DPsystems / Login-Shield

Your first line of defense against Internet bots, hacks and probes. Login-Shield is a small set of bash scripts that implements an iptables/ipset blocklist of known sources of hack activity. Works great as a complement with/without fail2ban. Statistics have shown it blocks 90+% of most system probes and attacks on login ports.

compatibility with nftables? #3

Open phonon112358 opened 4 years ago

phonon112358 commented 4 years ago

I would love to test login-shield on my server... it's a really great idea!

I run Debian 10 with fail2ban. However, I use nftables instead of iptables... In principle, it would be no problem to convert each rule of login-shield to nftables' syntax. However, I wonder what will happen if login-shield is updated...? Would I have to convert the new rules again? Perhaps it would be great if login-shield would work with both iptables and nftables... what do you think?

DPsystems commented 4 years ago

This sounds like a great idea! It shouldn't be too difficult to make this work with nftables as well as iptables. I'm not familiar with that so I'll need your input to modify the existing set-iptables.sh[-config] script for nftables.

I think there are two things we need to do for this.

First, give me a version of the file: set-iptables.sh-config (it's initially set as -config so the user will rename and it won't be overwritten if it has any user-specific mods) - rename yours as: set-nftables.sh-config and once we verify it works, I'll include it in the distribution.

Second, we need to see how nftables logs blocked IP traffic. If the log data is formatted differently, we might need to modify the ./count_logins.sh and ./attack_stats.sh scripts.

Here is the log format iptables uses for the LOG command

Jan 2 18:34:10 sd2 kernel: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx SRC=185.211.245.170 DST=x.x.x.x LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=33468 DF PROTO=TCP SPT=17292 DPT=587 WINDOW=7300 RES=0x00 SYN URGP=0

If it logs blocked packets the same way, no modifications would be needed, otherwise I probably need a sample log file with examples to update my statistical script (just to make everything 100% compatible).

Minimally, probably all you need to do is modify that one shell script to make it work on your system assuming all the ipset commands are the same.

any other questions, let me know.
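
As an added example (not part of this thread or of the Login-Shield scripts), the following POSIX shell snippet shows how lines in the format quoted above can be picked out and tallied by source address and destination port, which is what count_logins.sh and attack_stats.sh need to do. The sample log lines are constructed for this example. Two practical details it handles: iptables writes --log-prefix literally, so the project's prefix ShD-Lgn without a trailing space runs straight into the IN= field, and an nftables `log prefix` statement (default kernel-log backend) emits the very same IN=/OUT=/MAC=/SRC=/DST=/.../DPT= fields, so the same parser serves both firewalls as long as the prefix is used to select the lines.

```shell
#!/bin/sh
# Constructed sample lines (not from a real server), laid out like the
# iptables LOG output quoted in the issue. Line 1 uses the prefix with a
# trailing space, line 2 the literal no-space form iptables produces for
# --log-prefix ShD-Lgn, line 4 is another firewall's logger, line 5 is sshd.
SAMPLE_LOG='Jan  2 18:34:10 sd2 kernel: ShD-Lgn IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=33468 DF PROTO=TCP SPT=17292 DPT=587 WINDOW=7300 RES=0x00 SYN URGP=0
Jan  2 18:34:11 sd2 kernel: ShD-LgnIN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=33469 DF PROTO=TCP SPT=17293 DPT=22 WINDOW=7300 RES=0x00 SYN URGP=0
Jan  2 18:35:02 sd2 kernel: ShD-Lgn IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.44 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=1021 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  2 18:35:09 sd2 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.99 DST=203.0.113.10 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54321 PROTO=TCP SPT=55555 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Jan  2 18:36:00 sd2 sshd[1234]: Failed password for root from 192.0.2.44 port 51234 ssh2'

# Print "SRC DPT" for each kernel log line carrying the given prefix.
# Only prefixed lines count, so ufw, fail2ban or an unprefixed nft "log"
# rule cannot inflate the statistics. Both "PREFIX IN=" and the literal
# "PREFIXIN=" spelling are accepted. Matching on substrings (not field
# positions) also survives an optional "[ 1234.567]" kernel timestamp.
shield_hits() {            # usage: shield_hits PREFIX < logfile
    awk -v pfx="$1" '
        index($0, "kernel:") && (index($0, pfx " IN=") || index($0, pfx "IN=")) {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "" && dpt != "") print src, dpt
        }'
}

# Blocked attempts per source address, busiest first.
count_by_source() {        # usage: count_by_source PREFIX < logfile
    shield_hits "$1" | awk '{ n[$1]++ } END { for (s in n) print n[s], s }' | sort -rn
}

# Blocked attempts per destination port, busiest first.
count_by_port() {          # usage: count_by_port PREFIX < logfile
    shield_hits "$1" | awk '{ n[$2]++ } END { for (p in n) print n[p], p }' | sort -rn
}

# Stand-alone run over the constructed sample; on a server you would use
# e.g.  count_by_source ShD-Lgn < /var/log/kern.log
printf '%s\n' "$SAMPLE_LOG" | count_by_source ShD-Lgn
printf '%s\n' "$SAMPLE_LOG" | count_by_port ShD-Lgn
```

On the sample above the sshd line and the [UFW BLOCK] line are ignored for the ShD-Lgn prefix, and 198.51.100.7 is reported twice (ports 587 and 22) against once for 192.0.2.44.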

DPsystems commented 4 years ago

btw, the way login-shield works with rules is, those are all ipset-based so there's no changing of the iptables/nftables commands - those are typically run only initially (or after reboot). To update the tables just re-run the blacklist-xxxx.sh scripts and any dupe rules will be ignored.

Right now it could be improved in this respect - I plan to re-write everything in Python later but first I want to make sure the blacklists are really solid. So far they're working very well on six of my servers.

hobbes1069 commented 3 years ago

I'm also interested in nftables support as all current releases of Fedora and CentOS 8/Stream use nftables.

DPsystems commented 3 years ago

I don't have any experience with nftables at this point. If anybody wants to re-write the iptables command to use nftables, I'll incorporate it into another update. I assume the syntax is relatively similar?

SomePersonSomeWhereInTheWorld commented 3 years ago

I see a tutorial as well as the official guide which includes how to use the new iptables-translate command.

SomePersonSomeWhereInTheWorld commented 3 years ago

Did you see the feedback on the Fail2ban mailing list?

DPsystems commented 3 years ago

Sorry I haven't seen that. But one issue is I don't have a CentOS machine with nftables on it right now to do the test/translate.

However, anybody who does can copy the IPTABLES commands from the set-iptables.sh[-config] script.

When the script is run, it echoes the iptables commands that are used. These can be run through the translator. If I can see an example of how the command is translated, I can create a separate set-nftables.sh-config file for those running nftables.

DPsystems commented 3 years ago

For example, here are the two commands that a person might run.. how would they be translated using nftables?

iptables -I INPUT -p tcp --match multiport --dports 20,21,22,110,143,587,989,990,993,994,995,4190 -m set --match-set login-shield src -j DROP
iptables -I INPUT -p tcp --match multiport --dports 20,21,22,110,143,587,989,990,993,994,995,4190 -m set --match-set login-shield src -j LOG --log-prefix ShD-Lgn

DPsystems commented 3 years ago

Note that I don't have access to a machine that uses an alternate to iptables. I'm sure it's just a minor change but at this point, I'm hoping someone else who knows the alternate command syntax can provide the commands using nftables to accomplish the same thing, then I will add this to the project.

JEAholding commented 2 years ago

Thank you for the shell codes 🙏🙏 very nice

I have set up some nftables in the past... If I am correct, nftables tends to be managed via a config file BUT there are shortcuts to add to it... I usually set up the config file and am done with it....

https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes

nft list table <family>
nft (add | delete | flush) table [<family>] <name>
nft insert rule [<family>] <table> <chain> [position <position>] <matches> <statements>

Above example: iptables -I INPUT -p tcp --match multiport --dports 20,21,22,110,143,587,989,990,993,994,995,4190 -m set --match-set login-shield src -j DROP

nft add rule inet filter input tcp dport vmap '{ 20 : drop, 21 : drop, 22 : drop, 110 : drop, 143 : drop, 587 : drop, 989 : drop, 990 : drop, 993 : drop, 994 : drop, 995 : drop, 4190 : drop }'
or
nft add rule inet filter input tcp dport '{ 20, 21, 22, 110, 143, 587, 989, 990, 993, 994, 995, 4190 }' drop

The above works if you already have a chain named input in a filter table in your config (with policy drop); if not, you are going to have to USE the bigger sample code to create the chain and/or table...

==============================

nft (add | create) chain [<family>] <table> <name> [ { type <type> hook <hook> [device <device>] priority <priority> \; [policy <policy> \;] } ]

nft add chain inet filter input '{ type filter hook input priority 0; policy drop; }'
and AFTER
nft add rule inet filter input tcp dport '{ 20, 21, 22, 110, 143, 587, 989, 990, 993, 994, 995, 4190 }' drop

================================

BELOW is a sample config for reference. I use PF but have some cookbook recipes for iptables, ipset and nftables configs.

/etc/nftables.conf:

```nft
#!/usr/sbin/nft -f

flush ruleset

# inet applies to both IPv4 and IPv6.
table inet filter {
    chain input {
        type filter hook input priority 0;

        # accept any localhost traffic
        iif lo accept

        # no ping floods:
        ip protocol icmp icmp type echo-request limit rate over 10/second burst 4 packets drop
        ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate over 10/second burst 4 packets drop

        # accept traffic originated from us
        ct state established,related accept

        # accept ICMP & IGMP
        ip6 nexthdr icmpv6 icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept
        ip protocol icmp icmp type { echo-request, destination-unreachable, router-solicitation, router-advertisement, time-exceeded, parameter-problem } accept
        ip protocol igmp accept

        # ssh
        # tcp dport 22 accept
        tcp dport 4762 accept

        # http, https
        tcp dport 80 accept
        tcp dport 443 accept

        # smtp, submission, smtps
        tcp dport 25 accept
        tcp dport 587 accept
        tcp dport 465 accept

        # pop3, pop3s
        tcp dport 110 accept
        tcp dport 995 accept

        # imap, imaps
        tcp dport 143 accept
        tcp dport 993 accept

        # count and drop any other traffic
        counter drop
    }

    chain output {
        type filter hook output priority 0;
        policy accept;
    }

    chain forward {
        type filter hook forward priority 0;
        policy drop;
    }
}
```
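
As an added example (not the project's set-iptables.sh and not code from anyone in this thread), here is a direct nftables counterpart of the two iptables commands asked about above, written as a shell script in the same spirit as set-iptables.sh: it renders the ruleset as text so it can be reviewed before being loaded, and it turns a blacklist file into one batched `add element` command, which is the nft analogue of the ipset updates the blacklist-xxxx.sh scripts perform. The table, set and chain names (login-shield, login-shield, input) and the -10 chain priority are this example's choices; the port list and ShD-Lgn prefix come from the iptables rules quoted above. A trailing space is added to the prefix so the logged line reads "ShD-Lgn IN=..." rather than "ShD-LgnIN=...".

```shell
#!/bin/sh
# Example nftables counterpart of the project's set-iptables.sh rules.
# Names (table/set "login-shield", chain "input") are this example's own.
PORTS='20, 21, 22, 110, 143, 587, 989, 990, 993, 994, 995, 4190'
LOG_PREFIX='ShD-Lgn'

# Render the ruleset as text. Review it, then load it with "nft -f -".
render_ruleset() {
    cat <<EOF
table inet login-shield {
    # Stand-in for the ipset: IPv4 hosts and CIDR blocks. "flags interval"
    # allows prefixes; auto-merge lets overlapping entries coexist.
    set login-shield {
        type ipv4_addr
        flags interval
        auto-merge
    }
    # Own base chain at priority -10, so it runs before a distro or fail2ban
    # chain at priority 0 (the nft equivalent of "iptables -I INPUT"); a drop
    # here is final. One rule replaces the LOG + DROP pair: log, then drop.
    chain input {
        type filter hook input priority -10; policy accept;
        ip saddr @login-shield tcp dport { $PORTS } log prefix "$LOG_PREFIX " counter drop
    }
}
EOF
}

# (Re)load only this table. Deleting first makes the load idempotent and
# leaves other tables alone, but it also empties the set: re-run the
# blacklist scripts after a reload, exactly as with ipset after a reboot.
apply_ruleset() {
    nft delete table inet login-shield 2>/dev/null || true
    render_ruleset | nft -f -
}

# Turn a blacklist file (one IP or CIDR per line, "#" comments allowed) into
# a single batched "add element" command for "nft -f -". Caveat: ipset
# silently ignored duplicates; older nft versions reject an element that is
# already in the set, so check the exit status when re-running an update.
render_block_elements() {   # usage: render_block_elements < blacklist.txt
    awk '/^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
         { printf "%s%s", sep, $1; sep = ", " }
         END { if (sep != "") printf "\n" }' |
    sed 's/^/add element inet login-shield login-shield { /; s/$/ }/'
}

# Stand-alone: show what would be loaded; nothing is applied here.
render_ruleset
printf '%s\n' '# constructed sample blacklist' '198.51.100.7' '192.0.2.0/24' | render_block_elements
```

To load it on a real host: `render_ruleset | sudo nft -f -` (or `apply_ruleset` as root), then `render_block_elements < blacklist.txt | sudo nft -f -` for each blacklist file, and `nft list set inet login-shield login-shield` to confirm the entries. Because the log statement uses the same kernel log format as the iptables LOG target, count_logins.sh and attack_stats.sh see lines of the same shape, just with the "ShD-Lgn " prefix in front of IN=.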