.netfilter.ip_conntrack_tcp_be_liberal = 0
    net.ipv4.netfilter.ip_conntrack_tcp_loose = 3
    net.ipv4.netfilter.ip_conntrack_tcp_timeout_max_retrans = 300
    net.ipv4.netfilter.ip_conntrack_log_invalid = 0
    net.ipv4.netfilter.ip_conntrack_generic_timeout = 600
    net.ipv4.netfilter.ip_conntrack_icmp_timeout = 30
    net.ipv4.netfilter.ip_conntrack_udp_timeout_stream = 180
    net.ipv4.netfilter.ip_conntrack_udp_timeout = 30
    net.ipv4.netfilter.ip_conntrack_tcp_timeout_close = 10
    net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait = 120
    net.ipv4.netfilter.ip_conntrack_tcp_timeout_last_ack = 30
    net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait = 60
    net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait = 120
    net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 432000
    net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_recv = 60
    net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_sent = 120
    net.ipv4.netfilter.ip_conntrack_checksum = 1
    net.ipv4.netfilter.ip_conntrack_buckets = 8192
    net.ipv4.netfilter.ip_conntrack_count = 18988
    net.ipv4.netfilter.ip_conntrack_max = 34576

    You can also decrease net.ipv4.netfilter.ip_conntrack_tcp_timeout_established, by at least half:

    sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=216000
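The advice above (watch the count against the max, and double the max while the kernel still logs drops) is easy to turn into a repeatable check. The following added example is mine, not from the post: it reads the count/max pair from sysctl output, counts "table full" events in a syslog excerpt, and applies the doubling rule. The function names, the 80% warning threshold and all sample data are my own constructions; the net.netfilter.nf_conntrack_* key names are what current kernels use in place of the ip_conntrack_* keys listed above, so the parser accepts both.

```shell
#!/bin/sh
# Added example (not from the post): a conntrack capacity check that reads the
# count/max pair from sysctl output, counts "table full" events in a syslog
# excerpt, and applies the post's rule of thumb (double conntrack_max while the
# table is filling up or the kernel reports drops).  Sample data is constructed.

# Constructed sysctl output.  Older 2.6 kernels expose the ip_conntrack_* keys
# shown in the post; current kernels use net.netfilter.nf_conntrack_* instead.
SYSCTL_OLD='net.ipv4.netfilter.ip_conntrack_buckets = 8192
net.ipv4.netfilter.ip_conntrack_count = 18988
net.ipv4.netfilter.ip_conntrack_max = 34576'
SYSCTL_NEW='net.netfilter.nf_conntrack_buckets = 65536
net.netfilter.nf_conntrack_count = 200000
net.netfilter.nf_conntrack_max = 262144'

# Constructed syslog excerpt with two table-full events and one unrelated line.
SAMPLE_SYSLOG='Sep 10 12:53:44 hostname01 kernel: ip_conntrack: table full, dropping packet.
Sep 10 12:53:44 hostname01 kernel: ip_conntrack: table full, dropping packet.
Sep 10 12:54:01 hostname01 named[1234]: client 198.51.100.7#53012: query: example.com IN A'

# conntrack_value <count|max|buckets>   (sysctl output on stdin)
# Matches only the key suffix, so both key families work.
conntrack_value() {
    awk -v key="$1" -F' = ' '$1 ~ ("(ip|nf)_conntrack_" key "$") { print $2; exit }'
}

# conntrack_usage_pct   (sysctl output on stdin): integer percent of the table in use
conntrack_usage_pct() {
    data=$(cat)
    count=$(printf '%s\n' "$data" | conntrack_value count)
    max=$(printf '%s\n' "$data" | conntrack_value max)
    echo $(( count * 100 / max ))
}

# table_full_events   (syslog on stdin): how many drops the kernel logged
table_full_events() {
    awk '/conntrack: table full, dropping packet/ { n++ } END { print n + 0 }'
}

# recommend_max <usage_pct> <table_full_count> <current_max>
# Doubles the table when it is at least 80% full (a threshold chosen for this
# example) or when drops were logged; otherwise keeps the current value.
recommend_max() {
    if [ "$1" -ge 80 ] || [ "$2" -gt 0 ]; then
        echo $(( $3 * 2 ))
    else
        echo "$3"
    fi
}

# live_check: the same logic against the running kernel (not executed here).
# Apply the result with: sysctl -w net.netfilter.nf_conntrack_max=<value>
# (or the net.ipv4.netfilter.ip_conntrack_max key on an ip_conntrack kernel).
live_check() {
    data=$(sysctl -a 2>/dev/null | grep conntrack)
    pct=$(printf '%s\n' "$data" | conntrack_usage_pct)
    drops=$(table_full_events < /var/log/messages)
    recommend_max "$pct" "$drops" "$(printf '%s\n' "$data" | conntrack_value max)"
}

# Demo on the constructed data
pct=$(printf '%s\n' "$SYSCTL_OLD" | conntrack_usage_pct)
drops=$(printf '%s\n' "$SAMPLE_SYSLOG" | table_full_events)
echo "usage ${pct}%, ${drops} table-full events -> recommended max $(recommend_max "$pct" "$drops" 34576)"
```

Run from cron, live_check gives a number to compare against the current max each hour; the post's own check, `wc -l /proc/net/ip_conntrack` (or /proc/net/nf_conntrack on current kernels), is the slower equivalent of reading the count key, since it lists every tracked entry.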

    I hope this helps you with your Linux server network stack tuning. Good luck!
