FirewallD or IPtables?

nango (Verified User, joined May 13, 2006, 92 messages)
Hi

I tried CentOS 7 when it was new and I was not interested in the new commands, so I decided to continue on CentOS 6. Until now; but now I need to run a new DA on CentOS 7, and I find FirewallD is the new default firewall on CentOS 7 rather than iptables. Should I keep that?

My guess is that using iptables on DA is better, because many default scripts and configs are made for iptables, like block_ip.sh.
What is your suggestion?
 
FirewallD is just another service for iptables.

My suggestion, just disable firewalld and install CSF/LFD and use the scripts by Poralix for brute force protection.
They work with iptables and CSF.
 
Indeed, firewalld and CSF firewall are both essentially wrappers that talk to the underlying iptables.

I prefer CSF firewall and wrote a section in my DirectAdmin install guide on it, Switching DirectAdmin From Firewalld To CSF Firewall, including how to enable IPSET for better performance. The guide also covers the initial firewalld install step: https://servermanager.guide/162/how-to-install-directadmin-control-panel-on-centos-7/#step3.

Use whichever one you're more comfortable managing and configuring for :)
 
??? From your site

Seems to me you're using the same installation and the same brute-force script from Poralix I was pointing to. So I'm curious what the difference is with yours?

The IPSET stuff after the CSF BFM install :)
 
That's a good one.
I'm going to take a deeper look into ipset to see if it can indeed do what it says, thank you.

Edit: Had a look at it and it seems your explanation is not completely correct:
> To further optimise CSF Firewall's ability to handle larger sets of blocked IP addresses without slowing down your server,
As far as I could read it quickly, the "without slowing down" is only in effect when adding the list of IP ranges to block.

However, the iptables list will grow by this, using resources which will eventually slow down the server. So one still has to watch out not to block too much, correct?
 
> However, the iptables list will grow by this, using resources which will eventually slow down the server. So one still has to watch out not to block too much, correct?
Yes, resources are NOT unlimited, so usage will increase as you block more IPs, but IPSET can handle magnitudes more than without.

https://www.spinics.net/lists/netfilter/msg56265.html

On Tue, 25 Aug 2015, Akshat Kakkar wrote:

> As per info in
> http://lists.netfilter.org/pipermail/netfilter/2005-September/062859.html,
> ipset of iphash of 20Million IPs, takes around only 80MB. I understand
> that this might be simply multiplication of 20Million with 4 bytes which
> IP takes if stored normally.
>
> But when I try to replicate this I am getting size in memory as
> 506,481,176 (around 483MB) for number of entries 16,581,375.
>
> This comes to around 30Bytes per IP.
>
> I have got this values from ipset -L command
>
> Is this much size anticipated?

At that time we had ipset 2.x - now it's 6.x. The algorithm behind the
hash types has been completely rewritten since then and memory had been
sacrificed for the sake of speed. So that number does not apply to the
current ipset memory usage.

The memory requirement for the hash types depends on the hashsize (H) and
the number of elements (N) and it is something like (not counting some
basic fixed structures):

H * 40byte + (N/4 + N%4) * 4 * element size

The RCU support also increased significantly the memory requirement.

Best regards,
Jozsef

https://blog.manasg.com/fun-with-ipset-and-iptables/

TL;DR:
IPSet is an extension of IPTables which can give significant performance gains as well as simplify configuration. perf top showed 10-30% CPU overhead for IPTables in my setup. It was negligible with IPSet.
 
That makes it still interesting indeed.
I'm curious what other admins think of this. Because if it's that good, I can't imagine there aren't a lot more admins using it.
Going to try this out if the Chinese and Russians start their crap again in big time attacks.

Just one question. We also have CentOS 6 servers. They are playing together with the CentOS 7 servers by using the cluster option. If ipset is enabled (it has to be on all 3 servers in that case), will there be no issues with the cluster setup?
 
> That makes it still interesting indeed.
> I'm curious what other admins think of this. Because if it's that good, I can't imagine there aren't a lot more admins using it.
> Going to try this out if the Chinese and Russians start their crap again in big time attacks.
>
> Just one question. We also have CentOS 6 servers. They are playing together with the CentOS 7 servers by using the cluster option. If ipset is enabled (it has to be on all 3 servers in that case), will there be no issues with the cluster setup?

The only way to know for sure is to try it :) Pretty sure most admins just take it as a given to use IPSET where possible?

I've been using IPSET for years on servers whose Linux kernel has IPSET support, with CentOS and CSF Firewall, for all my servers which are non-OpenVZ based (OpenVZ 2.6.x kernels don't support IPSET) :D
 
Yes, the install.sh script does not enable IPSET by default; we enable IPSET manually whenever it's possible and required.
With IPSET we use:

Code:
DENY_IP_LIMIT = "1000"
DENY_TEMP_IP_LIMIT = "1000"


@Richard,

According to https://www.abuseipdb.com/statistics, Russia takes only 6th place, after China, the United States, France, Brazil and India, by the number of reported IPs.

Please do not use offensive words in posts here.
 
You'd better also put some block/blacklist on email coming from Nigeria; before, a lot of ... mails were coming from there. I don't know, maybe less now. When we decided to block them, at that time fewer ... mails asking for money. ;)
 
> DENY_IP_LIMIT = "1000"
> DENY_TEMP_IP_LIMIT = "1000"
We already use this setting without ipset and no issues until now.

Statistics may show that Russia is in 6th place after China and the US, but the fact on our servers is that most attacks are coming from China, Ukraine, Russia and India. Also the US, but a lot less. And regularly from OVH, mostly from France. Ukraine is reaching the top next to China at the moment on our servers.
The statistics are an average from all over the world; it can differ per region or server. And it also differs per month. China is nr. 1 anyway on our servers, almost always.

zEitEr said:
> Please do not use offensive words in posts here.
I did not use any offensive words here. The word "crap" is a normal English word as far as I know, and an alias for "nonsense". Seen it here lots of times. With "crap" I was pointing to the attacks; I can't see anything offensive in there. If you find something offensive, please explain what would be offensive, because it's not my intention to post offensive words.

@ikkeben: At this moment it's fairly quiet from Nigeria on our servers. But it always varies. Top brute-forcers change all the time, so I'm sure Nigeria will reach the top too.


@Eva2000: As I read from zEiTEr, they set it up when possible and required. At this moment we don't require it yet, and with 1000 on both full and temp bans we don't have issues yet. Pity that you never tested the cluster if you've already been using it for that many years. I would have thought more admins would use the cluster function.
I'll test it when I implement ipset.
 
> That makes it still interesting indeed.
> I'm curious what other admins think of this. Because if it's that good, I can't imagine there aren't a lot more admins using it.
> Going to try this out if the Chinese and Russians start their crap again in big time attacks.
>
> Just one question. We also have CentOS 6 servers. They are playing together with the CentOS 7 servers by using the cluster option. If ipset is enabled (it has to be on all 3 servers in that case), will there be no issues with the cluster setup?



Richard, I have been using IPset from the beginning. It's really popular on the other panel. It's pretty much recommended and pointed out in the CSF install.

https://configserver.com/cp/csf.html

http://ipset.netfilter.org/

From the plugin:

This option allows you to use ipset v6+ for the following csf options:
CC_* and /etc/csf/csf.blocklist, /etc/csf/csf.allow, /etc/csf/csf.deny,
GLOBAL_DENY, GLOBAL_ALLOW, DYNDNS, GLOBAL_DYNDNS, MESSENGER

ipset will only be used with the above options when listing IPs and CIDRs.
Advanced Allow Filters and temporary blocks use traditional iptables

Using ipset moves the onus of ip matching against large lists away from
iptables rules and to a purpose built and optimised database matching
utility. It also simplifies the switching in of updated lists

To use this option you must have a fully functioning installation of ipset
installed either via rpm or source from http://ipset.netfilter.org/

Note: Using ipset has many advantages, some disadvantages are that you will
no longer see packet and byte counts against IPs and it makes identifying
blocked/allowed IPs that little bit harder

Note: If you mainly use IP address only entries in csf.deny, you can increase
the value of DENY_IP_LIMIT significantly if you wish

Note: It's highly unlikely that ipset will function on Virtuozzo/OpenVZ
containers even if it has been installed

If you find any problems, please post on forums.configserver.com with full
details of the issue

LF_IPSET = Off / On
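The two points made in this thread, the quoted netfilter-list memory formula (H * 40 byte + (N/4 + N%4) * 4 * element size) and the plugin note that ipset "moves the onus of ip matching against large lists away from iptables rules" and "simplifies the switching in of updated lists", can be seen in one small script. This is an added example, not code from CSF, DirectAdmin or any poster: it parses a constructed csf.deny-style list, builds `ipset restore` input that fills a fresh set and atomically swaps it under the live name, and estimates memory with the quoted formula. The set name `csf_deny`, the fixed `maxelem`, the 1024 starting hashsize and the 16-byte element size are assumptions; the 40-byte per-bucket figure is the one from the quoted mail.

```python
"""Build an atomic `ipset restore` script from a csf.deny-style block list.

Added example for this thread; not code from CSF, DirectAdmin or any poster.
One ipset referenced from a single iptables rule replaces one iptables rule
per address, and an updated list is "switched in" by loading a temporary set
and swapping it under the live name, so traffic never hits a half-loaded set.
The memory estimate applies the rough formula quoted from the netfilter list;
the element size and starting hashsize are assumptions, not measured values.
"""
import ipaddress

# Constructed sample in csf.deny format: "ip_or_cidr # comment".
# Advanced filters (tcp/in/d=22/s=...) stay on plain iptables per the CSF docs.
SAMPLE_CSF_DENY = """\
# csf.deny sample (constructed for this example)
203.0.113.7 # lfd: (sshd) Failed SSH login from 203.0.113.7: 5 in the last 3600 secs
198.51.100.0/24 # manual block of a noisy range
203.0.113.7 # duplicate entry, must not be added twice
tcp/in/d=22/s=192.0.2.9 # advanced filter, not an ipset candidate
2001:db8::/32 # IPv6 ranges go into a separate inet6 set
not-an-ip # garbage line, reported as skipped
"""

SET_BASE = "csf_deny"   # assumed set name; CSF's own set names differ
MAXELEM = 65536         # kept fixed so `ipset -exist restore` sees a re-create as the same set
BUCKET_BYTES = 40       # per-hashsize cost from the quoted netfilter mail
ELEMENT_BYTES = 16      # assumed hash:net element size; check real usage with `ipset list -t`


def parse_deny_list(text):
    """Return (ipv4_nets, ipv6_nets, skipped_tokens) from csf.deny text.

    Single addresses become /32 or /128 networks, duplicates are dropped and
    anything ipaddress cannot parse (advanced filters, typos) is reported.
    """
    v4, v6, skipped, seen = [], [], [], set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # strip the trailing comment
        if not fields:
            continue                             # blank or comment-only line
        token = fields[0]
        try:
            net = ipaddress.ip_network(token, strict=False)
        except ValueError:
            skipped.append(token)
            continue
        if net in seen:
            continue
        seen.add(net)
        (v4 if net.version == 4 else v6).append(net)
    return v4, v6, skipped


def pick_hashsize(n_elements, minimum=1024):
    """Smallest power of two >= n_elements (ipset grows the table itself, but
    starting near the final size avoids resizes during the load)."""
    h = minimum
    while h < n_elements:
        h *= 2
    return h


def estimate_hash_bytes(n_elements, hashsize, element_size=ELEMENT_BYTES):
    """Rough memory for a hash-type set per the quoted formula; a lower bound,
    since the mail notes RCU support raised the real figure further."""
    return hashsize * BUCKET_BYTES + (n_elements // 4 + n_elements % 4) * 4 * element_size


def build_restore_script(v4, v6, base=SET_BASE):
    """Emit `ipset restore` input that loads a temp set and swaps it live."""
    out = []
    for family, nets in (("inet", v4), ("inet6", v6)):
        live, tmp = f"{base}_{family}", f"{base}_{family}_new"
        hashsize = pick_hashsize(len(nets))
        # creates the live set on first run; later runs rely on `ipset -exist`
        out.append(f"create {live} hash:net family {family} hashsize {hashsize} maxelem {MAXELEM}")
        out.append(f"create {tmp} hash:net family {family} hashsize {hashsize} maxelem {MAXELEM}")
        out.extend(f"add {tmp} {net.with_prefixlen}" for net in nets)
        out.append(f"swap {tmp} {live}")    # atomic: the old contents move to tmp
        out.append(f"destroy {tmp}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    v4, v6, skipped = parse_deny_list(SAMPLE_CSF_DENY)
    print(build_restore_script(v4, v6))
    print("skipped:", skipped)
    n = 20_000_000  # the 20 million entries discussed in the quoted mail
    print(f"~{estimate_hash_bytes(n, pick_hashsize(n)) / 2**20:.0f} MiB for {n} entries")
```

Feed the output to `ipset -exist restore` and match the whole list with one rule, e.g. `iptables -I INPUT -m set --match-set csf_deny_inet src -j DROP` (and the `ip6tables` equivalent for the inet6 set); that single rule is what keeps the iptables chain short no matter how large the list grows. The trade-off the plugin text mentions follows directly from this: with one rule for the whole set, iptables no longer keeps per-IP packet and byte counters, so to see whether a given address is blocked you query the set (`ipset test csf_deny_inet 203.0.113.7`) instead of reading the chain.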
 
Thank you Brent.
I already read that part of CSF. But as said, at this time we have 1000 blocks on each of full and temp bans and no issues whatsoever.

> It's really popular on the other panel.
By many users of the other panel, you mean. It's not installed by default there either, and we never used it on cPanel. But it's good to hear it's popular.

Still various things are not clear to me:
1.)
> Note: If you mainly use IP address only entries in csf.deny,
We use both csf.deny and csf.tempdeny; I don't see anything about tempdeny mentioned here, and we use one as much as the other.

2.) It's not clear to me if it works well with clustering, and I'm not happy testing it without any experience on real live servers. At this moment I do not have a testing environment.

3.) I'm not a native English speaker, so this confuses me:
> some disadvantages are that you will
> no longer see packet and byte counts against IPs and it makes identifying
> blocked/allowed IPs that little bit harder
What exactly about identifying blocked/allowed IPs is getting harder? I do not even want to use allowed IPs except for the two people allowed to administer the server (the owner and myself) and maybe some uptime tool.
How do they mean "makes identifying blocked IPs a bit harder"? Because they are not in csf.deny, or what exactly is meant here?

It's not that I want to give the impression of advising against using this. It's only that I'm critical of using things which are not really needed yet and not quite known to me on live servers with customers.
Especially if they can block things. ;)
 
With IPSET we use limits set to 1000 just because we don't need more, though it's possible on servers.

[offtopic]: The Cambridge dictionary https://dictionary.cambridge.org/dictionary/english/crap lists the word as offensive, and here https://www.merriam-webster.com/dictionary/crap it is marked as vulgar. It is very rude when translated to Russian. I don't know how normal it is in the rest of the world; probably "stront" does not sound rude when it is used in the meaning of "excreted waste of humans or animals".
 
> [offtopic]: The Cambridge dictionary https://dictionary.cambridge.org/dictionary/english/crap lists the word as offensive, and here https://www.merriam-webster.com/dictionary/crap it is marked as vulgar. It is very rude when translated to Russian. I don't know how normal it is in the rest of the world; probably "stront" does not sound rude when it is used in the meaning of "excreted waste of humans or animals".

In the EU, FR: MERDE is in kind of common use. ;)

The sound is nice too; vulgar there, hmm.

But agreed, countries and languages could be difficult if on the edge for such things!
 
> @Eva2000: As I read from zEiTEr, they set it up when possible and required. At this moment we don't require it yet, and with 1000 on both full and temp bans we don't have issues yet. Pity that you never tested the cluster if you've already been using it for that many years. I would have thought more admins would use the cluster function.
> I'll test it when I implement ipset.

Yeah, test and see. I had an 8GB VPS handle 10,000+ blocked IPs in a 1.5Gbps WordPress pingback layer 7 DDoS attack with CSF Firewall and IPSET in place. Overall CPU utilisation was around 40-45% for the entire LEMP stack on a 4 CPU thread VPS.
 
> Yes, the install.sh script does not enable IPSET by default; we enable IPSET manually whenever it's possible and required.
Yeah, best not to, as not all servers will be using Linux kernels with IPSET support.
 