Whitelist
Important IP Addresses to Whitelist
The following are important IP Addresses that need to be whitelisted. When adding this to an IPTables chain they need to be inserted after you have added your blacklist ipsets or appended as the first items in your chain.
MXToolbox:
This is very useful for ensuring you are RFC Compliant when setting up an email server click here for the link to this information at mxtoolbox.com
- US-EAST-1A: 44.194.168.193/32
- US-EAST-1B: 52.55.244.91/32
- US-EAST-1C: 18.205.72.90/32
- US-EAST-1D: 18.209.86.113/32
LetsEncrypt:
This is used by many so thought I should add the IP Addresses that definately need to be added to run “certbot renew”. This list does not always work as LetsEncrypt uses a number of Amazon Web Services IP addresses when verifying a certificate. Since this is the case if you are using the RBL here (for now only the WordPress firewall) you can drop the ipset US-WA.Seattle using the command:
~]# iptables -D INPUT -m set –match-set US-WA.Seattle src -j DROP
However I will be adding a bash script to this site for doing a LetsEncrypt update.
References
Brain Nutrition
Digital Ocean IP/CIDR in CSV
ipset with firewalld
ipset man page
iptables man page
Microsoft Azure IP Blocks
networksdb.io
WordPress Firewall
This is a free firewall you can implement that is updated regularly. This adds IP CIDRs to ipsets then updates them on IPTables. To use this script setup as a CRON job and it will update when an update is needed. My recommendation is to put this in its own directory as it will download a file for each ipset.
Securing LAMP
Simple script to build a base firewall and Secure LAMP Servers
This script is for securing LAMP servers. It also provides ssh access to specific IP/CIDR addresses and allows only access for ftp, http and https protocols. It also gets set to run at startup. The ipset data is run from a Python application that monitors log and login activity on assorted webservers. To install this setup from the command line on your Linux Server (must be done with root level account):
~]# wget http://dailyblacklist.com/scripts/secure_lamp.sh
~]# chmod +x secure_lamp.sh # Makes file executable
~]# ./secure_lamp.shDokoddo
The way of Walking Alone
1.) Do not oppose the Ways of the world
2.) Do not seek pleasure for its own sake
3.) Do not, under any circumstances, depend on a partial feeling
4.) Think lightly of yourself and deeply of the world
5.) Be detached from desire your whole life long
6.) Do not regret your past deeds
7.) Never be jealous of others, good or bad
8.) Never let yourself be saddened by a separation
9.) Hold no grudges against yourself or others
10.) Steer clear of the path to attachment
11.) In all things, do not have any preferences.
12.) Have no luxury in your house
13.) Pursue no delicacies for yourself
14.) Do not hold on to possessions you no longer need
15.) Have trust in yourself and avoid superstitious beliefs
16.) Do not concern yourself with superfluous trappings, only the tools of your trade
17.) Do not shun death in the Way
18.) Do not seek goods or fiefs in your old age
19.) Respect Buddha and the gods but ask them for nothing
20.) Sacrifice your life before you sacrifice your name
21.) Never stray from the Way of strategy
— Myamoto Musashi 1584-1645
IPTables
IPTables is the first focus for demonstrating how to identify and eliminate IP blocks to protect a server, protocol or ports. Although there is much ado about firewalld my preference is IPTables for this reason:
I can add, remove or modify the firewall without ever having to restart nftables or iptables. This is the primary reason. From my perspective the general reason for the firewalld firewall is that it is easier for someone less knowledgeable about networking, TCP/IP and protocols perform basic firewall functions. But that is just my perspective after having learned Firewalld, IPTables and Windows Firewall with Advanced Security IPTables is my preferred tool for firewall security. Rocky Linux is my preferred Enterprise Server operating system and became so shortly after IBM purchased CentOS. Debian flavored operating systems were always the Desktop version of Linux and referred to as “The Hackers version of Linux” by my late mentor. Indeed it has taken off through Ubuntu which is based (or was) based out of the UK and to me truly does still live up to the title “Hackers version of Linux” as that is what Kali is built on if anyone has ever heard of that. It is a pretty slick tool though and I run it on occasion as a VPS on my local network with VirtualBox.
Blacklisting Countries
On Rocky/RedHat Linux
Blacklisting countries relatively easily using the bash script created below. It is however important to consider where blacklisting countries is in the iptables chain. At present this is only setup using bash for IPTables however a version for Windows Firewall with Advanced Security using Powershell is in the works. After that I will get one up for all you folks moving to Firewalld. This script is dependent on https://ipdeny.com which is a free service that runs out of Amsterdam Nethrelands. It is also dependent on IPTables as it builds rule sets in ipset for each country.
Firewall Builds
Firewall and Blacklist Builds for Rocky/RedHat Linux
These builds have been tested only on Rocky Linux 9.x using VirtualBox locally and Windows Hyper-V remotely. Some of these scripts have also been tested on CentOS 7.9. Also, these scripts are dependent on IPTables as the wrapper for nftables and IPSet.
Country Blacklist – Blacklist selected or all countries currently only available for Rocky/RedHat Linux
Email Blacklist – Spammers and Login fishing.
WordPress – Login failures and form spammers
Base LAMP Firewall – Script to build a base firewall and start at boot. This script is also useful for setting up IPTables.
About
This is a project that is a different approach to security. While rkhunter, clamav, fail2ban are all very useful tools in securing a server it is very interesting to identify where all the nefarious activity is coming from and how it paints a picture of nefarious network traffic. It has three MySQL tables built off of data provided from Microsoft Azure, Digital Ocean and the Country IP Blocks provided by ipdeny.com out of Amsterdam Netherlands. There is an additional table that is referenced that gets built dynamically collecting data from https://whois.arin.net on the fly.
Daily Blacklist came about from managing WordPress sites and becoming aware of two items. The first being that you cannot be sure an end user will use a good password. The second item being that should someone get enough tries on a weak password they will eventually get it. So having the skills to create and dynamic firewall that can update on the fly I decided to start building a firewall built on failed login attempts using the source CIDR of the IP address. As after looking at logs I noticed quite often multiple IP Addresses were being used to fish for the same password.
All of the scripts and current software on this site are developed to work on Rocky Linux 9.x. Although all the bash files and scripts on this site should work on any RedHat (being Rocky Linux is RedHat based) flavor operating system there is no guarantee and you may need to adjust the scripts to work on any other Linux based OS. The backend engine is done in Python to create the files for building the ipset tables. There is also a version of this specifically for email built on log SMTP, IMAP and POP3 log files.
This is going to be an ongoing project until my curiosity is satisfied and I feel it is a completed project. I will be adding more and more references as well as tutorials as needed. For the most part the firewalls will be open source free so use at your own peril.