I have a small Ubuntu 16.04 server set up on DigitalOcean, and I’m working on securing it as much as I can. As there’s no reason anyone from outside the country should be accessing it, I’ve been slowly gathering unwanted IP’s from various sources (IPdeny, Spamhaus, and so on), putting them in an ipset block set, and adding that set to iptables with a DROP action. So far, so good, right?
Well, I’m also running psad for a bit of extra security, and here’s where I notice potential issues. Despite my ipset lists that are supposedly set up properly, psad still regularly gets hits from IP addresses that should be blocked. I am not sure if it’s picking up something that’s already been blocked by ipset, or if it’s something that made it through my blocklists somehow.
Would someone mind doing a sanity check on my iptables settings and tell me if I’ve got everything in the right place? The relevant parts are below - thanks!
root@m:~# iptables -S -P INPUT DROP -P FORWARD ACCEPT -P OUTPUT DROP -N MYBLOCKS -N PSAD_BLOCK_FORWARD -N PSAD_BLOCK_INPUT -N PSAD_BLOCK_OUTPUT … <<default ufw -N rules>> … -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A INPUT -j MYBLOCKS -A INPUT -j PSAD_BLOCK_INPUT … <<default ufw -A rules>> … -A INPUT -j LOG --log-prefix "[IPTABLES] " --log-tcp-options -A FORWARD -j PSAD_BLOCK_FORWARD … <<default ufw forward rules>> … -A FORWARD -j LOG --log-prefix "[IPTABLES] " --log-tcp-options … <<default ufw output rules>> … -A MYBLOCKS -p tcp -m set --match-set myblockset1 src -j DROP -A MYBLOCKS -p tcp -m set --match-set myblockset2 src -j DROP -A MYBLOCKS -p tcp -m set --match-set myblockset3 src -j DROP -A MYBLOCKS -p tcp -m set --match-set myblockset4 src -j DROP … <<PSAD autoblocked IPs>> … <<remaining default UFW rules>>
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.
Want to learn more? Join the DigitalOcean Community!
Join our DigitalOcean community of over a million developers for free! Get help and share knowledge in Q&A, subscribe to topics of interest, and get courses and tools that will help you grow as a developer and scale your project or business.
Heya,
Is this the psad you are talking about: http://cipherdyne.org/psad/ ? This one seems like a monitoring system designed to gather info from iptables and display statistics and such and i’m guessing that it will display the ips from the blocklist as well as it is getting the data from iptables.
Regards, Alex