Emerging Threats and Geo-Protection (Ubuntu)

https://www.neblink.net/emerging-threats/

This will configure the iptables firewall with an IP blocklist for specific countries and an IP blocklist for IPs and IP netblocks that are known threats. It uses the ipset utility so that blocklist updates are faster and the firewall can match a source address against the whole list in a single rule.

Install ufw, the ipset utility and the Perl Net::IP module used by the aggregation script

apt -y install ufw ipset libnet-ip-perl


Download the script that aggregates CIDR address blocks

wget -O /usr/local/bin/ip-aggregate.pl https://www.neblink.net/blocklist/linux-scripts/ip-aggregate.pl
chmod +rx /usr/local/bin/ip-aggregate.pl


Country Blocking

Download the script that loads the address ranges of the blocked countries. Edit the ISO= line in the script with the two-letter (lowercase) ISO country codes of the countries you wish to block. See IPdeny IP country blocks for the available country zones.

wget -O /usr/local/bin/country-block.sh https://www.neblink.net/blocklist/linux-scripts/country-block.sh
chmod +rx /usr/local/bin/country-block.sh

Run the script

/usr/local/bin/country-block.sh

Create a scheduled task (cron job) to update the country blocklist weekly

(crontab -l ; echo "@weekly /usr/local/bin/country-block.sh" )| crontab -


Emerging Threats Blocklist

Download the script that loads the blocklist of known threat IPs and netblocks.

wget -O /usr/local/bin/emerging-threats-update.sh https://www.neblink.net/blocklist/linux-scripts/emerging-threats-update.sh
chmod +rx /usr/local/bin/emerging-threats-update.sh

Run the script

/usr/local/bin/emerging-threats-update.sh

Create a scheduled task (cron job) to update the threat list daily

(crontab -l ; echo "@daily /usr/local/bin/emerging-threats-update.sh" )| crontab -


Firewall Setup

Create firewall rules that allow only ssh (tcp/22) and Webmin (tcp/10000) and that log (with the prefixes "GEO DROP: " and "THREAT DROP: ") and drop traffic from sources in the defined blocklists.

cat > /etc/iptables.up.rules <<EOF
*filter
:OUTPUT ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-N GEODROP
-A GEODROP -j LOG --log-level info --log-prefix "GEO DROP: "
-A GEODROP -j DROP
-N ETDROP
-A ETDROP -j LOG --log-level info --log-prefix "THREAT DROP: "
-A ETDROP -j DROP
-A INPUT -p tcp -m set --match-set geo-block src -j GEODROP
-A INPUT -p tcp -m set --match-set threat-ip src -j ETDROP
-A INPUT -p tcp -m set --match-set threat-net src -j ETDROP
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport ssh -j ACCEPT
COMMIT
EOF
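The rules above match on the ipsets geo-block, threat-ip and threat-net, which the downloaded scripts populate. As an added example (not one of the neblink scripts, whose contents this page does not show), the following shows how such a set can be reloaded atomically: the new list is built in a temporary set and then swapped into the live one, so the GEODROP and ETDROP rules keep matching the old list until the new one is in place. It assumes a hash:net set named geo-block and a locally supplied file of CIDR blocks; the sample addresses are constructed RFC 5737 documentation ranges, not real feed data.

```shell
#!/bin/sh
# Added example: atomic ipset blocklist reload (not one of the neblink scripts).
# Assumption: the live set is hash:net and named like the sets the firewall
# rules match on (geo-block here). The new list is built in <set>.tmp and swapped in.

# Emit an 'ipset restore' session for <set>.tmp from a file of CIDR blocks.
# Blank lines and '#' comments are ignored, duplicates collapsed, and anything
# that is not a.b.c.d or a.b.c.d/nn is dropped so a corrupt feed cannot abort the load.
build_restore_session() {
    set_name="$1"
    cidr_file="$2"
    printf 'create %s.tmp hash:net family inet hashsize 4096 maxelem 262144\n' "$set_name"
    grep -Ev '^[[:space:]]*(#|$)' "$cidr_file" \
        | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$' \
        | sort -u \
        | sed "s/^/add ${set_name}.tmp /"
}

# Load the session and swap it into the live set (requires root and ipset).
# 'ipset swap' exchanges the two sets in one kernel operation, so the iptables
# rules keep matching the old list until the instant the new one is live.
apply_set() {
    set_name="$1"
    cidr_file="$2"
    ipset create "$set_name" hash:net family inet hashsize 4096 maxelem 262144 -exist
    ipset destroy "${set_name}.tmp" 2>/dev/null || true
    build_restore_session "$set_name" "$cidr_file" | ipset restore
    ipset swap "${set_name}.tmp" "$set_name"
    ipset destroy "${set_name}.tmp"
}

# Constructed sample zone file (RFC 5737 documentation ranges, not real feed data).
sample_cidr_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# comment line, ignored
203.0.113.0/24
198.51.100.0/25
198.51.100.0/25
not-an-address
192.0.2.1
EOF
    echo "$f"
}

# Dry run: print the session that would be fed to 'ipset restore'.
build_restore_session geo-block "$(sample_cidr_file)"
if [ "${1:-}" = "apply" ]; then apply_set geo-block "$(sample_cidr_file)"; fi
```

Run it with the argument apply (as root) to actually load and swap the set; without arguments it only prints the session.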

Start Firewall

ufw disable
iptables -F
iptables -X
ufw --force reset
iptables-restore < /etc/iptables.up.rules
ufw --force enable

Create a boot script (/etc/rc.local) that runs the blocklist update scripts and then loads the firewall rules at startup

cat > /etc/rc.local <<EOF
#!/bin/sh -e
#
# rc.local
#
/usr/local/bin/emerging-threats-update.sh
/usr/local/bin/country-block.sh
ufw disable
iptables -F
iptables -X
ufw --force reset
iptables-restore < /etc/iptables.up.rules
ufw --force enable
exit 0
EOF
chmod +x /etc/rc.local


Suggested Next Step

If you want to set up an Internet web server, I would suggest the Virtualmin Internet Server. Otherwise, install the Webmin System Administration Console.
