Debian/Linux – automatically block all connections from Russia and China

Debian/Linux – automatically block all connections from Russia and China

I had already published a comprehensive article about a firewall script that is supposed to prevent flooding attacks and port scans, among other things.

However, it is also possible to block entire countries from the outset – without IP lists. Of course, such IP lists would then no longer need to be updated.

The current usual suspects or uninvited guests are in most cases Russia, Belarus and China. For this reason I have adapted the script from the original post accordingly.

IPs from Russia, Belarus and China are automatically blocked in this example. However, an exception is made for IPs from Cloudflare. Since cronjobs are limited to 1 time per minute, the script uses a little trick whereby it runs for a maximum of 55 seconds. The last 5 seconds were left free to avoid overlaps.

If you want it even more “aggressive” you can use a lockfile.

All this is too complicated for you? You can installthe block script including the cronjob with this tutorial or book me via my contact form for a reasonable hourly rate.

Instructions

First we have to make sure that all needed packages are installed:

apt-get update && apt-get install -y sudo && apt-get install -y geoip-bin && apt-get install -y iptables && apt-get install -y whois && apt-get install -y iptables-persistent && apt-get install -y net-tools

After that we create the needed files, give file permissions and open the file.

touch /root/test.sh && touch /root/test.log && touch /root/testcc.txt && chmod 777 /root/test.log && chmod 777 /root/testcc.txt && chmod 777 /root/test.sh && nano /root/test.sh

In the file opened by nano we paste the following code. Attention the email address in the code should be changed.

#!/bin/bash
end=$((SECONDS+55))

while [ $SECONDS -lt $end ]; do

echo "Shellscript powered by lautenbacher.io"
echo $SECONDS
#bad countries RU CN BLR - limit 1
netstat -ant | egrep ':.*ESTABLISHED' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c > testcc.txt
sed 's/^[ t]*//' -i testcc.txt
sed '/^$/d' -i testcc.txt
while read c d; do
    if [[ $c > "0" ]]; then

bGF1dGVuYmFjaGVyLmlv=$(geoiplookup $d | awk -v ip="$d" '{FS=" "} {if($4 == "RU," || $4 == "CN," || $4 == "BLR,") {print 1}}')

 if [[ $bGF1dGVuYmFjaGVyLmlv = "1" ]]; then
echo "running geolookup"
bGF1dGVuYmFjaGVyLmlX=$(whois $d)
echo checking ip $d
geoiplookup $d

echo try to add ip $d to blocklist


whoisvar=0
if [[ "$bGF1dGVuYmFjaGVyLmlX" == *"CLOUDFLARE "* ]]; then
whoisvar=1
echo Cloudflare detected
fi

if [[ "$whoisvar" != 1 ]]; then
sudo iptables -I INPUT -s $d -j DROP
whois=$(whois $d)
hostvar=$(hostname)
mail -s 'Warning Message regarding '$d [email protected] <<< $d' bad country host exceeded the connection limit of 1'$whois
echo blocking $d
fi

 fi

   fi
done < testcc.txt

sleep 1
    :
done

I recommend everyone to test the script executability briefly and run the script manually:

/root/test.sh

If this worked we create the cronjob:

crontab -e

We add the following line:

*/1 * * * /root/test.sh > /dev/null 2>&1

With this everything is already done and the script fulfills its purpose.

Leave a Reply

Your email address will not be published. Required fields are marked *