Debian/Linux – automatically block all connections from Russia and China

I had already published a comprehensive article about a firewall script that is supposed to prevent flooding attacks and port scans, among other things.

However, it is also possible to block entire countries without maintaining IP lists, which also means there are no lists that need updating.

The current usual suspects or uninvited guests are in most cases Russia, Belarus and China. For this reason I have adapted the script from the original post accordingly.

IPs from Russia, Belarus and China are automatically blocked in this example. However, an exception is made for IPs from Cloudflare. Since cronjobs can run at most once per minute, the script uses a little trick: it loops for a maximum of 55 seconds. The last 5 seconds are left free to avoid overlapping runs.

If you want it even more “aggressive”, you can use a lockfile.

All this is too complicated for you? You can install the block script including the cronjob with this tutorial, or book me via my contact form for a reasonable hourly rate.

Instructions

First we have to make sure that all needed packages are installed:

apt-get update && apt-get install -y sudo geoip-bin iptables whois iptables-persistent net-tools

After that we create the needed files, set their permissions and open the script in the editor.

touch /root/test.sh && touch /root/test.log && touch /root/testcc.txt && chmod 775 /root/test.log && chmod 775 /root/testcc.txt && chmod 775 /root/test.sh && nano /root/test.sh

In the file opened by nano we paste the following code. Note that the email address in the code must be changed to your own. The alerts are sent with the mail command, which the package list above does not provide; on Debian it comes with the mailutils package.

#!/bin/bash
# Block connections from RU, BY (Belarus) and CN, except Cloudflare addresses.
# Loops for at most 55 seconds so that consecutive cron runs do not overlap.
MAILTO="admin@example.com"   # change this to your own address
WORKFILE=/root/testcc.txt    # absolute path, cron does not run in /root's cwd
end=$((SECONDS+55))

while [ $SECONDS -lt $end ]; do

    echo "Shellscript powered by lautenbacher.io"
    echo $SECONDS
    # bad countries RU CN BY - limit 1
    # Remote IPv4 addresses of ESTABLISHED sockets, counted per address ("count ip").
    # Only "tcp" lines are used: the cut on ':' cannot split IPv6 addresses.
    netstat -ant | grep -E '^tcp .*ESTABLISHED' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c > "$WORKFILE"
    sed -i 's/^[[:space:]]*//' "$WORKFILE"
    sed -i '/^$/d' "$WORKFILE"

    while read -r c d; do
        if [ "$c" -gt 0 ]; then
            # geoiplookup prints "GeoIP Country Edition: RU, Russian Federation";
            # field 4 is the ISO 3166-1 alpha-2 code with a trailing comma (Belarus is BY)
            badcountry=$(geoiplookup "$d" | awk '$4 == "RU," || $4 == "CN," || $4 == "BY," {print 1; exit}')

            if [[ $badcountry = "1" ]]; then
                # already blocked by an earlier pass: skip the whois lookup and the mail
                if sudo iptables -C INPUT -s "$d" -j DROP 2>/dev/null; then
                    continue
                fi
                echo "running geolookup"
                whoisdata=$(whois "$d")
                echo "checking ip $d"
                geoiplookup "$d"

                echo "try to add ip $d to blocklist"

                whoisvar=0
                if [[ "$whoisdata" == *"CLOUDFLARE "* ]]; then
                    whoisvar=1
                    echo "Cloudflare detected"
                fi

                if [[ "$whoisvar" != 1 ]]; then
                    sudo iptables -I INPUT -s "$d" -j DROP
                    hostvar=$(hostname)
                    printf '%s bad country host exceeded the connection limit of 1\n%s\n' "$d" "$whoisdata" \
                        | mail -s "Warning Message regarding $d on $hostvar" "$MAILTO"
                    echo "blocking $d"
                fi
            fi
        fi
    done < "$WORKFILE"

    sleep 1
done

I recommend running the script manually once to check that it is executable and works as expected:

/root/test.sh

If this worked, we create the cronjob in root's crontab (the script needs root for iptables):

crontab -e

We add the following line:

* * * * * /root/test.sh > /dev/null 2>&1

With this everything is done and the script fulfills its purpose. The DROP rules exist only in the running kernel: after a reboot an address is blocked again as soon as the script sees another established connection from it, or you can store the rules with netfilter-persistent save from the iptables-persistent package installed above.
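Before handing the script to cron, the part that decides what gets blocked can be exercised offline. The following is an added example, not code from the original post: it replays the script's netstat parsing, the geoiplookup country test and the Cloudflare whitelist check against a constructed netstat sample, using hypothetical stand-ins for geoiplookup and whois so nothing touches iptables.

```shell
# Constructed `netstat -ant` sample (RFC 5737 documentation addresses, not a real host).
NETSTAT_SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:22             198.51.100.7:51234      ESTABLISHED
tcp        0      0 10.0.0.5:443            203.0.113.9:40001       ESTABLISHED
tcp        0      0 10.0.0.5:443            203.0.113.9:40002       ESTABLISHED
tcp        0      0 10.0.0.5:443            192.0.2.44:33000        TIME_WAIT
tcp        0      0 10.0.0.5:443            192.0.2.80:33001        ESTABLISHED'

# Hypothetical stand-in for `geoiplookup <ip>`, printing the real tool's line format.
fake_geoiplookup() {
  case "$1" in
    203.0.113.9) echo "GeoIP Country Edition: RU, Russian Federation" ;;
    192.0.2.80)  echo "GeoIP Country Edition: CN, China" ;;
    *)           echo "GeoIP Country Edition: IP Address not found" ;;
  esac
}

# Hypothetical stand-in for `whois <ip>`; only 192.0.2.80 is made to look like Cloudflare.
fake_whois() {
  case "$1" in
    192.0.2.80) echo "OrgName:        CLOUDFLARE " ;;
    *)          echo "OrgName:        Example Hosting" ;;
  esac
}

# stdin: netstat -ant output -> "count ip" per remote IPv4 address with an ESTABLISHED socket
count_established() {
  awk '$6 == "ESTABLISHED" {print $5}' | cut -d: -f1 | sort | uniq -c | sed 's/^[[:space:]]*//'
}

# Verdict for one address: block, cloudflare (whitelisted) or allow.
# Field 4 of the geoiplookup line is the ISO code plus a comma, as in the script.
decide() {
  case "$(fake_geoiplookup "$1" | awk 'NR == 1 {sub(",", "", $4); print $4}')" in
    RU|BY|CN)
      case "$(fake_whois "$1")" in
        *"CLOUDFLARE "*) echo cloudflare ;;
        *)               echo block ;;
      esac ;;
    *) echo allow ;;
  esac
}

# Walk the sample the way the cron script walks testcc.txt: "ip count verdict" per line
dry_run() {
  printf '%s\n' "$NETSTAT_SAMPLE" | count_established | while read -r c d; do
    [ "$c" -gt 0 ] && echo "$d $c $(decide "$d")"
  done
}
```

Calling dry_run lists three addresses: the TIME_WAIT socket is ignored, 203.0.113.9 (two connections, RU) is the only one that would be blocked, and 192.0.2.80 is skipped because of the Cloudflare whitelist.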

2 Responses to “Debian/Linux – automatically block all connections from Russia and China”

  1. Would this also work for RedHat Linux? Looking at the code it seems pretty vanilla.

    john
