Filter Options

The number of filters is limited only by the resources available in Bash. Multiple line-wise searching through logfiles can easily try your patience given large files. You can optimize your search with more complex expressions and by regularly calling a logrotate script. At the end of iterating through all the filter rules, all IP addresses that were found are now stored in the ${IPS} variable. Each result that does not look like an IPv4 address is again subjected to targeted filtering (Listing 1, line 158). Sorting and counting multiple identical entries produces the data basis for further steps. Entries that occur less frequently than the number value in ${BLOCK_IP_THRESHOLD} will not be blocked and can be removed directly from the collection.

The first stage blocks all IP addresses that still exist in this list (lines 161 to 163). The insert_rule helper function adds the BLOCK_IP rule to the chain. In the second stage (lines 168 to 173), the script now sends all IP addresses as a bulk request to the IP-to-ASN service offered by Team Cymru. The prefixes listed in the reply are sorted and counted in line 173. If a prefix occurs less frequently than the value in the variable ${BLOCK_PREFIX_THRESHOLD}, it is removed. All remaining prefixes are then added to the BLOCK_PREFIX chain, and because the entries in the BLOCK_IP chain are no longer necessary, they are removed (lines 175 to 183).

The third optional stage of the script now checks for the occurrence of different prefixes of a single AS. For this, the script again uses the results from querying the IP-to-ASN service and this time filters and counts the ASNs from the return (line 188). If an AS occurs at least as often as configured in the ${BLOCK_ASN_THRESHOLD} variable, it then searches for all available prefixes belonging to this AS using the service provided by the University of Bonn and adds them one by one to the BLOCK_ASN chain (lines 190 to 198). Similarly, it removes the corresponding rules from the BLOCK_PREFIX chain, so they are not duplicated.

The end of the script removes the outdated entries from the chain if the iptables comment module is available (lines 203 to 212). The threshold value for removing the old entries is configured in the variable ${UNBLOCK_TIME}, which indicates the delta to the last insertion in seconds. Without the comment module, the entries disappear as soon as the IP addresses no longer appear in the logfile itself.

To update the packet filter regularly, run the script periodically as a cron job. Depending on the attack frequency, intervals of once a minute to every quarter of an hour makes sense. Regularly running logrotate prevents large logfiles and obsolete entries in the packet filter.

Conclusions

In this article, I described the structure of a script for restrictive automatic updates of the Linux packet filter based on free definable filter rules. When using tools for automatic adjustments, it is important to maintain your white lists or emergency rules that still allow the administrator access to the remote server system.