Firewallscript zum FTP-Bruteforce-Attacken blocken


Hier ist nun ein kleines Firewallscript. Mit diesem Script kann man Bruteforce-Attacken für FTP loggen und auch blocken. Einfach Script kopieren, entsprechend anpassen und starten.



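  #!/bin/sh
  #
  # description: Enable iptables Firewalling
  #
  # processname: iptables
  # config: /etc/init.d/firewall
  #
  # Stateful INPUT filter with a per-source rate limit on new FTP control
  # connections: a source that opens more than FTP_HITS new connections to
  # port 21 within FTP_SECONDS seconds is logged ("FTP_Brute_Force: ") and
  # dropped. Note that this counts connection attempts, not failed logins,
  # so a legitimate client that opens many sessions quickly is treated the
  # same way as an attacker; tune FTP_HITS/FTP_SECONDS accordingly.
  #
  # Usage: firewall {start|stop|restart|status}
  #

  # SET FWDEBUG=0 TO MAKE IT WORK!
  # With FWDEBUG=1 every iptables/modprobe/rmmod call (and the ip_forward
  # write) is only printed; nothing on the host is changed.
  FWDEBUG=0

  NAME=iptables
  DESC="stateful firewall"

  # where is iptables?
  IPT=/sbin/iptables

  # where is modprobe?
  IM=/sbin/modprobe

  # where is rmmod?
  RMM=/sbin/rmmod
  TABLES="filter nat"

  # FTP conntrack helper (needed for passive/active data connections to be
  # RELATED): newer kernels name it nf_conntrack_ftp, older ones
  # ip_conntrack_ftp. The first name modprobe accepts is used.
  FTP_HELPERS="nf_conntrack_ftp ip_conntrack_ftp"

  # insert here your interface
  MAIN_IF="eth1"

  # here you can set trusted ip's or net
  # (space separated, e.g. "10.0.0.5 192.168.1.0/24"; the placeholder below
  # is detected and no trusted-host rules are added until it is replaced)
  TRUSTED="xxx.xxx.xxx.xxx"

  # FTP rate limit: block a source after FTP_HITS new connections within
  # FTP_SECONDS seconds
  FTP_HITS=5
  FTP_SECONDS=60


  if [ "$FWDEBUG" = "1" ]; then
    IPT="echo $IPT"
    IM="echo $IM"
    RMM="echo $RMM"
  fi


  case "$1" in
    start)
      if [ "$FWDEBUG" = "1" ]; then
        echo "NOT Starting $DESC. The following rules would be applied:"
      else
        printf '%s' "Starting $DESC: "
      fi

      # load kernelmodules (first helper name that loads wins)
      for mod in $FTP_HELPERS; do
        $IM "$mod" 2>/dev/null && break
      done

      # proc stuff: this box does not route, so forwarding stays off
      if [ "$FWDEBUG" = "1" ]; then
        echo "echo 0 > /proc/sys/net/ipv4/ip_forward"
      else
        echo 0 > /proc/sys/net/ipv4/ip_forward
      fi

      # flush all and set the defaultpolicy
      # (policies are set first so no unfiltered window opens while flushing)
      $IPT -P FORWARD DROP
      $IPT -P INPUT DROP
      $IPT -P OUTPUT ACCEPT
      for tbl in $TABLES; do
        $IPT -t "$tbl" -F
        $IPT -t "$tbl" -X
      done

      # new chains
      $IPT -N clean
      $IPT -N in_main
      # new chain for ftp-logging
      $IPT -N FTP_CHECK

      # clean reject: NetBIOS noise is dropped silently, everything else is
      # logged (rate limited to 1/sec) and rejected so scanners get an answer
      $IPT -A clean -p udp --dport 135:139 -j DROP
      $IPT -A clean -j LOG --log-prefix "rejected " -m limit --limit 1/sec
      $IPT -A clean -p tcp -j REJECT --reject-with tcp-reset
      $IPT -A clean -p udp -j REJECT --reject-with icmp-port-unreachable
      $IPT -A clean -j DROP

      # filter and sort INPUT
      $IPT -A INPUT -j DROP -m state --state INVALID
      $IPT -A INPUT -j ACCEPT -i lo
      # set INPUT for the FTP-Policy: every NEW FTP control connection passes
      # FTP_CHECK first. It sits after the lo rule on purpose, so local
      # connections are not counted toward the ban. A source below the limit
      # falls back into INPUT and is accepted by in_main.
      $IPT -A INPUT -p tcp --dport ftp -m state --state NEW -j FTP_CHECK
      $IPT -A INPUT -j in_main -i "$MAIN_IF"

      # main chain
      $IPT -A in_main -j ACCEPT -m state --state ESTABLISHED,RELATED
      $IPT -A in_main -j ACCEPT -p icmp ! --icmp-type redir

      # allow nrpe,ssh and snmp from TRUSTED
      # ($TRUSTED is deliberately unquoted: it is a space separated list)
      if [ "$TRUSTED" = "xxx.xxx.xxx.xxx" ]; then
        echo "warning: TRUSTED is still the placeholder, no trusted-host rules added" >&2
      else
        for host in $TRUSTED; do
          $IPT -A in_main -j ACCEPT -p tcp --dport ssh -s "$host"
          $IPT -A in_main -j ACCEPT -p udp --dport snmp -s "$host"
          $IPT -A in_main -j ACCEPT -p tcp --dport nrpe -s "$host"
        done
      fi

      # INSERT YOUR OWN RULES HERE!
      # this Policy check FTP-Bruteforce attacks:
      #  --set records the source address in the "FTP" list on every new
      #    connection;
      #  --update matches once that source has FTP_HITS entries within
      #    FTP_SECONDS, so the same condition first LOGs and then DROPs.
      # Because --update refreshes the last-seen timestamp, a blocked source
      # stays blocked as long as it keeps retrying.
      $IPT -A FTP_CHECK -m recent --set --name FTP
      $IPT -A FTP_CHECK -m recent --update --seconds "$FTP_SECONDS" --hitcount "$FTP_HITS" --name FTP -j LOG --log-prefix "FTP_Brute_Force: "
      $IPT -A FTP_CHECK -m recent --update --seconds "$FTP_SECONDS" --hitcount "$FTP_HITS" --name FTP -j DROP
      # now you can set your own rules
      # NOTE: the ssh and nrpe rules below accept from every source, which
      # makes the TRUSTED rules above redundant for those two ports; delete
      # them if ssh/nrpe should really be reachable from TRUSTED only.
      $IPT -A in_main -j ACCEPT -p tcp --dport ftp
      $IPT -A in_main -j ACCEPT -p tcp --dport ssh
      $IPT -A in_main -j ACCEPT -p tcp --dport smtp
      $IPT -A in_main -j ACCEPT -p tcp --dport domain
      $IPT -A in_main -j ACCEPT -p udp --dport domain
      $IPT -A in_main -j ACCEPT -p tcp --dport http
      $IPT -A in_main -j ACCEPT -p tcp --dport https
      $IPT -A in_main -j ACCEPT -p udp --dport ntp
      $IPT -A in_main -j ACCEPT -p tcp --dport imaps
      $IPT -A in_main -j ACCEPT -p tcp --dport nrpe

      # terminate chain: whatever was not accepted above is logged/rejected
      $IPT -A in_main -j clean

      # end of the rules

      if [ "$FWDEBUG" = "1" ]; then
        echo "PLEASE MODIFY $0"
      else
        echo "$NAME."
      fi
    ;;

    stop)
      printf '%s' "Stopping $DESC: "
      # open everything up before flushing, then unload the FTP helper
      $IPT -P INPUT ACCEPT
      $IPT -P OUTPUT ACCEPT
      $IPT -P FORWARD ACCEPT
      for tbl in $TABLES; do
        $IPT -t "$tbl" -F
        $IPT -t "$tbl" -X
      done
      for mod in $FTP_HELPERS; do
        $RMM "$mod" 2>/dev/null && break
      done

      echo "$NAME."
    ;;

    restart)
      "$0" stop
      "$0" start
    ;;

    status)
      for tbl in $TABLES; do
        echo "Statistics for table: $tbl"
        $IPT -t "$tbl" -nvL
      done
    ;;

    *)
      echo "Usage: $0 {start|stop|restart|status}" >&2
      exit 1
    ;;
  esac
  exit 0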

Einfach in eine Datei schreiben, nach /etc/init.d/ kopieren und ausführbar machen:

 chmod +x /etc/init.d/firewall

z.B.

Dann nur noch starten:

 /etc/init.d/firewall start

Einen Status könnt Ihr auch erhalten:

 /etc/init.d/firewall status

