1. ai firehol firehol-tools ulogd2 conntrack
  2. sc-status firehol
  3. sc-start firehol
  4. sc-restart firehol

vim /etc/default/firehol

START_FIREHOL=YES

vim /etc/firehol/firehol-defaults.conf +461

  • t /var/log/ulog/syslogemu.log
# IPTABLES PACKETS LOGGING
# LOG mode for iptables
# Default: LOG
# Possible Values: LOG, ULOG, NFLOG
# LOG = syslog
# We recommend to install ulogd and use NFLOG.
FIREHOL_LOG_MODE="NFLOG"

  1. ai fail2ban
  2. fail2ban-client status
  3. fail2ban-client status postfix
  4. fail2ban-client set postfix unbanip IP
  5. fail2ban-regex /var/log/mail.warn /etc/fail2ban/filter.d/postfix.conf
  6. fail2ban-regex systemd-journal "postfix[mode=aggressive]"
  7. vim /etc/fail2ban/jail.local
  8. fail2ban-client reload postfix
  9. service fail2ban restart
  10. fail2ban-customs
  11. f2b_status.sh

show my public ip

curl -4

vim /etc/fail2ban/jail.d/mail.conf

[postfix]
enabled = true
port    = smtp,465,submission
filter    = postfix[mode=aggressive]
logpath = /var/log/mail.log
maxretry    = 4

[dovecot]
enabled		= true
filter		= dovecot[mode=aggressive]

# CUSTOM
[spamassassin]
enabled     = true
filter      = spamassassin
logpath     = /var/log/mail.info
maxretry    = 1

vim /etc/fail2ban/jail.local

[Definition]
allowipv6 = auto

[DEFAULT]
ignoreip    = 10.0.3.0/24
bantime     = 1d
findtime    = 2d
maxretry    = 2

bantime.increment = true
bantime.factor = 2

[pam-generic]
enabled   = true
backend   = systemd
journalmatch = _SYSTEMD_UNIT=sshd.service
              + _SYSTEMD_UNIT=login.service
              + _SYSTEMD_UNIT=systemd-user-sessions.service

[recidive]
ignoreip	= YOUR-LOCAL-CLIENT-IP-RANGE.0.0/16 
enabled		= true
f

vim /etc/fail2ban/jail.d/nginx.conf

[nginx-bad-request]
enabled     = true
filter      = nginx-bad-request

[nginx-botsearch]
enabled     = true
filter      = nginx-botsearch

[nginx-404]
enabled     = true
port        = http,https
filter      = nginx-404
logpath     = /var/log/nginx/access.log
maxretry    = 300

[nginx-http-auth]
enabled     = true
port        = http,https
filter      = nginx-http-auth
logpath     = /var/log/nginx/error.log

[nginx-botsearch]
enabled     = true
port        = http,https
filter      = nginx-botse

vim /etc/fail2ban/filter.d/nginx-probe-wp.conf

[Definition]
# Aggressive WP-probe blocker for non-WP hosts (NO 'feed' matches).
# Covers:
# - double slashes (//)
# - 0–3 arbitrary prefixes: blog/, web/, 2020/, wordpress/, wp/, shop/, ...
# - wp-admin[/setup-config.php|/install.php], wp-login.php, xmlrpc.php[?rsd]
# - trees: wp-includes/**, wp-content/**
# - leak/info files: wp-config.php, readme.html, license.txt, wlwmanifest.xml, ID3/license.txt

failregex = ^<HOST> - - \[.*?\] "\w+\s+/{1,2}(?:[A-Za-z0-9._-]+/){0,3}(?:wp-admin(?:/(?:setup-co

FireHOL is a powerful and intuitive firewall manager for Linux systems. It is widely used on servers, routers, gateways, virtualization hosts, and container environments where clear, stateful, and auditable firewall rules are essential. FireHOL automatically generates iptables/nftables rules and relies heavily on the Linux conntrack subsystem to enable stateful packet inspection and context‑aware filtering.


Diese Seite dokumentiert die eigentliche dnsbl-ipset-Engine (FireHOL dnsbl-ipset.sh), die in Echtzeit IP-Adressen gegen verschiedene DNS-Blocklisten prüft und in ein ipset schreibt.

== Ziel

  • Verdächtige Verbindungen aus dem Firewall-Log (ulogd) in Echtzeit gegen DNSBLs prüfen
  • Treffer automatisiert in ein ipset schreiben
  • iptables-Regeln verwenden dieses ipset, um IPs temporär zu blocken

== Komponenten

  1. https://github.com/firehol/firehol/wiki/dnsbl-ipset.sh
  2. /usr/share/doc/firehol-tools/examples/contrib/dnsbl-ipset.sh

/etc/firehol/firehol.conf

# dnsbl
ipset4 create dnsbl hash:ip timeout 1209600 maxelem 500000 prevent_reset_on_restart comment

action4 AUDIT_ACCEPT \
    action ACCEPT state NEW log "AUDIT" \
    next action ACCEPT

blacklist4 full inface "${wan}" ipset:dnsbl \
	except src ipset:whitelist

leider waren auch viele Letsencrypt

DNSBL / dnsbl-ipset Auswertung 

Diese Seite beschreibt das Auswertescript für dnsbl-ipset, das auf dem Server wöchentlich Top-Statistiken aus `matches.log` erzeugt und per Mail verschickt.

== Zweck

Das Script verarbeitet die von `dnsbl-ipset.sh` erzeugte Datei `/var/log/dnsbl-ipset/matches.log` und erstellt daraus wöchentliche Reports:

#!/bin/bash
# =============================================================================
# Script Name: f2b_status.sh
# Version: 1.6
# Description: This script retrieves and displays the status of all Fail2Ban
#              jails, including error handling and logging.
# =============================================================================

# Log file path
LOG_FILE="/var/log/fail2ban-status.log"

#######################################
# Print a timestamped message and append the same line to $LOG_FILE.
# Globals:   LOG_FILE (read) - path of the log file appended to via tee
# Arguments: $1 - message text
# Outputs:   "<YYYY-mm-dd HH:MM:SS> - <message>" on stdout and in LOG_FILE
#######################################
log_message() {
    local stamp
    stamp=$(date +"%Y-%m-%d %H:%M:%S")
    printf '%s - %s\n' "$stamp" "$1" | tee -a "$LOG_FILE"
}

# Function to retrieve t
#!/bin/sh
# Version: 1.3
# Description: Update DNS blocklist and ensure script runs in the background

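# Lock file path. NOTE(review): its use is further down the script, outside
# this excerpt - confirm it is actually taken before the update starts.
LOCKFILE="/var/run/dnsbl-ipset.lock"
# All stdout/stderr of the detached run is appended here.
LOGFILE="/var/log/dnsbl-ipset.log"

# Ensure the script runs in the background: when BACKGROUND is unset this is
# the foreground invocation, so re-exec ourselves under nohup with
# BACKGROUND=true (which stops the recursion) and let this copy exit.
# The redirection target is quoted so a path with spaces or globs cannot
# be word-split (ShellCheck SC2086).
if [ -z "$BACKGROUND" ]; then
  BACKGROUND=true nohup "$0" "$@" >> "$LOGFILE" 2>&1 &
  exit 0
fi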

{
  echo "[$(date)] Starting dnsbl-update script"

  if [ !
#!/bin/bash
# =============================================================================
# Script Name: ipset_blacklist_reload.sh
# Version: 1.1
# Author: Andreas Fleckl
# Description: This script reloads an ipset with CIDR /24 network ranges from a 
#              specified file, including error handling and logging.
# =============================================================================

# Define your ipset name
IPSET_NAME="blacklist"

# Path to your list of IP network ranges, one per line
IP_LIST_PATH="/etc/firehol/blacklist.netset"

# Log fi
#!/bin/zsh
# =============================================================================
# Script Name: f2b_check_ips.sh
# Version: 1.1
# Author: Andreas Fleckl
# Description: This script extracts and prints all banned IPs from Fail2Ban
#              jails, with an option to filter IPs based on a search argument.
#              Includes error handling and logging.
# =============================================================================

# Function to extract the list of jails
extract_jail_list() {
    # Run fail2ban-client status and extract the 

#
# ipv4 hash:ip ipset
#
# Maintainer        : bubu IT
# Maintainer URL    : https://bubuit.net
# List source URL    : https://blacklist.bubuit.net
# Category        : spam imap smtp fail2ban evil

  1. ai firehol-tools
  2. ll -t /etc/firehol/ipsets
  3. update-ipsets enable firehol_level1 firehol_level2 firehol_level3 firehol_level4 fullbogons spamhaus_drop sslbl blocklist_de greensnow ciarmy sslbl_aggressive 
  4. update-ipsets
  5. ipset -L -n
  6. ipset -L firehol_level1
  7. t /var/log/update-ipsets.log
  8. update-ipsets --help
  9. man ipset

/etc/cron.daily/update-ipsets

#!/bin/sh
# Daily cron job (/etc/cron.daily): refresh all enabled ipsets with update-ipsets.
# The log is opened with ">" (truncate), so it only ever holds the most recent run;
# stderr is folded into the same file.
# NOTE(review): -s is presumably the silent/quiet flag - confirm against
# "update-ipsets --help".
update-ipsets -s > /var/log/update-ipsets.log 2>&1
 

/etc/firehol/whitelist.txt


# myips
YOUR PUBIPS

# hetzner.de
46.4.20.50

# packageist
185.56.232.198

# Mail Server
54.245.105.146
85.214.65.224
151.101.114.217 
176.9.37.124
176.9.78.130
188.40.28.171
195.145.228.186
109.73.15.86

# Top Mailserver
62.146.106.0/24
74.125.200.0/24
80.67.18.0/24
81.169.145.0/24
142.251.31.0/24
194.25.134.0/24
209.85.217.0/24

# google.com
209.85.128.0/24
209.85.214.0/24
209.85.217.0/24
209.85.219.0/24
209.85.220.0/24


/etc/firehol/firehol.conf

# SYNPROXY
TRAP_PORTS="25 80"
SUSPECTS_TIMEOUT=3600
TRAP_TIMEOUT=86400
VALID_CONNECTION_COUNT=2
TRAP_ACTION="DROP"

ipv4 synproxy input inface "${wan}" dst "${PUBLIC_IPS}" dport "${TRAP_PORTS}" accept