Manual Blacklist Creation
1. Open "/etc/shorewall/blacklist" and scroll down. It should look something like this:
#ADDRESS/SUBNET PROTOCOL PORT
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
2. Enter the addresses you want blocked. (The Spamhaus and URLBlacklist sites in Resources list some current threats.) An address can be a host, network or IP address (a single address or a range), a MAC address (prefixed with "~") or an ipset (prefixed with "+"). Add any protocol and port restrictions you need. (Note that a port can only be given when the protocol is "tcp" or "udp".)
For example, to block all incoming TCP traffic on ports 1 to 31, the entry would look like this:
#ADDRESS/SUBNET PROTOCOL PORT
- tcp 1:31
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
A MAC address entry that blocks all traffic from that hardware address looks like this:
#ADDRESS/SUBNET PROTOCOL PORT
~00-9A-8C-FF-03-AA - -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
3. Write and close the file. (You'll need to restart Shorewall unless you have dynamic blacklisting enabled.)
Automatic Blacklist Creation
1. Open a new file, such as "/etc/scripts/blacklistupdate.sh".
2. Put a shell script like the following one, taken from Mudy's Blog, into the file:
#!/bin/sh
# Build a fresh blacklist in /tmp from the DShield and Spamhaus DROP feeds,
# then swap it into place and tell Shorewall to reload it.
echo "#ADDRESS/SUBNET PROTOCOL PORT" > /tmp/blacklist
# DShield block list: keep lines that start with a /24 network (x.x.x.0 followed by a tab) and append the /24 mask.
wget -q -O - http://feeds.dshield.org/block.txt | awk --posix '/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.0\t/ { print $1 "/24";}' >> /tmp/blacklist
# Spamhaus DROP list: keep lines that start with a CIDR block and print that block.
wget -q -O - http://www.spamhaus.org/drop/drop.lasso | awk --posix '/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\// { print $1;}' >> /tmp/blacklist
echo "#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE" >> /tmp/blacklist
mv /tmp/blacklist /etc/shorewall/blacklist
# "&>" is a bash extension; under /bin/sh the POSIX form below silences both stdout and stderr.
shorewall refresh >/dev/null 2>&1
Note that this script creates a fresh blacklist instead of adding to the existing one.
3. Write and close the new script.
4. Add the script to your cron jobs in "/etc/crontab". To run it at 3 a.m. every Sunday, the entry should look like "00 3 * * sun root /etc/scripts/blacklistupdate.sh" (the "root" field is the user the job runs as, which /etc/crontab requires).
Since the script already runs "shorewall refresh", there is no need to add a separate job to restart Shorewall.
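The update script replaces the live blacklist unconditionally, so a feed outage leaves you with a blacklist that contains nothing but the header and marker lines, and a feed format change can produce lines Shorewall will reject. The check below is an added example, not code from Mudy's Blog or the Shorewall project; it assumes the entry syntax described in step 2 of the manual procedure (IPv4 address, CIDR block or range, "~" MAC address, "+" ipset, or "-") and that a port is only valid with tcp or udp.

```shell
#!/bin/sh
# Validate a freshly generated Shorewall blacklist before it replaces the live one.
# Returns 0 if the file is acceptable, 1 otherwise, so the cron script can keep the
# previous blacklist whenever a feed is down or has changed its format.
check_blacklist() {
    file="$1"
    ip='([0-9]{1,3}\.){3}[0-9]{1,3}'
    # ADDRESS column: "-", IPv4, IPv4/prefix, IPv4 range, ~MAC or +ipset (assumed syntax, see lead-in)
    addr_re="^(-|$ip(/[0-9]{1,2})?|$ip-$ip|~([0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}|\+[A-Za-z0-9_]+)\$"
    proto_re='^(-|tcp|udp|icmp|[0-9]+)$'
    port_re='^(-|[0-9]+(:[0-9]+)?)$'
    # The marker must be the last line; Shorewall expects entries above it.
    tail -n 1 "$file" | grep -q '^#LAST LINE' || { echo "$file: LAST LINE marker missing" >&2; return 1; }
    entries=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac   # skip blank and comment lines
        set -- $line                                  # split into ADDRESS PROTOCOL PORT
        addr="$1"; proto="${2:--}"; port="${3:--}"
        printf '%s\n' "$addr"  | grep -Eq "$addr_re"  || { echo "bad address: $line" >&2; return 1; }
        printf '%s\n' "$proto" | grep -Eq "$proto_re" || { echo "bad protocol: $line" >&2; return 1; }
        printf '%s\n' "$port"  | grep -Eq "$port_re"  || { echo "bad port: $line" >&2; return 1; }
        # A port is only meaningful for tcp and udp.
        if [ "$port" != "-" ] && [ "$proto" != tcp ] && [ "$proto" != udp ]; then
            echo "port given without tcp/udp: $line" >&2; return 1
        fi
        entries=$((entries + 1))
    done < "$file"
    # Header and marker only: the downloads almost certainly failed, so do not install it.
    [ "$entries" -gt 0 ] || { echo "$file: no entries (feed download failed?)" >&2; return 1; }
    return 0
}
# Usage in the update script, once both feeds have been appended to /tmp/blacklist:
#   check_blacklist /tmp/blacklist && mv /tmp/blacklist /etc/shorewall/blacklist && shorewall refresh
```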