CentOS 7: ban bad IPs and networks with FirewallD
A couple of days ago, I stumbled upon a DDoS attack on a server I've been managing. A few dozen IPs had been repeatedly requesting the least cacheable pages, putting strain on the server.
If you find yourself in a similar situation, what can you do?
Let’s block the bad guys with the power of CentOS 7 standard firewall — FirewallD.
Meet FirewallD
CentOS 7 comes with a new firewall, FirewallD. It is actually a wrapper around iptables, and it lets you manage firewall rules using the concept of zones.
If you haven't already, install it, start it and enable it at boot time:
sudo yum -y install firewalld
sudo systemctl start firewalld
sudo systemctl enable firewalld
Investigate the bad guys
I took a few sample IPs which were hitting the server like crazy and used the whois utility to find out network information.
whois 95.211.246.234
Doing the same for all of those IP addresses, I could see what they had in common: the provider. Each whois output had this at the bottom:
route: 95.211.0.0/16
descr: LEASEWEB
origin: AS60781
remarks: LeaseWeb
mnt-by: LEASEWEB-NL-MNT
created: 2014-03-11T14:28:00Z
last-modified: 2015-09-30T23:00:04Z
source: RIPE
LeaseWeb, being a VPS provider, has no genuine website users coming from it, so it is fine to block.
In all probability, someone rented servers with them and used them for a bad cause.
Understand the drop FirewallD zone
By default, FirewallD comes with several predefined zones. I won't go into details about them, but rather point out the convenient drop zone. Its description:
Any incoming network packets are dropped, there is no reply. Only outgoing network connections are possible.
This is just what we want: accept no packets from those bad networks, yet still have the ability to talk to them, e.g. in case there is a server at LeaseWeb that hosts a useful API endpoint.
FirewallD also supports ipsets for efficient storage of many IP addresses and networks. While we're going to block only one network in our example, it's good to learn how to leverage ipsets for the task. This will come in handy later when we want to block lots and lots of IP addresses.
Ban Them All.
Let's get started and create our ipset, which will contain all the IP networks we want to block:
firewall-cmd --permanent --new-ipset=networkblock --type=hash:net --option=maxelem=1000000 --option=family=inet --option=hashsize=4096
firewall-cmd --reload
Now we add an entry to our ipset (with --permanent, so the entry is saved and is still there after the reload):
firewall-cmd --permanent --ipset=networkblock --add-entry=95.211.0.0/16
firewall-cmd --reload
And finally, let's add our ipset to the drop zone:
firewall-cmd --permanent --zone=drop --add-source=ipset:networkblock
firewall-cmd --reload
As you see, the commands are quite readable, and you can easily add more bad networks to ban someone else. You only need two lines:
firewall-cmd --permanent --ipset=networkblock --add-entry=142.4.192.0/19
firewall-cmd --reload
If you are very picky or know for sure that the offender is coming from a single IP, just use a /32 network (which corresponds to a single IP):
firewall-cmd --permanent --ipset=networkblock --add-entry=1.2.3.4/32
firewall-cmd --reload
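As an added example (my own script, not from the original post), here is a small POSIX shell script that ties the whole procedure together: it pulls the route: network out of whois output as shown in the LeaseWeb example, rejects anything that is not an IPv4 CIDR (single hosts must be written as /32), creates the networkblock ipset and attaches it to the drop zone only once, and adds each entry with --permanent so it survives --reload and a reboot. The file name ban-networks.sh, the DRY_RUN variable and the helper function names are assumptions of this example; it assumes firewall-cmd from firewalld and the whois utility are installed.

```shell
#!/bin/sh
# ban-networks.sh (added example, not from the original post): put networks into a
# FirewallD ipset bound to the "drop" zone. Assumes firewalld's firewall-cmd and the
# whois utility on CentOS 7. Set DRY_RUN=1 to print the commands instead of running them.

IPSET_NAME="${IPSET_NAME:-networkblock}"   # same ipset name as in the post
DRY_RUN="${DRY_RUN:-0}"

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Accept only IPv4 CIDRs (a.b.c.d/n). Single hosts must be written as /32, which is
# what a hash:net ipset expects and what the post recommends.
valid_cidr() {
    case "$1" in
        */*) ;;
        *) return 1 ;;
    esac
    ip=${1%/*}
    prefix=${1#*/}
    case "$prefix" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$prefix" -le 32 ] || return 1
    # Split on dots; anything other than exactly four 0-255 octets is rejected.
    set -- $(printf '%s' "$ip" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Read whois output on stdin and print the first announced route, i.e. the
# "route: 95.211.0.0/16" line from the post's LeaseWeb example.
route_from_whois() {
    awk '$1 == "route:" { print $2; exit }'
}

# Create the ipset and attach it to the drop zone once; skip if it already exists.
ensure_ipset() {
    if [ "$DRY_RUN" != 1 ] && firewall-cmd --permanent --get-ipsets 2>/dev/null \
            | tr ' ' '\n' | grep -qx "$IPSET_NAME"; then
        return 0
    fi
    run firewall-cmd --permanent --new-ipset="$IPSET_NAME" --type=hash:net \
        --option=family=inet --option=hashsize=4096 --option=maxelem=1000000
    run firewall-cmd --permanent --zone=drop --add-source="ipset:$IPSET_NAME"
}

# Add one network to the ipset. --permanent makes the entry part of the saved
# configuration, so it is still there after --reload and after a reboot.
ban_network() {
    if ! valid_cidr "$1"; then
        printf 'invalid IPv4 CIDR (single hosts need /32): %s\n' "$1" >&2
        return 1
    fi
    run firewall-cmd --permanent --ipset="$IPSET_NAME" --add-entry="$1"
}

# Arguments are CIDRs, or bare IPs that are first resolved to their whois route.
main() {
    ensure_ipset
    for target in "$@"; do
        case "$target" in
            */*) net=$target ;;
            *)   net=$(whois "$target" | route_from_whois) ;;
        esac
        ban_network "$net" || printf 'skipping %s\n' "$target" >&2
    done
    run firewall-cmd --reload
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run DRY_RUN=1 sh ban-networks.sh 95.211.0.0/16 142.4.192.0/19 first to see the exact firewall-cmd invocations; without DRY_RUN, run it as root to apply them. Passing a bare IP such as 95.211.246.234 makes the script ban the whole route that whois reports for it, which is the manual step from the investigation section, so double-check that the provider really has no legitimate users before doing that.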
That’s about it for today. Happy Internet wars :)
Originally published at GetPageSpeed.