
How to use badIPs.com to protect the server and report malicious IP through Fail2ban

2025-01-17 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article explains how to use badIPs.com to protect a server and how to report malicious IP addresses through Fail2ban. It is detailed and should serve as a useful reference.

What is badIPs?

badIPs is a list of bad IP addresses reported through fail2ban.

This guide consists of two parts: the first part describes how to use the list, and the second part describes how to submit data.

Use badIPs list

Define security levels and categories

You can get a list of IP addresses using the REST API.

When you send a GET request to https://www.badips.com/get/categories, you can see all the categories available in the service.

The second step is to determine the level that suits you. The following guidance from badips should help (I personally use level 3):

If you want to compile a statistics module or use the data for experimental purposes, you should start with level 0.

If you want to protect your server or website with a firewall, use level 2. It may also be combined with your results, although they may not exceed 0 or 1.

If you want to protect an online store, or a high-traffic, profitable e-commerce server, I recommend you use a value of 3 or 4. Of course, it has to be combined with your results.

If you are paranoid, use 5.

Now that you have the two variables, you can build your URL by combining them.

http://www.badips.com/get/list/{{SERVICE}}/{{LEVEL}}

Note: as I do, you can fetch the list for all services. In that case, change the name of the service to any.

The final URL is:

https://www.badips.com/get/list/any/3

Create script

Once all is done, we will create a simple script.

1. Put your list in a temporary file.

2. Create a chain in iptables (you only need to create it once). (LCTT translation note: iptables may contain multiple tables, a table may contain multiple chains, and a chain may contain multiple rules.)

3. Flush all the data (old entries) linked to the chain.

4. Link each IP to this new chain.

5. After completion, block all INPUT / OUTPUT / FORWARD requests linked to the chain.

6. Delete our temporary files.

To do this, we create a script:

cd /home//
vi myBlacklist.sh

Enter the following into the file.

#!/bin/sh
# based on this version http://www.timokorthals.de/?p=334
# adapted by Stéphane T.

_ipt=/sbin/iptables    # iptables path (it should be this)
_input=badips.db       # the name of the database (to be downloaded with this name)
_pub_if=eth0           # device connected to the Internet (run ifconfig to find it)
_droplist=droplist     # the name of the chain in iptables (if you already have a chain with this name, change it)
_level=3               # Blog (LCTT note: Bad log) level: not so bad (0), confirmed bad (3), pretty bad (5) (get details from www.badips.com)
_service=any           # logged service (get details from www.badips.com)

# get the bad IPs
wget -qO- http://www.badips.com/get/list/${_service}/$_level > $_input || { echo "$0: Unable to download ip list."; exit 1; }

### set up our blacklist ###
# first clear the chain
$_ipt --flush $_droplist

# create a new chain
# uncomment the following line on the first run
# $_ipt -N $_droplist

# filter out comments and blank lines
# save each ip to $ip
for ip in `cat $_input`
do
    # add to $_droplist
    $_ipt -A $_droplist -i ${_pub_if} -s $ip -j LOG --log-prefix "Drop Bad IP List"
    $_ipt -A $_droplist -i ${_pub_if} -s $ip -j DROP
done

# finally, insert the jump to our blacklist
# (the -C check keeps nightly runs from stacking duplicate jump rules)
for chain in INPUT OUTPUT FORWARD
do
    $_ipt -C $chain -j $_droplist 2>/dev/null || $_ipt -I $chain -j $_droplist
done

# delete your temporary file
rm $_input
exit 0

After completing this, you should create a scheduled task to update our blacklist on a regular basis.

To do this, I use crontab to run the script at 11:30 every night (before my deferred backup).

crontab -e
30 23 * * * /home//myBlacklist.sh # Block BAD IPS

Don't forget to change the permissions of the script:

chmod +x myBlacklist.sh

Now that it's finally done, your server / computer should be more secure.

You can also run the script manually as follows:

cd /home//
./myBlacklist.sh

It may take some time, so don't interrupt the script during that time. In fact, the time consuming depends on the * line of the script.
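The script passes every line of the download to iptables as it arrives, one rule per call. As an added example (not part of the original article), the functions below check each line before it reaches the firewall, skip allowlisted addresses, and emit input for iptables-restore --noflush so the chain is reloaded in one commit; the jumps from INPUT / OUTPUT / FORWARD are still created as in the script. The function names, the allowlist file and the sample addresses are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not the article's script. Function names and the allowlist
# file are hypothetical; the addresses in sample_list are constructed.

# Succeed only for a plain dotted quad with every octet in 0-255. Rejects
# CIDR such as 0.0.0.0/0, HTML error pages and anything else in the download.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split on dots into $1..$n
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# stdin: downloaded list. $1 chain, $2 interface, $3 allowlist file (one
# address per line that must never be blocked). stdout: iptables-restore
# input; with --noflush the ":chain" line empties only that chain, and all
# rules are applied in a single COMMIT.
build_restore_input() {
    chain=$1 iface=$2 allow_file=$3
    echo '*filter'
    echo ":${chain} - [0:0]"
    while IFS= read -r line || [ -n "$line" ]; do
        ip=$(printf '%s' "${line%%#*}" | tr -d ' \t\r')
        valid_ipv4 "$ip" || continue
        grep -qxF -- "$ip" "$allow_file" && continue
        echo "-A ${chain} -i ${iface} -s ${ip} -j DROP"
    done
    echo 'COMMIT'
}

# Constructed sample: two good entries, a catch-all, an allowlisted host,
# an out-of-range octet and a stray HTML line.
sample_list() {
    printf '%s\n' 192.0.2.10 0.0.0.0/0 203.0.113.7 198.51.100.300 \
        '<html>' '198.51.100.4 '
}

# Dry run: "sh this_file demo" prints the rules without touching the firewall.
if [ "${1:-}" = demo ]; then
    allow=$(mktemp); echo 203.0.113.7 > "$allow"
    sample_list | build_restore_input droplist eth0 "$allow"
    rm -f "$allow"
fi
```

To load the result, pipe the output of build_restore_input into iptables-restore --noflush as root.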

Use Fail2ban to report the IP address to badIPs

In the second part of this guide, I will show you how to report bad IP addresses to the badips.com website by using Fail2ban.

Fail2ban >= 0.8.12

Reporting is done through Fail2ban. Depending on your version of Fail2ban, use the first or the second section of this chapter.

To check whether your fail2ban version is 0.8.12 or later:

fail2ban-server --version

In each category you want to report, add an action.

[ssh]
enabled = true
action = iptables-multiport
         badips[category=ssh]
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6

As you can see, the category here is ssh. Look up the correct category at https://www.badips.com/get/categories.

Fail2ban < 0.8.12

If the version is before 0.8.12, you need to create a new action. You can download it from https://www.badips.com/asset/fail2ban/badips.conf.

wget https://www.badips.com/asset/fail2ban/badips.conf -O /etc/fail2ban/action.d/badips.conf

With the badips.conf above, you can activate each category as before, or you can enable it globally:

cd /etc/fail2ban/
vi jail.conf

[DEFAULT]
...
banaction = iptables-multiport
            badips

Restart fail2ban now; it should start reporting from now on.

service fail2ban restart

Your IP report statistics

The last step is not strictly required: you can create a key. It is very helpful if you want to see your data.

Copy / paste the following command, and a JSON response will appear in your console.

wget https://www.badips.com/get/key -qO -

{"err":"","suc":"new key 5f72253b673eb49fc64dd34439531b5cca05327f has been set.","key":"5f72253b673eb49fc64dd34439531b5cca05327f"}

Go to the badips website, enter your "key" and click "statistics".
