mrash / psad

psad: Intrusion Detection and Log Analysis with iptables
http://www.cipherdyne.org/psad/
GNU General Public License v2.0

Add ipset support #9

Open mrash opened 11 years ago

mrash commented 11 years ago

All auto-blocking operations in psad should support ipset on Linux systems.

doctaweeks commented 7 years ago

I've found on embedded platforms that a long chain in iptables can become a severe bottleneck (ksoftirqd will peg CPU). Using a hash ipset instead eliminates this bottleneck.

nyov commented 6 years ago

I suppose this does not exist yet?

MPC-GH commented 3 years ago

You can achieve this with a bit of a rough hack, by using the EXTERNAL_BLOCK_SCRIPT in psad.conf:

EXTERNAL_BLOCK_SCRIPT /path/to/script/block_ip SRCIP;

And the block_ip script:

#!/bin/bash
#
# Called by PSAD when blocking an address
#
# Use to put a filter in place into an ipset

IP="$1"

# IPv6 addresses contain a colon; send them to the v6 set, everything else to v4
if [[ "$IP" == *:* ]]
then
    /usr/sbin/ipset -A PSAD_AUTO_BL6 "$IP"
else
    /usr/sbin/ipset -A PSAD_AUTO_BL4 "$IP"
fi

And by creating the ipset rule in the usual way:

# ipset create PSAD_AUTO_BL4 hash:ip
# ipset create PSAD_AUTO_BL6 hash:ip family inet6

And inserting them into iptables/ip6tables:

iptables -A INPUT -m set --match-set PSAD_AUTO_BL4 src -j DROP
ip6tables -A INPUT -m set --match-set PSAD_AUTO_BL6 src -j DROP

Final note - PSAD doesn't call the ipt_block script for IP6 addresses yet, but if and when, the steps above should give some basic support.

Note that I also disabled PSAD inserting its normal chains with the following in psad.conf to avoid double-filtering by the ipset and the normal individual block rules.

IPTABLES_PREREQ_CHECK N;

Cheers,

Mark

gnif commented 1 year ago

It should be noted that an issue with this solution is that it won't remove IPs that should be auto-unblocked after the timeout expires.

MPC-GH commented 1 year ago

Hi Gnif,

Yes - that's correct. It was just a quick hack to migrate block rules into ipsets. There didn't appear to be an existing script hook for unblocking so I didn't do anything relating to that.

It was enough for my use case back in 2021, which was to mitigate CPU load on an ARM-based SBC that was starting to struggle with individual rules. I'd certainly recommend anyone using my script consider using a periodic clear-down of the accumulated ipset rules and some whitelisting of any critical address ranges.

Cheers,

Mark
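The following is an added example, not psad's own code and not Mark's script: a variant of the EXTERNAL_BLOCK_SCRIPT hook that covers both the missing unblock raised by gnif and the clear-down and whitelisting recommended in the last comment. It creates the two sets with a default ipset `timeout`, so entries expire on their own without any unblock hook, and refuses whitelisted or malformed addresses before anything reaches the ipset command line. The set names PSAD_AUTO_BL4/PSAD_AUTO_BL6 follow the post; BLOCK_TIMEOUT, the WHITELIST entries and the IPSET_CMD override are assumptions made for this example.

```shell
#!/bin/bash
# Added example (not part of psad): block hook that adds the address to a
# per-family ipset created with a default timeout, so ipset expires entries
# itself. BLOCK_TIMEOUT, WHITELIST and IPSET_CMD are illustrative assumptions.

IPSET_CMD="${IPSET_CMD:-/usr/sbin/ipset}"   # set to "echo" for a dry run
BLOCK_TIMEOUT="${BLOCK_TIMEOUT:-3600}"       # seconds an entry stays blocked
# Constructed whitelist: IPv4 loopback, IPv6 loopback and a documentation range.
WHITELIST="${WHITELIST:-127.0.0.0/8 ::1 192.0.2.0/24}"

# Accept only characters that occur in a plain IPv4/IPv6 address. The hook runs
# as root, so nothing unvalidated should be passed on; ipset does the final parse.
valid_ip() {
    case "$1" in
        ""|*[!0-9a-fA-F:.]*) return 1 ;;
    esac
    return 0
}

# IPv6 addresses contain a colon; choose the matching set.
set_for_ip() {
    case "$1" in
        *:*) echo PSAD_AUTO_BL6 ;;
        *)   echo PSAD_AUTO_BL4 ;;
    esac
}

# Dotted-quad to integer, used for prefix matching.
ip4_to_int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr4 IP NET[/PREFIX]: true when IP lies inside the IPv4 prefix.
in_cidr4() {
    local ip="$1" net="${2%/*}" bits=32 mask
    case "$2" in */*) bits="${2#*/}" ;; esac
    if [ "$bits" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    fi
    [ $(( $(ip4_to_int "$ip") & mask )) -eq $(( $(ip4_to_int "$net") & mask )) ]
}

# IPv4 whitelist entries match as prefixes; anything involving IPv6 matches exactly.
is_whitelisted() {
    local ip="$1" w
    for w in $WHITELIST; do
        case "$ip$w" in
            *:*) [ "$ip" = "$w" ] && return 0 ;;
            *)   in_cidr4 "$ip" "$w" && return 0 ;;
        esac
    done
    return 1
}

# Create both sets with a default timeout; -exist makes this safe to repeat.
ensure_sets() {
    "$IPSET_CMD" create PSAD_AUTO_BL4 hash:ip family inet  timeout "$BLOCK_TIMEOUT" -exist
    "$IPSET_CMD" create PSAD_AUTO_BL6 hash:ip family inet6 timeout "$BLOCK_TIMEOUT" -exist
}

# Add one address; re-adding with -exist refreshes its timer instead of failing.
# Returns 2 for malformed input, 1 for a whitelisted address, else ipset's status.
block_ip() {
    local ip="$1"
    valid_ip "$ip" || { echo "refusing malformed address: $ip" >&2; return 2; }
    is_whitelisted "$ip" && { echo "not blocking whitelisted address: $ip" >&2; return 1; }
    "$IPSET_CMD" add "$(set_for_ip "$ip")" "$ip" timeout "$BLOCK_TIMEOUT" -exist
}

# psad invokes the hook with the offending address as the only argument (SRCIP).
if [ -n "${1-}" ]; then
    ensure_sets
    block_ip "$1"
fi
```

Point EXTERNAL_BLOCK_SCRIPT at this file exactly as in the post, and keep the two `-m set` DROP rules from the post; `ipset list PSAD_AUTO_BL4` then shows each entry with its remaining timeout, which replaces the periodic clear-down. Running with `IPSET_CMD=echo ./block_ip 203.0.113.9` prints the ipset command instead of executing it, which is a cheap way to check the whitelist before deploying.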