ipset and shorewall

Discussion in 'Linux Networking' started by William Unruh, Oct 16, 2015.

  1. I want to set up a dynamic ssh firewall blocking in order to stop ssh
    attacks and because openssh is abandoning tcpwrapper.

    I set up an ipset setname, sshdeny, in order to use it in shorewall. I
    also want to save and restore the addresses to be blocked across a
    shutdown of shorewall. But I am having trouble reading the addresses
    back in to shorewall and ipset.

    I put an
    ipset save sshdeny -file /etc/shorewall/sshdeny into the stop file

    and tried to put and ipset restore -file /etc/shorewall/sshdeny
    into the start file. But shorewall does not restart-- it says that set
    does not exist and shuts down. Nowhere I put the ipset restore seems not
    to work.

    Here is the situation I put in only the lines which I think have
    relevance.

    zones
    sshd:net ipv4

    (net is the default external network)

    interfaces
    - enp+ detect


    hosts
    net enp+:0.0.0.0/0 -
    sshd enp+:+sshdeny

    rules
    DROP sshd fw tcp,udp -


    But this does not work. When I do
    shorewall start
    I get errors and shorewall stops again.

    .....
    Processing /etc/shorewall/init ...
    Processing /etc/shorewall/tcclear ...
    Setting up Route Filtering...
    Setting up Martian Logging...
    Setting up Proxy ARP...
    Preparing iptables-restore input...
    Running /sbin/iptables-restore...
    iptables-restore v1.4.21: Set sshdeny doesn't exist.

    Error occurred at line: 137
    Try `iptables-restore -h' or 'iptables-restore --help' for more
    information.
    ERROR: iptables-restore Failed. Input is in
    /var/lib/shorewall/.iptables-restore-input
    Processing /etc/shorewall/stop ...
    .........



    files in /etc/shorewall:

    stop
    ---------
    ipset save sshdeny -file /etc/shorewall/sshdeny
    ================

    start
    -------------------
    ipset restore -file /etc/shorewall/sshdeny
    ================

    I get the same problem if I put that last line into the file init.

    However if I put
    ipset create sshdeny hash:ip timeout 800000
    into init, I do not get that error, but now I cannot restore the files,
    Whereever I put ipset restore.... I get that the set already exists, and
    I cannot recover the old addresses into sshdeny.


    Surely this is possible to do.
     
    William Unruh, Oct 16, 2015
    #1
    1. Advertisements

  2. William Unruh

    Bit Twister Guest


    Off hand I did not see a whole lot of "dyanmic" whatever
    keywords/options in your configuration files. :(

    Might I suggest http://www.shorewall.net/Dynamic.html
     
    Bit Twister, Oct 16, 2015
    #2
    1. Advertisements

  3. Teh "dynamic" occurs externally, when my script alters the sshdeny set
    with ipset depending on the reading of the log files for sshd. Since
    sshd is needed from around the world, I cannot just deny everyone. And
    since denial depends on the site having tried to crack root's or other
    system passwords, it needs a bit more data to determine whether this is
    an attack or is just normal "I forgot my password" behaviour. Thus my
    script looks through the auth.log, determines that some IP is trying to
    crack mysystem, and then uses ipset to alter the sshdeny set via ipset.
    That dynamic alteration feeds into iptables immediately, and denies that
    site from further attacks.

    By dynamic I meant that I could add and remove ip addresses while the
    firewall was running and have them implimented immediately without
    having to restart the firewall.
     
    William Unruh, Oct 16, 2015
    #3
  4. William Unruh

    Bit Twister Guest

    FRAP, I can only guess you did not bother to ready the given url.

    I can see I need to kill both cups and shorewall threads.
     
    Bit Twister, Oct 16, 2015
    #4
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.