I'm trying to protect my mailserver from cn, ru, etc botnets. Would like to use ipset with iptables to block countries by CIDR network addresses, but can't get it to work with the kernel I'm on (3.5.2-linode45).

Messing with the kernel is over my head...can anyone walk me through getting it working? I'm comfortable with the ipset/iptables stuff once I can get ipset to run (been playing on a local machine.)

Thanks,

-Bart

I've never used ipset but on Ubuntu with iptables command I do this to ban 1 IP or a whole CIDR:

# banip.sh
#!/bin/sh

iptables -I INPUT -s $1 -j DROP
# that ^^^ line with a -D will remove a banned IP or CIDR
iptables-save -c > /etc/iptables.rules
exit 0

Then in use:

# call banip.sh for 1 IP
banip.sh 44.55.66.77

# call banip.sh for 256 IPs probably a small ISP
banip.sh 44.55.44.0/24

# call banip.sh for class B probably a large ISP
banip.sh 44.55.0.0/16

You can find out (usually) what the IP range is for an offending IP using whois on the IP. Sometimes the CIDR is listed. Sometimes just the range is listed so you can use free tools to find the actual CIDR. It might end up being something odd like 44.55.27.11/21.

None of those examples are correct, just showing what the format looks like. /16 is for a Class B though and /24 for Class (I think it's C).

Look online for sites that offer freely downloadable databases of known offending IPs and CIDR ranges.

Class B! Man, that's old-school stuff right there.

First, be advised that there is no relationship between source IP address and country of origin. Humans have evolved to detect patterns, even ones that aren't there, and that's what we've done with this whole "geolocation" concept. Also, there are ethical and moral implications for blocking entire countries.

That said, what exactly is ipset, and what exactly is it doing when it doesn't work?

_________________

/* TODO: need to add signature to posts */

Thanks, guys. Here's the backstory: another of my client's email accounts got hacked yesterday. Between about 1:30am and 9am, 22115 emails were sent through her account from 9351 unique IP addresses; most only sent one or two, and most of these addresses appear to be in eastern Europe and the far east. I run fail2ban on password failures, but that's not effective against these botnets because while a single IP may only attempt a couple times a day, the total number of attempts on an account in a day can be in the thousands.

My plan is to block countries' CIDR blocks using ipdeny's (http://www.ipdeny.com/ipblocks/) zone files for the countries to block. Even after aggregating the zone files with a perl script (from http://zwitterion.org/software/aggregat ... addresses/), the list is very big. Enter ipset, which provides a way to give iptables a hashed lookup mechanism for these large blocks of addresses. I want to do it this way for performance reasons and to keep my iptables config manageable as I will also continue to use fail2ban.

When trying to use ipset (apt-get install xtables-addons-common) I get this:

ipset v4.2: Kernel ip_set module is of protocol version 6.I'm of protocol version 4.
Please upgrade your kernel and/or ipset(8) utillity.

Then if I install just ipset (apt-get install ipset) I get this:

ipset v2.5.0: ipset kernel/userspace version mismatch
Perhaps ipset or your kernel needs to be upgraded.

help?

Thanks,

-Bart

Why not just fix the actual problem? Either your client is using a weak password, or they aren't keeping it a secret. This is not a problem iptables can fix.

_________________

/* TODO: need to add signature to posts */

I understand your sentiment, but I disagree about whether iptables can be a part of the solution to the problem. In this particular case, there's no evidence that her account was bruteforced; I don't believe she would have knowingly shared it, but who knows?

I know this: in the last 30 hours there have been 647 failed attempts on her account, from 601 unique IP addresses (details here: http://pastebin.com/R3hNXP79). There hadn't been a single failed attempt in the previous month before the botnet sent 22115 emails from 9351 unique addresses (details here: http://pastebin.com/zMdyt1u9). A whois lookup on a sample of these addresses seems to show that the vast majority of them are from a small number of countries.

I will appreciate anyone's advice about getting ipset working with iptables on my Debian Squeeze linode.

Thanks,

-Bart

Run a stock Debian kernel.

Excellent! Thank you, Vance; that's all I needed.

Did as described, looks good, testing now.

Regards,

-Bart