DPsystems / Login-Shield

Your first line of defense against Internet bots, hacks and probes. Login-Shield is a small set of bash scripts that implements an iptables/ipset blocklist of known sources of hack activity. Works great as a complement, with or without fail2ban. Statistics have shown it blocks 90+% of most system probes and attacks on login ports.

Some help please configuring Login-Shield #8

Closed aakerbeere closed 2 years ago

aakerbeere commented 2 years ago

Sorry for appearing again here.

I have Login-Shield running on my Nextcloud instance and am actually not able to establish an SSH session from the Internet. I found Login-Shield preventing the session from being established (using a custom port, masked) :) On the LAN it's working as expected:

Jan 31 16:48:19 localhost kernel: [266656.307915] ShD-LgnIN=eth0 OUT= MAC=dc:a6:32:b3:34:e8:dc:ef:09:b2:be:23:08:00 SRC=194.230.147.14 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=45681 DF PROTO=TCP SPT=59274 DPT=<custom> WINDOW=64240 RES=0x00 SYN URGP=0

I'm always afraid of breaking something (locking myself out) when working on this.

Would it be sufficient to comment out the appropriate line on the blacklist?

Some guidance would be great.

Thanks a lot.

DPsystems commented 2 years ago

Yes, comment out the line. You can make your own copy of the blacklist that will be used instead of the default by commenting/removing any entries you don't want and renaming the file to a .me extension. When running the script it will use that over the default .lst version.

If you know the rule, you can also add a manual command to del that particular rule as well (a whitelist)

such as:

ipset del login-shield (IP/CIDR)

DPsystems commented 2 years ago

This brings up an interesting question: Is there any way to employ an ipset command that can identify which rule is blocking a particular ip/range and disable that rule?

If so, then another option could be to create a script that runs after the installation/setup of login-shield that whitelists a particular array of IP addresses.

aakerbeere commented 2 years ago

Yes, comment out the line....

As I understand it, I have to run set-iptables.sh after having prepared the "..... .me" file.

DPsystems commented 2 years ago

You don't need to re-run set-iptables.sh. That enables the blacklist in the kernel; it doesn't update/change the blacklist. The blacklist-xxxx.sh scripts are the ones you want to run. Here would be the process:

  1. First turn off the blacklist that's affecting the IP you want to remove by finding out which of the .lst files contains it.
  2. Run the corresponding blacklist command to delete those entries (i.e. "./blacklist-main-nonUS.sh del"). With the "del" parameter, it removes all those IPs from the blacklist.
  3. Then cp ipset-main-nonUS.lst ipset-main-nonUS.me to make a copy of the file
  4. vi ipset-main-nonUS.me and comment out the IP range you want to disable
  5. Run ./blacklist-main-nonUS.sh without any parameters to reinstate the list. This time, since it sees a .me version, it will default to that.

You don't want to create the .me file until you delete those blacklist entries; otherwise the del command will use the newer version, which has the IP commented out.

Hope that helps.
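As an added example for the procedure above (not part of Login-Shield, and written for this thread rather than taken from the project), the bash below does step 1 non-interactively (scan the .lst files for the entry that covers a given IP), writes the .me override with that entry commented out (steps 3 and 4), and prints the commands of the whole procedure as a dry run without touching ipset. It assumes the list files hold one IP or CIDR per line with `#` comments, that the set is named `login-shield` as in the `ipset del` command earlier in the thread, and that the script names follow the `blacklist-<name>.sh` / `ipset-<name>.lst` pattern shown above; the sample list contents are constructed.

```bash
#!/usr/bin/env bash
# Added example for this thread, not Login-Shield code.
# Assumptions: list files hold one IP or CIDR per line, '#' starts a comment,
# and the ipset is named "login-shield" (the name used in the thread).
set -eu

SET_NAME=login-shield   # assumption: set name taken from the "ipset del" command above

# Dotted-quad IPv4 -> 32-bit integer.
ip2int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeeds when IP $1 lies inside entry $2 (a bare IP or a CIDR block).
in_cidr() {
  local ip=$1 entry=$2 net bits mask
  net=${entry%%/*}
  bits=${entry#*/}
  [ "$bits" = "$entry" ] && bits=32     # bare IP: treat as /32
  mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip2int "$ip") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Strip the comment and whitespace from a list line; prints "" for blank/comment lines.
clean_entry() {
  local e=${1%%#*}
  printf '%s' "$e" | tr -d ' \t'
}

# Step 1: print "file:entry" for every list entry that covers the IP.
find_blocking_entries() {
  local ip=$1 f line entry
  shift
  for f in "$@"; do
    while IFS= read -r line || [ -n "$line" ]; do
      entry=$(clean_entry "$line")
      [ -z "$entry" ] && continue
      if in_cidr "$ip" "$entry"; then
        echo "$f:$entry"
      fi
    done < "$f"
  done
}

# Steps 3-4: write the .me override of a .lst file with one entry commented out.
# Prints the path of the .me file it wrote.
write_me_override() {
  local lst=$1 entry=$2 me=${1%.lst}.me line
  : > "$me"
  while IFS= read -r line || [ -n "$line" ]; do
    if [ "$(clean_entry "$line")" = "$entry" ]; then
      echo "# $line   # whitelisted via .me override" >> "$me"
    else
      echo "$line" >> "$me"
    fi
  done < "$lst"
  echo "$me"
}

# Dry run of the whole procedure: prints, in order, the commands an admin would run,
# without touching ipset. Script names follow the thread's blacklist-<name>.sh pattern.
whitelist_plan() {
  local ip=$1 hit f entry name
  shift
  find_blocking_entries "$ip" "$@" | while IFS= read -r hit; do
    f=${hit%%:*}; entry=${hit#*:}
    name=$(basename "$f" .lst); name=${name#ipset-}
    echo "./blacklist-$name.sh del            # flush that list from $SET_NAME"
    echo "cp $f ${f%.lst}.me                  # create the override only after the del"
    echo "# comment out $entry in ${f%.lst}.me"
    echo "./blacklist-$name.sh                # reload; the .me file now takes precedence"
  done
}

# Usage (assuming you are in the Login-Shield directory):
#   whitelist_plan 194.230.147.14 ipset-*.lst
#   write_me_override ipset-main-nonUS.lst 194.0.0.0/8
```

The file scan is needed because `ipset del` only removes an exact entry: deleting a single address from a set that holds a whole /8 fails, so you have to find and remove the covering block. `ipset test login-shield <ip>` confirms that an address is matched by the set but does not report which entry matched, which is what the scan above provides.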

aakerbeere commented 2 years ago

Great

Worked like a charm. I appreciate it. The SSH session through the Internet is now coming up as expected.

Thanks a lot.

You can close the thread.

cheers

aakerbeere commented 2 years ago

I'm however curious how 194.0.0.0/8 comes to be classified as a source of attacks (ipset-main-nonUS.lst). It's listed as French, but I would say it's Swiss. cheers