IPtables and Blocklist.de

Progressing from my last post on making my Suricata logs ... less, by using eDROP and DSHIELD with IPTABLES. As an approach this ticks the boxes - the catch-all of the Spamhaus eDROP and the real-time nature of DSHIELD - great stuff.

Now, due to this and that - I get to read a bunch of automated responses from the lovely people at BLOCKLIST.DE. Mainly this involves me using a variety of tools, a crystal ball, and a dash of experience to track down who, or what, out of X hundred sites has slipped through the net(s) and is doing bad things to someone, elsewhere, resulting in me getting an email.

So I wondered to myself - how does this site / tool / resource work - and how can I get it to work for me?

Well - as it happens it is pretty straightforward...

Create myself a chain. If I am automating this - I don't want to come back to find 32,000 lines in the chain - so let's make properly sure that it's empty.

# Create the chain if it is missing, then empty it. Deleting with -X first fails as soon as
# the chain exists and is referenced from INPUT, so create-or-ignore plus flush is the safe order.
/sbin/iptables -N BLOCKLISTDE 2>/dev/null
/sbin/iptables --flush BLOCKLISTDE
# Nothing ever reaches the chain until INPUT jumps to it, so add that jump exactly once.
/sbin/iptables -C INPUT -j BLOCKLISTDE 2>/dev/null || /sbin/iptables -I INPUT -j BLOCKLISTDE

Next up - these beautiful people want to share the love - which is fabulous - so they provide a page where I can grab the IPs flagged as naughty over a given period. Here we have grabbed the list for the last 2 hours and written it to a file in /tmp.

# Quote the URL so the shell does not treat the "?" as a glob pattern.
/usr/bin/wget "http://api.blocklist.de/getlast.php?time=120" -O /tmp/blocklist.de

The file is neatly in line-by-line IP address format - which is kinda neat. Thank you again. So let's just run through that - populating the chain, and then returning at the bottom.

# One DROP per listed address, then RETURN so anything not on the list carries on down INPUT.
for foo in $(cat /tmp/blocklist.de); do
   /sbin/iptables -t filter -A BLOCKLISTDE --src "$foo" -j DROP
done
/sbin/iptables -A BLOCKLISTDE -j RETURN

Aaaaaaand relax. We are done here. Cron it to run periodically (not so often that I get a bad name for myself) - and we have a winner. "YOUR name is on the list, you are not coming in".
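Putting the pieces above together as one cron-able script, added here as an example and not the post's own code: every feed line is checked to be a plain IPv4 address before it gets anywhere near iptables, and the chain is rebuilt in a single iptables-restore transaction so there is no window where it is half-built. The feed path, chain name and the constructed sample feed are assumptions.

```shell
#!/bin/sh
# Added example, not the post's own script (FEED, CHAIN and the sample feed are assumptions).
# Fetch the feed first, e.g.: wget -q "http://api.blocklist.de/getlast.php?time=120" -O /tmp/blocklist.de
FEED="${FEED:-/tmp/blocklist.de}"
CHAIN="BLOCKLISTDE"

# Accept only a dotted quad with every octet in 0..255. Blank lines, hostnames and
# anything else a third-party feed might contain never reach the iptables command line.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _oldifs=$IFS; IFS=.
    set -- $1
    IFS=$_oldifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# Turn a feed file into an iptables-restore fragment that rebuilds CHAIN in one go:
# the ":CHAIN" line flushes it (under --noflush), then one DROP per address, then RETURN.
build_rules() {
    printf '*filter\n:%s - [0:0]\n' "$CHAIN"
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | tr -d '\r ')
        is_ipv4 "$line" && printf '%s %s -s %s -j DROP\n' "-A" "$CHAIN" "$line"
    done < "$1"
    printf '%s %s -j RETURN\nCOMMIT\n' "-A" "$CHAIN"
}

# How many addresses a feed would actually block (useful to log from cron).
count_drops() { build_rules "$1" | grep -c -- '-j DROP'; }
# Constructed sample feed: two valid addresses, an out-of-range octet, a hostname, a blank line.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
printf '203.0.113.7\n198.51.100.250\n256.1.1.1\nevil.example\n\n' > "$SAMPLE"

if [ "${1:-}" = "apply" ] && [ "$(id -u)" -eq 0 ]; then
    # Hook the chain into INPUT once (the rules do nothing until something jumps to the chain),
    # then load the rebuilt chain without touching the rest of the ruleset.
    /sbin/iptables -C INPUT -j "$CHAIN" 2>/dev/null || /sbin/iptables -I INPUT -j "$CHAIN"
    build_rules "$FEED" | /sbin/iptables-restore --noflush
else
    printf 'sample feed would produce %s DROP rules\n' "$(count_drops "$SAMPLE")"
fi
```

Run it with `apply` as root from cron to load the live feed; without the argument it only reports what the constructed sample would produce.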

I feel the need to state that, regretfully, this is little or no defence against the kinds of people that have me reading those abuse posts. It's pretty hostile out there - keep patched as best you can, and be mindful of what you expose, to whom, and from where.

As an aside - Blocklist.de uses output from collective intelligence - in this case fail2ban installations reporting back the IP addresses that they are blocking.

I have cause to use fail2ban - and again - while not a panacea - it is another layer in making your day a nicer place to be.
