Detailed explanation of how to batch block malicious IP addresses under Linux to prevent attacks

In many cases, you may need to block IP addresses under Linux. For example, as an end user, you may want to be protected from spyware or IP tracking. If you are a system administrator, you may want to ban spam IP addresses from accessing your corporate mail server. Or you want to ban certain countries from accessing your web service for some reason. In many cases, however, your IP address blocking list can quickly grow to tens of thousands of IPs. How to deal with this?

Solution: ipset + iblocklist2ipset

Installation:

Official website: http://ipset.netfilter.org/install.html

The simplest method is yum installation, but the version of this method is relatively low and lacks some module parameters, so it is not recommended;

yum install ipset -y

Compile and install:

1. Dependency environment:

yum install libmnl libmnl-devel kernel-devel libtool-devel -y

(Installation method of new version: git pull git://git.netfilter.org/libmnl.git run ./autogen.sh)

(Note: If only When installing libmnl, the following error will appear:

checking for libmnl... configure: error: Package requirements (libmnl >= 1) were not met:
No package 'libmnl' found
Consider adjusting the PKG_CONFIG_PATH environment variable if you
installed software in a non-standard prefix.
Alternatively, you may set the environment variables libmnl_CFLAGS
and libmnl_LIBS to avoid the need to call pkg-config.
See the pkg-config man page for more details.
)

During compilation, it may be prompted that /lib/modules/2.6.32-431.el6.x86_64/source

After investigation Found that this soft link /lib/modules/2.6.32-431.el6.x86_64/build -->/usr/src/kernels/2.6.32-431.el6.x86_64 does not exist

Solution : Re-establish the soft connection

ln -sb /usr/src/kernels/2.6.32-573.3.1.el6.x86_64 /lib/modules/2.6.32-431.el6.x86_64/build

An error message is reported when running ./autogen.sh:

Cannot find /usr/share/libtool/

Solution: Install libtool- devel tool package can be yum install libtool-devel

2. Compile and install ipset (linux kernel source code (version >= 2.6.32))

wget -P /usr/local/src http://ipset.netfilter.org/ipset-6.26.tar.bz2
cd /usr/local/src && tar xjf ipset-6.26.tar.bz2 && cd ipset-6.26
./autogen.sh
./configure
make
make modules
make install 
make modules_install

Note: Different Linux kernels use different Version source code package

Note: linux kernel source code (version >= 2.6.16 or >= 2.4.36)

Compile and install:

wget -P /usr/local/src http://ipset.netfilter.org/ipset-4.5.tar.bz2
cd /usr/local/src && tar xf ipset-4.5.tar.bz2 && cd ipset-4.5
make KERNEL_DIR=http://img.xue163.com/lib/modules/$(shell uname -r)/build     #$(shell uname -r)使用shell命令获取
make KERNEL_DIR=http://img.xue163.com/lib/modules/$(shell uname -r)/build install

Commonly used Command:

ipset list 查看ip集列表信息
ipset create pythontab hash:ip maxelem 1000000  创建一个IP集pythontab，指定类型为hash:ip，设置ip集最多存储IP数为1000000
ipset add pythontab X.X.X.X  增加一个ip地址到IP集pythontab中去
ipset add pythontab X.X.X.X/24  增加一个网段到IP集pythontab中去
ipset dell pythontab X.X.X.X   删除IP集中指定的IP地址
ipset list 查看当前所有list
ipset save pythontab -f pythontab.txt  将IP集pythontab中的信息保存到当前文件目录下面的文件pythontab.txt中
ipset destroy pythontab   删除指定的IP集pythontab  
ipset restore -f pythontab.txt  将保存的pythontab.txt文件中的IP集信息重新导入到ipset中
其他命令参考 ipset --help
iptable命令参考：
iptables -I INPUT -m set --match-set pythontab src -p tcp --destination-port 80 -j DROP #拒绝ipset IP集pythontab中的地址访问服务器的80端口
service iptables save
service iptables restart

Automatic IP address disabling

Now you should see the power of IP collection. Maintaining IP blacklist is a tedious and time-consuming task. In fact, there are many free or. There are paid services that can do this for you. As an added bonus, let's see how to automatically add an IP blacklist to an IP set

Let's get the free blacklist from iblocklist.com#.

##Next I will use an open source Python tool called iblocklist2ipset to convert the blacklist into an IP set.

First, you need to install pip

Use the following command to install iblocklist2ipset.

$ pip install iblocklist2ipset

On some distributions such as Fedora, you may need to run:

$ python-pip install iblocklist2ipset

Now go to iblocklist.com and grab the URL of any P2P list (such as the "level1" list).

Download and unzip it, then save it as a txt file, for example, called pythontab.txt. Because iblocklist2ipset only supports url to obtain the list, put pythontab.txt in any directory of your website. For example: ipset directory

$ iblocklist2ipset generate --ipset pythontab "http://www.pythontab.com/ipset/pythontab.txt" > pythontab.txt

After running the above command, you will get a file named pythontab.txt. If you view its contents, you will see something like this:

create pythontab hash:net family inet hashsize 131072 maxelem 237302
add pythontab 1.2.4.0/24
add pythontab 1.2.8.0/24
add pythontab 1.9.75.8/32
add pythontab 1.9.96.105/32
add pythontab 1.9.102.251/32
add pythontab 1.9.189.65/32

You can load this file with the following ipset command:

$ ipset restore -f pythontab.txt

You can now view the automatically created IP set:

$ ipset list pythontab

This saves you the trouble of manual management.

Note that the version installed using yum under centos is not the latest version. It may not support the -f parameter and import the blacklist file, so it is recommended to use the source code package to install the latest version

The above is the detailed content of Detailed explanation of how to batch block malicious IP addresses under Linux to prevent attacks. For more information, please follow other related articles on the PHP Chinese website!