1. https://github.com/firehol/firehol/wiki/dnsbl-ipset.sh
  2. /usr/share/doc/firehol-tools/examples/contrib/dnsbl-ipset.sh

/etc/firehol/firehol.conf

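# ipset holding DNSBL-scored hosts. Entries expire after 14 days unless the
# scorer refreshes them; 'comment' stores the per-entry score string that
# dnsbl-ipset.sh attaches (visible in 'ipset list dnsbl' below), and
# prevent_reset_on_restart keeps the set populated across a firehol restart.
# $(( )) replaces the deprecated $[ ] arithmetic form; the value is unchanged
# (1209600, matching the timeout shown in the ipset header further down).
ipset4 create dnsbl hash:ip timeout $((86400 * 14)) maxelem 500000 prevent_reset_on_restart comment

# Custom action: accept, but log the first packet of every new connection with
# the "AUDIT" prefix so accepted traffic can be reviewed afterwards.
# NOTE(review): nothing in this snippet references AUDIT_ACCEPT; presumably it
# is used by rules elsewhere in firehol.conf.
action4 AUDIT_ACCEPT \
  action ACCEPT state NEW log "AUDIT" \
  next action ACCEPT

# Block listed hosts on the WAN interface ('full' rather than 'stateful'/'input';
# see firehol's blacklist documentation for the difference). Addresses in the
# whitelist ipset are exempt, which is how the Let's Encrypt servers listed
# below were let back in.
# A line continuation must be the last character on its line: a space after
# the backslash escapes the space instead of the newline and silently breaks
# the rule.
blacklist4 full inface "${wan}" ipset:dnsbl \
  except src ipset:whitelist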

Leider waren auch viele Let's-Encrypt-Server dabei, die ich über die Whitelist wieder freigeben musste.

Let's-Encrypt-Server

13.59.153.150 
172.65.32.248 
18.192.99.12 
18.196.96.172

/etc/fstab

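# tmpfs for the ulogd2 packet logs, so the hourly-rotated syslogemu.log never
# touches disk. Contents are lost on reboot, which is fine for a scratch log
# that is re-created on the next run.
# The stray trailing comma after mode=0755 is removed: an empty entry in the
# option list is not a valid option and may be rejected by mount.
# Consider adding nodev,noexec as well — nothing in a log directory needs to be
# executable or a device node.
tmpfs /var/log/ulog/ tmpfs defaults,noatime,nosuid,mode=0755 0 0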
  1. reload
  2. mount -a

Hier noch ein paar History-Dumps:

# Shell history from setting this up, kept as a record of what was run.
systemctl start ulogd2.service   # ulogd2 is the packet logger whose output lives in /var/log/ulog
systemctl stop ulogd2.service
rm /var/log/ulog/syslogemu.log*  # clear old logs; the unquoted glob is intended here
nohup /etc/firehol/dnsbl-ipset.sh &  # run the scorer detached from the terminal ...
disown                           # ... and drop it from the shell's job table
# NOTE(review): this manual start does not check /var/run/dnsbl-ipset.lock the
# way /etc/cron.weekly/dnsbl-update does; confirm the script takes the lock
# itself so a cron run cannot overlap with it.
tail -f nohup.out                # script output lands in nohup.out of the current directory
ll -h /var/log/ulog/             # 'll' is a shell alias (commonly ls -l), not a command
ll -h /var/log/dnsbl-ipset/
mount | grep tmpfs               # confirm the tmpfs from /etc/fstab is mounted

logrotate

Um syslogemu.log stündlich zu rotieren,
muss der systemd-Service für logrotate umkonfiguriert werden;
das läuft leider nicht mehr über Cron-Jobs.

systemctl edit logrotate.timer

von weekly auf hourly stellen

[Timer]
# The empty assignment clears the schedule set in the packaged unit (weekly
# here); without it a drop-in would add a second OnCalendar entry instead of
# replacing the existing one.
OnCalendar=
OnCalendar=hourly
# Keep the run within a minute of the hour, so the hourly logrotate of
# syslogemu.log fires close to when it is expected.
AccuracySec=1m

ipset list dnsbl

Name: dnsbl 
Type: hash:ip 
Revision: 4 
Header: family inet hashsize 1024 maxelem 500000 timeout 1209600 comment 
Size in memory: 99522 
References: 4 
Number of entries: 256 
Members: 
196.196.52.6 timeout 412586 comment "score 100 from 2 lists: 100/127.0.0.4/zen.spamhaus.org 0/75.2.37.224/rbl.megarbl.net" 
20.0.220.101 timeout 132509 comment "score 100 from 2 lists: 100/127.0.0.4/zen.spamhaus.org 0/75.2.37.224/rbl.megarbl.net" 
85.203.34.157 timeout 411643 comment "score 215 from 3 lists: 200/127.0.0.2/z.mailspike.net 15/127.0.0.2/all.s5h.net 0/75.2.37.224/rbl.megarbl.net" 
149.56.20.160 timeout 559662 comment "score 100 from 2 lists: 0/75.2.37.224/rbl.megarbl.net 100/127.0.0.4/zen.spamhaus.org" 
54.191.62.50 timeout 298960 comment "score 115 from 3 lists: 0/75.2.37.224/rbl.megarbl.net 100/127.0.0.4/zen.spamhaus.org 15/127.0.0.2/all.s5h.net"

/var/log/dnsbl-ipset/blacklist.log

62.55.85.218 # score 100 from 2 lists: 0/75.2.37.224/rbl.megarbl.net 100/127.0.0.4/zen.spamhaus.org 
20.124.121.108 # score 100 from 2 lists: 0/75.2.37.224/rbl.megarbl.net 100/127.0.0.4/zen.spamhaus.org 
162.55.85.225 # score 100 from 2 lists: 0/75.2.37.224/rbl.megarbl.net 100/127.0.0.4/zen.spamhaus.org 
185.100.87.211 # score 100 from 2 lists: 100/127.0.0.3/zen.spamhaus.org 0/75.2.37.224/rbl.megarbl.net 
149.56.20.160 # score 100 from 2 lists: 0/75.2.37.224/rbl.megarbl.net 100/127.0.0.4/zen.spamhaus.org

/etc/logrotate.d/ulogd2

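# Hourly rotation of the ulogd2 logs on the /var/log/ulog tmpfs. Requires
# logrotate itself to run hourly (see the logrotate.timer override above).
# 'rotate 0' means the rotated file is deleted rather than kept, so the
# tmpfs never accumulates history; 'create 640 ulog adm' keeps the fresh
# packet log readable only by the ulog user and the adm group.
/var/log/ulog/*.log /var/log/ulog/*.pcap {
	hourly
	rotate 0
	missingok
	sharedscripts
	create 640 ulog adm
	postrotate
		# Ask ulogd2 to reopen its log files after rotation.
		# 'command -v' only looks the binary up; the original
		# 'command systemctl' executed systemctl with no arguments
		# (a full unit listing) just to obtain an exit status.
		if [ -d /run/systemd/system ] && command -v systemctl >/dev/null 2>&1 && systemctl is-active --quiet ulogd2.service; then
			systemctl kill --kill-who main --signal=SIGHUP ulogd2.service
		else
			invoke-rc.d ulogd2 reload > /dev/null
		fi
	endscript
}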

/etc/cron.weekly/dnsbl-update

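#!/bin/sh
# Weekly refresh of the dnsbl ipset, started by run-parts from
# /etc/cron.weekly. The file must be executable and start with a shebang
# for run-parts to exec it.
# If the lock file exists a scorer is presumably still running (the script is
# also started by hand with nohup, see the history above), so this run is
# skipped. The non-zero exit keeps the behaviour of the original one-liner:
# run-parts reports it and cron mails the message, which is also how a stale
# lock gets noticed.
# NOTE(review): the lock is only checked here, not created; confirm that
# dnsbl-ipset.sh creates and removes /var/run/dnsbl-ipset.lock itself.
# '>' truncates the previous run's output; /etc/logrotate.d/dnsbl-ipset only
# rotates whatever is left at month end.
if [ -f /var/run/dnsbl-ipset.lock ]; then
  printf '%s\n' "dnsbl-update: /var/run/dnsbl-ipset.lock present, skipping this run" >&2
  exit 1
fi
exec /etc/firehol/dnsbl-ipset.sh >/var/log/dnsbl-ipset.log 2>&1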

/var/log/dnsbl-ipset.log

MINUS 89.27.50.248 (2) 
MINUS 89.27.50.248 (1) 
SCORE: rbl.megarbl.net = 0 
MATCH (0, total 0): 89.27.50.248 on 75.2.37.224/rbl.megarbl.net 
MINUS 89.27.50.248 (0) 
-  CLEAN      89.27.50.248     # score 0 from 1 list: 0/75.2.37.224/rbl.megarbl.net 
DONE 89.27.50.248

vim /etc/logrotate.d/dnsbl-ipset

# Rotation for the output of the weekly /etc/cron.weekly/dnsbl-update run.
# That job overwrites the file with '>' on every run, so this mainly bounds
# growth if a single run logs a lot; 'rotate 1' keeps one old copy and
# 'notifempty' skips rotation when the last run produced nothing.
/var/log/dnsbl-ipset.log {
   monthly
   rotate 1
   missingok
   notifempty
   create 0640 root root
}

  1. dnsbl-statistics
  2. fail2ban-customs 
    /etc/fail2ban/action.d/iptables-common.conf /iptables.conf 
    blocktype = DROP