Quickly Block Traffic with ipset and iptables
To piggy-back off of the third preventive control in increasing security against bad bots and spam, you can quickly block traffic with an iptables entry that uses ipset.
If you're not already using ipset, first check whether you have it installed:
ipset list
If it is installed you won't see the "can't find that package" error. If you need to install it, run:
sudo apt-get install ipset
With ipset installed, let's create a new set that we'll fill up with spammy/bad IPs:
ipset create blacklist hash:ip
Nothing special will happen, but we now have a new blacklist set to use (ipset list will show it). Next, we'll tell iptables to read from our blacklist whenever traffic comes a-knockin':
iptables -I INPUT -m set --match-set blacklist src -p TCP --destination-port 80 -j DROP
What we're doing here is creating a new iptables entry that says "if you get any web traffic (port 80) from IP addresses in my blacklist, then DROP it." You might wonder why I'm using DROP here instead of REJECT. Think of spammy traffic like an unsolicited sales call. Would it be better to answer the call and say "I'm not interested", or would it be better to just disconnect the phone line? Okay, okay, obviously it's impractical to just unplug our phones (if you still use a landline, that is), but you get the idea. DROPping the traffic doesn't really tell the requester whether or not something exists here, whereas if we have systematically REJECTed all of their attempts at the server, that might encourage them to strengthen their attacks against us.
Next comes the fun part: you need to get a list of bad IPs that you want to block. You can follow my tutorial here for a non-technical way of collecting the IP addresses of all your visitors in WordPress, or this tutorial here for a way to grep through log files, or come up with your own way to parse your log files and get a list of IP addresses that you definitely, 100% want to block. With your list, you'll want to create a new bash file in some working directory on your server where you do all your madness:
nano whatsinthebagsharkorsomething.sh
Now with that open, push your window to the side and open up Sublime or Notepad or whatever text editor you use, and add ipset add blacklist to the beginning of each IP address in the list of IPs you want to block. For example, the result of this tutorial on how to parse log files for IPs is a list of IP addresses, one per line:
12.345.67.890
23.456.78.901
34.567.89.012
… (and so on)
However you do it, add the ipset add command to the beginning of each IP address in your file, then copy and paste that file into your console with nano open to our new file. Basically, you want whatsinthebagsharkorsomething.sh to look like this before you press Ctrl+X then Y:
ipset add blacklist 12.345.67.890
ipset add blacklist 23.456.78.901
ipset add blacklist 34.567.89.012
… (and so on)
From here, run chmod +x whatsinthebagsharkorsomething.sh and then run the file with ./whatsinthebagsharkorsomething.sh. Your shell will hang for just a bit, then you'll be presented with your prompt again. To verify that the addresses are now being blocked, simply list the contents of the set with the following command:
ipset list
You should see a list of all the IP addresses you just added.
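The steps above (create the set, add the DROP rule, prefix every address with ipset add blacklist, run the resulting file) as one re-runnable script. This is an added example, not the post's own script: the set name blacklist and port 80 are taken from the post; the sample addresses are constructed from the RFC 5737 documentation ranges, and bad_ips.txt is a placeholder file name. It also validates each line before emitting a command, because a hash:ip set only accepts dotted-quad IPv4 addresses with octets 0-255, so placeholder-looking entries such as 12.345.67.890 are skipped rather than aborting the load partway through.

```shell
#!/bin/sh
# Added example, not code from the original post. It does the manual steps
# from the post (prefix each IP with "ipset add blacklist", create the set,
# add the DROP rule) as one re-runnable script. The set name "blacklist" and
# port 80 come from the post; the file name and sample addresses are constructed.

# Accept only a dotted quad with four numeric octets in 0..255. ipset's
# hash:ip type rejects anything else, and one bad line would otherwise stop
# a "set -e" loader script partway through the list.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Read a one-address-per-line file and print the loader script: one
# "ipset -exist add <set> <ip>" line per valid, de-duplicated address.
# -exist makes re-running harmless (no "element already added" error).
build_blacklist_script() {   # $1 = IP list file, $2 = set name
    sort -u "$1" | while IFS= read -r ip; do
        ip=$(printf '%s' "$ip" | tr -d ' \t\r')
        [ -z "$ip" ] && continue
        if valid_ipv4 "$ip"; then
            printf 'ipset -exist add %s %s\n' "$2" "$ip"
        else
            printf '# skipped, not a usable IPv4 address: %s\n' "$ip"
        fi
    done
}

# Count how many addresses the generated script would load (used for checks).
count_blacklist_entries() {  # $1 = IP list file
    build_blacklist_script "$1" blacklist | grep -c '^ipset '
}

# Create the set and the DROP rule only when they are missing; running
# "iptables -I" twice would otherwise insert a second identical rule. Needs root.
ensure_blacklist_rule() {    # $1 = set name, $2 = TCP port
    ipset list "$1" >/dev/null 2>&1 || ipset create "$1" hash:ip
    iptables -C INPUT -m set --match-set "$1" src -p tcp --dport "$2" -j DROP 2>/dev/null ||
        iptables -I INPUT -m set --match-set "$1" src -p tcp --dport "$2" -j DROP
}

# Constructed sample list: RFC 5737 documentation addresses plus a duplicate,
# a blank line and two unusable entries, standing in for a parsed log file.
make_sample_list() {         # writes the sample to a temp file and prints its path
    f=$(mktemp)
    printf '%s\n' 198.51.100.7 203.0.113.9 198.51.100.7 '' not-an-ip 192.0.2.300 > "$f"
    echo "$f"
}

# Print the loader script for the sample. To apply a real list as root:
#   ensure_blacklist_rule blacklist 80 && build_blacklist_script bad_ips.txt blacklist | sh
SAMPLE_LIST=$(make_sample_list)
build_blacklist_script "$SAMPLE_LIST" blacklist
rm -f "$SAMPLE_LIST"
```

Both ipset and iptables need root, so run the generated script with sudo. Afterwards, ipset test blacklist <ip> confirms whether a single address is in the set, and note that neither the set nor the rule survives a reboot unless you persist them (for example with ipset save and iptables-save).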
**Update 1:** Some people have emailed me expressing concern about speed. As it turns out, combining ipset with iptables in the above fashion is almost **11 times faster** than using iptables alone. See for yourself.
**Update 2:** If you want to get a little academic on the subject, consider *Using Throttling and Traffic Shaping to Combat Botnet Spam* (link).