block_ip.sh and iptables, version 2.1 RC1

DirectAdmin Support

I've made some changes to the block_ip.sh, iptables, and related scripts:
http://files.directadmin.com/services/all/block_ips/2.1/

Version: 2.1 - RC1

It has been tested on a test box, but is only labelled RC1 to allow some time for testing before making it the default in the guide, which will still use 2.0.

The following changes have been made:
New allowed_ips and blocked_ips chains for faster adding/removing (no need for full iptables restart)
Will add blocked_ips and /usr/local/directadmin/data/admin/ip_whitelist to allowed_ips to ensure no accidental blocking.
Actively checks sshd_config and './directadmin c' output to ensure those ports are open, to prevent accidental blocking of ssh.
ALLOW_PING=1 setting to enable ICMP pings/traceroute (by default)
Cleaner rate limiting for 25 and 465 via rate_limit function
Better commenting for easier navigation


If you decide to update to this version, use steps 1, 2 and 4, with version 2.1 set:
http://help.directadmin.com/item.php?id=380&in1=2.1

and let us know if you run into any issues.
Also let us know if you don't run into any issues and if it works correctly.

John
 
Centos 7 Compatible?

Does the new version work with Centos 7? (With the new systemctl system instead of using the older init scripts)
 
I've just tested it on CentOS 7, and it can work with a few tweaks to the path of the iptables script.
I've updated the guide:
http://help.directadmin.com/item.php?id=380&in1=2.1

Just flip it over to "systemd" from "init.d"... assuming I wrote the JS on the document correctly :)

Also, use 2.1+ because the block_ip.sh and unblock_ip.sh are swapped to use /sbin/iptables, directly to the chain.. rather than in 2.0 where it does a full restart, but would have the wrong path.
2.1 allows us to not need to change anything in the custom/*.sh scripts.

Keep in mind that 2.1 is new, so only try it out if you're familiar with iptables.
http://files.directadmin.com/services/all/block_ips/2.1/

If you want 2.0 with CentOS 7, then just be sure to change the block_ip.sh and unblock_ip.sh to do "systemctl reload iptables", because /etc/init.d/iptables won't be there.

John
 
Thanks John, I really appreciate you updating the guide and testing it!
I'm going to set it up asap :).
 
Just a quick question- I was looking over the iptables script and noticed:
DA_PORT_2=0
Which seems to be related to SSL

I'm using SSL for my directadmin login - so do I need to change that value for it to work, or will it be handled automatically if I leave it unchanged?
Thanks again!
 
Leave it 0. It only applies to this feature which runs a 2nd fork of DA to allow it to run on 2 ports at the same time.
http://www.directadmin.com/features.php?id=492

If you're just using SSL on 2222, then don't worry about it.
If you're running SSL=0 on 2222, but ssl_port=2223, then yes, you could set it to 2223... or just leave it alone and the iptables script would sort it out for you anyway.

John
 
Thanks again John,
I've installed it and everything appears to be working perfectly!
Should we limit the amount of IPs that are blocked - meaning if you add a lot, does it affect performance?
Just curious.
 
The number of IPs can in theory slow it down, but the list would need to be rather huge.
I do recommend you auto-unblock IPs after "X" number of days... which would help keep the list smaller.

But, for example, our servers average 1000-3000 blocked IPs, and I've never seen a slowdown.

If the list gets ridiculously large, in theory one could create their own hash tables in chains.. each for their own range.
So, just create say 10 chains that each only scan IPs that match a certain mask, and add an IP to block into its specific chain.
That would reduce the worst case performance by a factor of 10.. assuming roughly equal distribution of IPs in all chains.
Anyway, that's overkill, and if you need that many blocks, iptables might not be enough.
.. which... after 5 seconds of googling, it sounds like this does exactly that:
http://ipset.netfilter.org/

At that point, it's probably just easier to look for ranges that have large numbers of attacking IPs, and block those entire ranges.

John
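The ipset approach John points at, combined with his advice to auto-unblock after "X" days, as an added example script (not DirectAdmin's block_ip.sh/unblock_ip.sh): one match-set rule in the 2.1 blocked_ips chain replaces a rule per address, and each entry expires on its own. The set name blocked_ips_set, the 7-day default, the binary paths and the refusal to block anything listed in ip_whitelist are assumptions.

```shell
#!/bin/sh
# Example (not the DirectAdmin script): blocked addresses live in an ipset with a
# per-entry timeout, so one rule in the blocked_ips chain matches them all and
# they expire on their own. Binaries, set name, lifetime and whitelist path are
# overridable assumptions.
IPSET=${IPSET:-/usr/sbin/ipset}
IPTABLES=${IPTABLES:-/sbin/iptables}
SET_NAME=${SET_NAME:-blocked_ips_set}
BLOCK_DAYS=${BLOCK_DAYS:-7}
WHITELIST=${WHITELIST:-/usr/local/directadmin/data/admin/ip_whitelist}

block_seconds() { echo $(( ${1:-$BLOCK_DAYS} * 86400 )); }   # days -> ipset timeout

blocklist_setup() {
    # Create the set (-exist keeps this idempotent) and hook it into the 2.1
    # blocked_ips chain with a single match-set rule; run once at firewall start.
    $IPSET -exist create "$SET_NAME" hash:ip timeout "$(block_seconds)"
    $IPTABLES -I blocked_ips 1 -m set --match-set "$SET_NAME" src -j DROP
}

is_whitelisted() {
    # Exact-line match against ip_whitelist; comment and blank lines never match.
    [ -r "$WHITELIST" ] && grep -qxF "$1" "$WHITELIST"
}

block_ip() {
    # block_ip ADDRESS [DAYS]: refuse whitelisted addresses, otherwise add the
    # entry (or reset its timer if already present) with the given lifetime.
    if is_whitelisted "$1"; then
        echo "refusing to block whitelisted address $1" >&2
        return 1
    fi
    $IPSET -exist add "$SET_NAME" "$1" timeout "$(block_seconds "${2:-}")"
}

unblock_ip() { $IPSET -exist del "$SET_NAME" "$1"; }   # no error if already expired

is_blocked() { $IPSET -q test "$SET_NAME" "$1"; }       # exit 0 while the entry lives
```

Setting IPSET="echo ipset" and IPTABLES="echo iptables" turns every function into a dry run that prints the commands it would execute.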
 
In my opinion, most of the OSes use firewalld.
It's a great firewall.
It would be good if it were also based on firewalld.
 
Something that I can't understand:
Code:
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
# accept 22 anyway, plus anything else it's actually set to
if [ "${SSHD_PORT}" != "22" ]; then
$IPTABLES -A INPUT -p tcp --dport ${SSHD_PORT} -j ACCEPT
fi
Why, if it's not port 22, does it allow the port?
The firewall should allow only allowed ports.

And a second thing:
The INPUT chain should be DROP by default.
 
As a safety precaution, yes, we still open port 22, even if sshd is running some other port.
If ssh isn't running on port 22, then they won't be able to connect anyway, so no harm done.
However, say you've changed the SSH port in sshd_config, but forgot to restart sshd?
We'd still want port 22 open.
Or say something, somehow, manages to revert the ssh port to 22.. it would still be open.

As ssh is the last line of access, we really want to make sure we don't accidentally lock ourselves out.

If you don't like this concept, no problem. Just replace those 5 lines to show this instead:
Code:
$IPTABLES -A INPUT -p tcp --dport ${SSHD_PORT} -j ACCEPT
without any if statements.
Of course, test things like mad, before logging out.
Would also be a good idea to have your IP in the /usr/local/directadmin/data/admin/ip_whitelist.. and test from a 2nd IP, in case something goes wrong, you can still login via the whitelist exception.
2.1 will set up a whitelist chain based on the ip_whitelist file. Just confirm your IP is actually whitelisted by checking the active tables:
Code:
iptables -nL
John
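John's lockout safeguards (port 22 always accepted, the configured sshd port read from sshd_config, and ip_whitelist turned into an allowed_ips chain) as an added example script, not the 2.1 script itself; it prints the rule arguments so they can be reviewed before apply_rules hands them to iptables. The allowed_ips chain name and the ip_whitelist path come from the thread; the file format (one IPv4 address or CIDR per line, '#' comments) and the validation are assumptions.

```shell
#!/bin/sh
# Example rule generator (not DirectAdmin's script): keeps 22 open even when sshd
# moves elsewhere, and validates ip_whitelist entries before they reach allowed_ips.
IPTABLES=${IPTABLES:-/sbin/iptables}

sshd_ports_from_config() {
    # Every "Port N" directive (leading whitespace ok, keyword case-insensitive, '#'
    # comment lines ignored); sshd's built-in default of 22 applies if none is set.
    ports=$(sed -n 's/^[[:space:]]*[Pp][Oo][Rr][Tt][[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p' "$1" 2>/dev/null)
    if [ -n "$ports" ]; then printf '%s\n' "$ports"; else echo 22; fi
}

ssh_accept_rules() {
    # 22 is always accepted as the lockout safety net; other ports are added once each.
    echo "-A INPUT -p tcp --dport 22 -j ACCEPT"
    sshd_ports_from_config "$1" | sort -un | while read -r p; do
        if [ "$p" != "22" ]; then echo "-A INPUT -p tcp --dport $p -j ACCEPT"; fi
    done
}

valid_ipv4_cidr() {
    # Accepts a.b.c.d or a.b.c.d/n with 0 <= n <= 32 and every octet 0..255.
    ip=${1%%/*}; prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32                        # no "/" means a single host
    case $prefix in ''|*[!0-9]*) return 1;; esac
    [ "$prefix" -le 32 ] || return 1
    case $ip in ''|*[!0-9.]*|*.|.*|*..*) return 1;; esac      # digits and single dots only
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for oct in "$@"; do [ "$oct" -le 255 ] || return 1; done
}

whitelist_rules() {
    # One address or CIDR per line of ip_whitelist (assumed format); blanks and '#'
    # comments are skipped, malformed entries go to stderr instead of to iptables.
    while read -r line || [ -n "$line" ]; do
        entry=$(printf '%s' "${line%%#*}" | tr -d '[:space:]')
        [ -z "$entry" ] && continue
        if valid_ipv4_cidr "$entry"; then
            echo "-A allowed_ips -s $entry -j ACCEPT"
        else
            echo "skipping malformed whitelist entry: $line" >&2
        fi
    done < "$1"
}

apply_rules() {
    # usage: { ssh_accept_rules /etc/ssh/sshd_config; whitelist_rules /path/to/ip_whitelist; } | apply_rules
    while read -r rule; do $IPTABLES $rule; done              # unquoted on purpose: split into args
}
```

Running the generators without apply_rules shows exactly which ports and addresses would be opened, which is the check to make from a second IP before logging out.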
 
I tried to use this script on CentOS 7. Everything is working except when I use FileZilla to connect to FTP: it logs in to the server successfully but cannot list the directory. Can anyone help?

Thanks in advance.
 
Here it is:

# cat /usr/libexec/pureftpd_startscript
cat: /usr/libexec/pureftpd_startscript: No such file or directory
 
This is the default config that comes with a new install of DirectAdmin 1.47.

Code:
# cat /etc/proftpd.conf
ServerName              "ProFTPd"
ServerType              standalone

Port                    21
PassivePorts            35000 35999
UseReverseDNS           off
TimesGMT                off
TimeoutLogin            120
TimeoutIdle             600
TimeoutNoTransfer       900
TimeoutStalled          3600

ScoreboardFile          /var/run/proftpd/proftpd.scoreboard
PidFile                 /var/run/proftpd/proftpd.pid

TransferLog             /var/log/proftpd/xferlog.legacy
LogFormat               default "%h %l %u %t \"%r\" %s %b"
LogFormat               auth    "%v [%P] %h %t \"%r\" %s"
LogFormat               write   "%h %l %u %t \"%r\" %s %b"

#DON'T modify this log format.  It's used by DirectAdmin to determine user usage
LogFormat               userlog "%u %b %m %a"
ExtendedLog             /var/log/proftpd/128.199.64.46.bytes WRITE,READ userlog

AuthUserFile                    /etc/proftpd.passwd
DefaultServer           on
AuthOrder mod_auth_file.c

#AuthPAM off

<IfModule mod_tls.c>
        TLSEngine on
        TLSLog /var/log/proftpd/proftpd.tls.log
        TLSProtocol TLSv1
        TLSVerifyClient off
        TLSRequired off

        #Certificates
        TLSRSACertificateFile /etc/exim.cert
        TLSRSACertificateKeyFile /etc/exim.key
        #TLSCACertificateFile /etc/ftpd/root.cert.pem

        TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
</IfModule>

<Global>
        PassivePorts            35000 35999
        DeferWelcome            on

        RequireValidShell       no

        DefaultRoot             ~
        DirFakeUser on ftp
        DirFakeGroup on ftp

        User                    ftp
        Group                   ftp
        #UserAlias              anonymous ftp

        AllowStoreRestart       on
        AllowRetrieveRestart    on

        ListOptions             -a
        ShowSymlinks            on
        <IfModule mod_facts.c>
                ##Enable this with proftpd 1.3.4b+ to fix FileZilla MLSD
                ##http://www.proftpd.org/docs/modules/mod_facts.html#FactsOptions
                # FactsOptions UseSlink
        </IfModule>

        Umask                   022
        DisplayLogin            welcome.msg
        DisplayChdir            readme
        AllowOverwrite          yes
        IdentLookups            off
        ExtendedLog             /var/log/proftpd/access.log WRITE,READ write
        ExtendedLog             /var/log/proftpd/auth.log AUTH auth

        #
        # Paranoia logging level....
        #
        #ExtendedLog    /var/log/proftpd/paranoid.log ALL default

        <IfModule mod_tls.c>
                TLSEngine on
                TLSLog /var/log/proftpd/proftpd.tls.log
                TLSRSACertificateFile /etc/exim.cert
                TLSRSACertificateKeyFile /etc/exim.key
        </IfModule>
</Global>

Include /etc/proftpd.vhosts.conf
 
 