[How-to] IPset Blocking with CSF

1

Hi guys, many of you are already using CSF instead of stock iptables/fail2ban Hestia bundle.

Lupu did pretty decent job with firewall ipset integration in Hestia v1.2.0.

If you would like to achieve the very same functionality plus a lot more, then follow the below step-by-step tutorial, so that you don’t have to reinvent the wheel and/or say goodbye to CSF, but rather use its full potential.

Prerequisities:

  • Installed CSF
  • Installed ipset (apt install ipset)

Steps to enable IPset Blocking in CSF:

  1. nano /etc/csf/csf.conf
  2. Change “LF_IPSET” to “1”
  3. nano /etc/csf/csf.blocklists
  4. Append the below snippet
  5. csf -ra

CSF IPset Blocking snippet:

# Lupu’s Blacklists
PROJECTHONEYPOT|86400|0|https://www.projecthoneypot.org/list_of_ips.php?t=d&rss=1
TOREXITNODES|86400|0|https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.1.1.1
MAXMINDGEOIP|86400|0|Sample List of High Risk IP Addresses | MaxMind
BRUTEFORCES|86400|0|http://danger.rulez.sk/projects/bruteforceblocker/blist.php
SPAMHAUS|86400|0|https://www.spamhaus.org/drop/drop.lasso
CIARMY|86400|0|https://cinsscore.com/list/ci-badguys.txt
BLOCKLISTDE|86400|0|https://lists.blocklist.de/lists/all.txt
GREENSNOW|86400|0|https://blocklist.greensnow.co/greensnow.txt
FIREHOL|86400|0|https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level1.netset
STOPFORUMSPAM|86400|0|https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/stopforumspam_7d.ipset

You can now say goodbye to bruteforcers & spammers.
Don’t forget to share this tuto as well as Hestia among your sysadmin friends :smiley:

  • CSF + IPset
  • Using Hestia’s firewall bundle
0 voters
1 Like
2

Thanks for the info.

I think that the sources of bad IPs can be improved, e.g. the ProjectHoneypot RSS offers only 25 IPs (even after registering), Tor traffic isn’t by default malicious, one could add SpamHaus EDROP in addition to DROP etc.

A quick and easy way would be to use the 3 levels (level 1-3) provided by FireHOL, which in my case (even after blocking several whole countries) still only blocks 50-75% of the malicious traffic.

PS: Regarding your poll, I’m using neither CSF nor HestiaCP’s built-in firewall. Instead I’m using custom iptables + ipsets (geoip and various blacklists) + hashlimit module. But I will re-evaluate CSF in the near future to see if it might suit me.

1 Like
3

Great, thanks for input, kpv!

Would you mind sharing all of your blacklists?

Thanks.

4

As I wrote above, I use the 3 meta-lists from FireHOL (level 1-3):

However, when using these ipsets, I usually exclude the IPs of my own country and several other whitelisted ranges (e.g. Cloudflare, Gmail etc)

1 Like
5

AWS list is also a good one to block, though takes a little bit of scripting to update the list, primarily due to the list format.
https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html
Full of idiot hacking attempts and general scanning.

1 Like
6

@AlwaysSkint - Thanks for the list!

Actually with CSF - you don’t need to perform any scripting to parse this blacklist.
Parsing will be done automagically using CSF’s inbuilt parser.

Try it for yourself and let us know :slight_smile:

7

@martineliascz
Yeah? I run it through a script on one of my servers to get a simple text list of IPs, then add that to the bottom of csf.blocklists, for my other VPS/servers. The problem being that it also blocks the source of the list (being as it’s AWS)! So I temporarily exclude AWS, retrieve the list, then block it.
Note: some silly network uptime monitors use AWS for their agents. :-\

8

@AlwaysSkint - Yeah. It seems to me like you are reinventing the wheel here (via scripting). No need to do it with CSF, as it’s in my opinion best firewall ever (for VPS at least) and already offers all of those handy features.

Just append the following line & you are all set, no need to do any scripting:

  • AWS|86400|0|https://ip-ranges.amazonaws.com/ip-ranges.json
1 Like
9

@martineliascz
Never thought to try it, as it never crossed my mind CSF would parse the json.
Will give it a bash, thanks!

P.S. I’ve used CSF for over 15 years on WHM/cPanel, so there’s no need to convince me, at least. :smiley: Likewise mod_sec.

csf: IPSET creating set bl_AWS
DROP all opt – in * out * 0.0.0.0/0 → 0.0.0.0/0 match-set bl_AWS src
csf: IPSET creating set bl_6_AWS
DROP all opt in * out * ::/0 → ::/0 match-set bl_6_AWS src
AWS all opt – in !lo out * 0.0.0.0/0 → 0.0.0.0/0
AWS all opt in !lo out * ::/0 → ::/0

After a few CSF restarts, I’m not convinced it is parsing it. Here’s using my method:

csf: IPSET creating set bl_AWSIP
DROP all opt – in * out * 0.0.0.0/0 → 0.0.0.0/0 match-set bl_AWSIP src
csf: IPSET creating set bl_6_AWSIP
DROP all opt in * out * ::/0 → ::/0 match-set bl_6_AWSIP src
csf: IPSET loading set bl_AWSIP with 1863 entries
csf: IPSET loading set bl_6_AWSIP with 0 entries
AWSIP all opt – in !lo out * 0.0.0.0/0 → 0.0.0.0/0
AWSIP all opt in !lo out * ::/0 → ::/0

Admittedly IPv6 doesn’t appear to be added but I don’t tend to use v6 (yet), so hasn’t bothered me.

10

Tested AWS list with IPv4 and it was working for me.

1 Like
11

@AlwaysSkint - Furthermore you can check: /var/lib/csf/csf.block.AWS

Also issue: “ipset list” in terminal - this is what you should get (if IPv6 is disabled in CSF):
Name: bl_AWS
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 59736
References: 1
Number of entries: 2009
Members:
ip_addresses

12

Is this still working today?

13

Yes. Also implemented directly in the panel…