• Linux, MIS, and Automatic IP Blocking (A Solution)

    From Scott Street@1:266/625 to All on Mon Jul 1 07:51:13 2024
    Hello fellow Mystic Sysops,

I'm a recent convert. I've been running Mystic for about a month now and finally connected to Fidonet (again). What sold me on Mystic was the server controls and the automatic IP blocking; in the last few weeks of having telnet and ssh ports available to the world, my deny list has reached nearly 1700 entries. I'm sure your systems are even greater.

    However, 'iptables' requires root privileges, and I didn't want to create a security issue (perceived or actual) by marking iptables as SUID or creating a SUID script that the mystic account could run. So I came up with this solution.

    -- MIS Event --
    Type : IP Blocked
    Shell: /home/mystic/mystic/mystic-firewall-add.sh @IP@
    (and so on)


    -/home/mystic/mystic/mystic-firewall-add.sh-
    #!/bin/bash
    # Run by the MIS "IP Blocked" event with the offending address in $1.
    # Runs as the mystic user, so it only queues the address for root to act on.
    logger "Mystic Firewall: queueing ${1}"
    printf '%s\n' "$1" >> /home/mystic/mystic/semaphore/iptables.add
    -eof-


    Now to make the root privileges work, I add a cron job that runs every 5 minutes, collecting the new addresses queued into the iptables.add, and run iptables to actually block them.
    -cron entry-
    # Mystic Firewall IP Blocker
    */5 * * * * /root/jobs/checkMysticFW.sh >/dev/null
    -eof-

    -/root/jobs/checkMysticFW.sh-
    #!/bin/bash
    # Runs from root's crontab every 5 minutes: drains the queue written by
    # mystic-firewall-add.sh and turns each address into an INPUT DROP rule.
    QUEUE=/home/mystic/mystic/semaphore/iptables.add
    if [ -f "$QUEUE" ]; then
        # Move the queue aside before reading it, so an address that MIS
        # appends while this job is running is not lost.
        mv "$QUEUE" "$QUEUE.$$"
        IPS=$(cat "$QUEUE.$$")
        rm "$QUEUE.$$"

        for IP in $IPS
        do
            logger "Firewall update: Adding $IP to INPUT DROP"
            # iptables needs the -j target to name the DROP action
            /usr/sbin/iptables -A INPUT -s "$IP" -j DROP
        done

        /usr/sbin/netfilter-persistent save
        RS=$?
        if [ $RS -eq 0 ]; then
            logger "Firewall Rules saved"
        else
            logger "**WARNING** Firewall Rules failed to save - Res: $RS"
        fi
    fi
    -eof-

    So, the basic flow of this process:
    1) MIS decides to block a given IP because it violates the connection attempt rules set in the individual server configuration table.
    2) MIS executes the "IP Blocked" event, which adds the IP to the list
    3) Every 5 mins, the cron job runs and adds all the queued IPs to the iptables input filter, and after the new list of IPs have been added, makes them persistent across restarts with netfilter-persistent.

    You can track the activity of this process using your system log - journalctl for me, I'm on Debian 12 (bookworm).

    I hope you find this useful, especially those of you running some flavor of Linux. Also: some filenames and directories have been changed from my actual ones to simplify this message.

    Scott Street (1:266/625@fidonet)
    Netmail private questions are welcome, and of course Echomail replies as well.


    --- MBSE BBS v1.0.8.4 (Linux-x86_64)
    * Origin: Agency HUB, Dunedin - New Zealand (1:266/625@fidonet)
  • From Christian Sacks@2:250/5 to Scott Street on Tue Jul 2 13:59:18 2024
    On 01 Jul 2024, Scott Street said the following...

    So, the basic flow of this process:
    1) MIS decides to block a given IP because it violates the connection attempt rules set in the individual server configuration table.
    2) MIS executes the "IP Blocked" event, which adds the IP to the list
    3) Every 5 mins, the cron job runs and adds all the queued IPs to the iptables input filter, and after the new list of IPs have been added, makes them persistent across restarts with netfilter-persistent.

    You can track the activity of this process using your system log - journalctl for me, I'm on Debian 12 (bookworm).

    I hope you find this useful, especially those of you running some flavor of Linux. Also: some filenames and directories have been changed from my actual ones to simplify this message.

    I think on the whole this is a nice approach, however what happens when Mystic accidentally blacklists your own IP, or itself? Then you have iptables blocking you out and you won't be able to get back in =)

    Can you modify that to only block on the ports you have for telnet/ssh to the BBS (assuming SSH to the BBS is different to SSH to the CLI)?

    .... Redundant book title: DOS For Dummies


    --- MBSE BBS v1.0.8.4 (Linux-x86_64)
    * Origin: Agency HUB, Dunedin - New Zealand (2:250/5@fidonet)
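    One way to take up the port-scoping question above on the root-side cron script, as an added example that is not Scott's script: it rejects anything in the mystic-writable queue that is not a plain IPv4 address (so the queue cannot smuggle extra iptables arguments), skips addresses found in the allowlist, and limits the DROP to the BBS ports so a mistaken entry cannot lock the sysop out of the host's own SSH. The paths, the ports 23/2222, the one-address-per-line allowlist format and DRY_RUN are assumptions.

```shell
#!/bin/sh
# Added example (not Scott's script): hardened drain of the iptables.add queue.
# Paths, BBS ports and allowlist format are assumptions; override via environment.
QUEUE=${QUEUE:-/home/mystic/mystic/semaphore/iptables.add}
ALLOWLIST=${ALLOWLIST:-/home/mystic/mystic/data/allowlist.txt}
BBS_PORTS=${BBS_PORTS:-23,2222}          # assumed telnet/ssh ports of the BBS only
IPTABLES=${IPTABLES:-/usr/sbin/iptables}

# Accept only a plain dotted-quad IPv4 address. The queue is writable by the
# mystic account, so anything else must never reach iptables as an argument.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    IFS=.; set -- $1; unset IFS
    [ $# -eq 4 ] || return 1
    for o; do [ "$o" -le 255 ] || return 1; done
}

# True when the address is listed (exact line match) in the allowlist file.
in_allowlist() {
    [ -f "$ALLOWLIST" ] && grep -qxF -- "$1" "$ALLOWLIST"
}

# iptables arguments that drop one address on the BBS ports only, leaving
# the host's own SSH port reachable even if the sysop's address is queued.
build_rule() {
    printf '%s' "-A INPUT -s $1 -p tcp -m multiport --dports $BBS_PORTS -j DROP"
}

# Rename the queue before reading it so addresses MIS appends meanwhile are
# kept. Prints one decision per line; applies rules unless DRY_RUN=1.
process_queue() {
    [ -f "$QUEUE" ] || return 0
    work="$QUEUE.$$"
    mv -- "$QUEUE" "$work"
    while read -r ip rest || [ -n "$ip" ]; do
        [ -n "$ip" ] || continue
        if ! valid_ipv4 "$ip"; then
            echo "reject $ip"
        elif in_allowlist "$ip"; then
            echo "skip $ip"
        else
            echo "block $ip"
            [ "${DRY_RUN:-0}" = 1 ] || $IPTABLES $(build_rule "$ip")
        fi
    done < "$work"
    rm -f -- "$work"
}
```

    Running it as root from the same 5-minute cron entry, followed by the netfilter-persistent save step, keeps the rest of the flow unchanged.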
  • From Scott Street@1:266/625 to Christian Sacks on Wed Jul 3 06:29:18 2024
    On 02 Jul 2024, Christian Sacks said the following...
    I think on the whole this is a nice approach, however what happens when Mystic accidentally blacklists your own IP, or it'self? Then you have iptables blocking you out and you won't be able to get back in =)

    Understood, and Mystic already has a solution built-in. Just be sure to add the addresses you commonly connect from to the mystic/data/allowlist.txt; that way the system will never lock you out. And, if you are using the 4 connections in 120 secs suggested setting, the likelihood of locking yourself out is pretty small. (unless of course you are testing ssh settings and you keep trying options that fail..., ask me how I know?!? :) )


    --- MBSE BBS v1.0.8.4 (Linux-x86_64)
    * Origin: Agency HUB, Dunedin - New Zealand (1:266/625@fidonet)
  • From Christian Sacks@2:250/5 to Scott Street on Wed Jul 3 20:41:35 2024
    On 03 Jul 2024, Scott Street said the following...

    fail..., ask me how I know?!? :) )

    We've _all_ been there. :')

    .... I have a really good memory, except it's short.


    --- MBSE BBS v1.0.8.4 (Linux-x86_64)
    * Origin: Agency HUB, Dunedin - New Zealand (2:250/5@fidonet)