daniel/autofw
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
No description
18 commits 1 branch 0 tags 70 KiB
Find a file
Daniel Brahneborg 8b1c128a93 move source to src
2025-12-05 09:19:00 +01:00
src move source to src 2025-12-05 09:19:00 +01:00
.gitignore more files 2025-12-04 15:52:13 +01:00
LICENSE LICENSE 2025-12-04 15:36:37 +01:00
README.md README: clarified /16 block 2025-12-05 07:52:27 +01:00

README.md

AutoFW

This tool is inspired by fail2ban, but is simpler and less forgiving. You provide it with a list of whitelisted and blacklisted IP addresses and ranges, and its output is a list of commands to blacklist slightly larger IP ranges covering multiple IP addresses.

It assumes UFW for now.

Examples

  • For a.b.c.0 and a.b.c.1 you will get a block on a.b.c.0/31.
  • For a.b.c.0 and a.b.c.255 you will get a block on a.b.c.0/24.
  • You will also get a block on a.b.0.0/16, if there are at least 4 blacklisted IP blocks on the form a.b.z.0, for any z.

Building

First install some build tools. On Ubuntu you will run something like this:

  • apt-get install -y cmake libpcre2-dev make gcc

We use CMake.

  • cmake .
  • make

Some functions are perhaps overly general, but that is because they are taken directly from the EMG source code.

Usage

First you create a file autofw.whitelist, containing IP addresses and ranges that should always be allowed to connect to your server.

Then create a script that performs the tasks below. This can be run by cron.

  1. Collect all IP addresses and ranges to block into a new file, say autofw.badips. It may be a good idea to filter out entries in the whitelist.
  2. Run ufw insert 1 deny from $ip for each entry in autofw.badips. The ufw tool will automatically ignore duplicates.
  3. Collect all blacklisted addresses using the following command: ufw status verbose | grep DENY | awk '{print $4}' > autofw.blacklist
  4. Run ./autofw > ufw.updates.
  5. Run the ./ufw.updates script.
  6. Finally run ufw reload to activate the new rules.

Both the whitelist and blacklist can contain both individual IP addresses and ranges on the form a.b.c.d/e, where e is between 0 and 32. In our own installation at Braxo we also sort the list of bad IP addresses and remove duplicates, between steps 1 and 2. This way we can easily know if something has changed, or if we can just skip the rest of the steps.

To block machines trying to attack your SMTP server sending invalid commands, you can use a command such as the one below. Then simply add additional commands as needed, based on your own log files from whatever applications you are running.

cat /var/log/mail.log |
	grep 'non-SMTP command' |
	awk '{print $8}' |
	tr '[]' ' ' |
	awk '{print $2}' >> autofw.badips

If you run ufw insert 1 deny from x.y.z.w manually at some point, that IP will stay blocked. It will then possibly be merged with any of the other blocked IP addresses.

The output from ./autofw is a list of UFW commands. Here we assume we have blocked a.b.c.115 and a.b.c.116, and whitelisted e.f.g.h. The reason we first delete the rule for e.f.g.h and then add it back, is to make sure it comes first. This way whitelisted addresses can never be blocked.

yes | ufw delete deny from a.b.c.115/32
yes | ufw delete deny from a.b.c.116/32
ufw insert 1 deny from a.b.c.112/29
yes | ufw delete allow from e.f.g.h/32
ufw insert 1 allow from e.f.g.h/32

TODO

  • Dockerfile, for building x86 binaries on arm machines.
  • IPv6
  • Other firewall backends, such as raw iptables.