[HowTo] Protect your VestaCP server with badIPs.com and report IPs with Fail2ban on Debian
Use the badIPs list

Define your security level and category

You can get the IP address list by simply using the REST API. When you GET this URL:

https://www.badips.com/get/categories

you'll see all the different categories that are present on the service.

Second step, determine which score is right for you. Here is a quote from badips that should help (personally I took score = 3):

If you'd like to compile a statistic or use the data for some experiment etc. you may start with score 0.
If you'd like to firewall your private server or website, go with scores from 2. Maybe combined with your own results, even if they do not have a score above 0 or 1.
If you're about to protect a webshop or high traffic, money-earning e-commerce server, we recommend to use values from 3 or 4. Maybe as well combined with your own results (key / sync).
If you're paranoid, take 5.

Now that you have your two variables, build your link by concatenating them:

https://www.badips.com/get/list/{{SERVICE}}/{{LEVEL}}

Note: Like me, you can take all the services. Use "any" as the service name in this case.

The resulting URL is:

https://www.badips.com/get/list/any/3

Always fetch the list over HTTPS: whatever comes back is turned straight into firewall rules, and a list tampered with in transit could block your own addresses just as easily as the attackers'.
Let's create the script

Alright, when that's done, we'll create a simple script. It will:

Put our list in a temporary file.
(only once) create a chain in iptables.
Flush all the data linked to our chain (old entries).
Link each IP to our new chain.
When it's done, hook our chain into INPUT and FORWARD so that matching traffic is dropped. (The rules match on the incoming interface and the source address, so a jump from OUTPUT, as in the original version of the script, can never match and is left out.)
Remove our temp file.

Two things to keep in mind: every packet from a listed address is logged before it is dropped, so on a busy server keep an eye on the kernel log, and with two rules per address a large list takes a while to load.

Now we create the script for that:

cd /home/<user>/
vi myBlacklist.sh

Enter the following content into that file.
#!/bin/sh
# based on this version http://www.timokorthals.de/?p=334
_ipt=/sbin/iptables    # Location of iptables (might be correct)
_pub_if=eth0           # Device which is connected to the internet (check with "ip link" or ifconfig)
_droplist=droplist     # Name of chain in iptables (Only change this if you already have a chain with this name)
_level=3               # Block level: not so bad/false report (0) over confirmed bad (3) to quite aggressive (5) (see www.badips.com for that)
_service=any           # Logged service (see www.badips.com for that)
_input=$(mktemp) || exit 1   # Temporary file the list is downloaded to

# Get the bad IPs (over HTTPS, so the list cannot be swapped on the way)
wget -qO- "https://www.badips.com/get/list/${_service}/${_level}" > "$_input" || { echo "$0: Unable to download ip list."; rm -f "$_input"; exit 1; }

### Setup our black list ###
# Create the chain if it does not exist yet (first run), then flush the old entries
$_ipt -N "$_droplist" 2>/dev/null
$_ipt --flush "$_droplist"

# Filter out comments and blank lines and accept only plain IPv4 addresses:
# the list is remote data and must not reach the iptables command line unchecked.
grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' "$_input" | while read -r ip
do
    # Append everything to $_droplist
    $_ipt -A "$_droplist" -i "$_pub_if" -s "$ip" -j LOG --log-prefix "Drop Bad IP List "
    $_ipt -A "$_droplist" -i "$_pub_if" -s "$ip" -j DROP
done

# Finally, jump to our black list from the built-in chains. The rules above match on the
# incoming interface and the source address, so INPUT and FORWARD are where they can hit.
# Insert the jump only if it is not there yet, otherwise every cron run stacks another copy.
for chain in INPUT FORWARD
do
    $_ipt -C "$chain" -j "$_droplist" 2>/dev/null || $_ipt -I "$chain" -j "$_droplist"
done

# Delete your temp file
rm -f "$_input"
exit 0
When that's done, you should create a cronjob that will update our blacklist. It has to be root's crontab, because iptables needs root. For this, I used crontab and I run the script every day at 11:30 PM (just before my delayed backup).

crontab -e

30 23 * * * /home/<user>/myBlacklist.sh #Block BAD IPS

The cron fields are minute, hour, day of month, month and weekday, so 11:30 PM is "30 23" and not "23 30": an hour field of 30 is invalid and the job would never run.

Don't forget to chmod your script:

chmod +x myBlacklist.sh

Now that's done, your server/computer should be a little bit safer. You can also run the script manually like this:

cd /home/<user>/
./myBlacklist.sh

It should take some time (one iptables call per rule), so don't interrupt the script: the jump rules that actually activate the chain are only added in its last lines.
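Two things a practitioner would want on top of the script above: the downloaded list is remote, untrusted input and should be validated before any of it reaches the iptables command line, and a chain with two rules per address becomes slow once the list has tens of thousands of entries. The following is an added example, my own and not part of the original post or of VestaCP, that does both: filter_ipv4 keeps only well-formed IPv4 addresses, and apply_blacklist loads them into an ipset, so a single iptables rule matches the whole set and the swap replaces the old list atomically (there is never a moment with an empty chain). It assumes the ipset package is installed (apt-get install ipset) and uses the same list URL as the tutorial; the set name badips, the BADIPS_APPLY switch and the sample feed at the top are mine.

```shell
#!/bin/sh
# Added example: validate the badips feed and load it into an ipset.
# Run as-is to see the filter on a constructed sample; run with
# BADIPS_APPLY=1 (as root, ipset installed) to download and apply the real list.

SERVICE=any          # same values as in the tutorial's script
LEVEL=3
SET_NAME=badips      # hypothetical set name chosen for this example
LIST_URL="https://www.badips.com/get/list/${SERVICE}/${LEVEL}"

# Keep only lines that are a bare dotted-quad IPv4 address with every octet in 0..255.
# Blank lines, comments, hostnames and anything that looks like shell syntax are dropped,
# and the number of dropped lines is reported on stderr.
filter_ipv4() {
    awk '
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }            # trim whitespace
        $0 == "" || $0 ~ /^#/ { next }                         # blank lines and comments
        $0 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { bad++; next }
        {
            n = split($0, o, ".")
            ok = 1
            for (i = 1; i <= n; i++) if (length(o[i]) > 3 || o[i] + 0 > 255) ok = 0
            if (ok) print; else bad++
        }
        END { if (bad) print "filter_ipv4: dropped " bad " malformed line(s)" > "/dev/stderr" }
    '
}

# Load a file of validated addresses into the set and make sure one DROP rule references it.
# A staging set is filled first and then swapped in atomically, so traffic is never
# evaluated against a half-loaded or empty set.
apply_blacklist() {
    list_file=$1
    {
        echo "create ${SET_NAME} hash:ip -exist"
        echo "create ${SET_NAME}_new hash:ip -exist"
        echo "flush ${SET_NAME}_new"
        sed "s/^/add ${SET_NAME}_new /" "$list_file"
        echo "swap ${SET_NAME}_new ${SET_NAME}"
        echo "destroy ${SET_NAME}_new"
    } | ipset -exist restore
    # Insert the jump only if missing, so repeated cron runs do not stack rules (-C needs iptables >= 1.4.11)
    for chain in INPUT FORWARD; do
        iptables -C "$chain" -m set --match-set "${SET_NAME}" src -j DROP 2>/dev/null \
            || iptables -I "$chain" -m set --match-set "${SET_NAME}" src -j DROP
    done
}

# Constructed sample feed (not real badips data): two good entries, an out-of-range octet,
# a comment, a blank line, a hostname and an injection attempt.
SAMPLE_FEED='203.0.113.7
# comment line
999.1.1.1

198.51.100.42
evil.example
; rm -rf /'

# Filter the sample and return the accepted addresses, space separated.
demo_filter() {
    printf '%s\n' "$SAMPLE_FEED" | filter_ipv4 2>/dev/null | tr '\n' ' '
}

if [ "${BADIPS_APPLY:-0}" = "1" ]; then
    raw=$(mktemp) || exit 1
    clean=$(mktemp) || exit 1
    if ! wget -qO- "$LIST_URL" > "$raw"; then
        echo "download failed" >&2; rm -f "$raw" "$clean"; exit 1
    fi
    filter_ipv4 < "$raw" > "$clean"
    apply_blacklist "$clean"
    rm -f "$raw" "$clean"
else
    echo "accepted: $(demo_filter)"
fi
```

Without BADIPS_APPLY the script only runs the filter over the sample feed and prints the two addresses that survive; the same two functions can replace the download and loop in myBlacklist.sh, and the cron line stays as it is.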
Report IP addresses to badIPs with Fail2ban

In the second part of this tutorial, I will show you how to report bad IP addresses back to the badips.com website by using Fail2ban. The reporting is done by a Fail2ban action. Depending on your Fail2ban version you must use the first or the second section of this chapter; check the version with:

fail2ban-server --version

Fail2ban >= 0.8.12

If you have fail2ban version 0.8.12 or later, the badips action is already shipped in /etc/fail2ban/action.d/. In each jail whose bans you want to report, simply add it as a second action. Put the jail in jail.local rather than jail.conf (jail.conf is overwritten on package upgrades), and indent the continuation line of the multi-line value, otherwise fail2ban will not parse it:

[ssh]
enabled  = true
action   = iptables-multiport
           badips[category=ssh]
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6

As you can see, the category is ssh; take a look at https://www.badips.com/get/categories to find the correct category for each jail.
Fail2ban < 0.8.12

If the version is older than 0.8.12, you'll have to add the action yourself. It can be downloaded here: https://www.badips.com/asset/fail2ban/badips.conf

wget https://www.badips.com/asset/fail2ban/badips.conf -O /etc/fail2ban/action.d/badips.conf

With the badips.conf from above, you can either activate it per jail as above or enable it globally by adding it to banaction in the [DEFAULT] section (again, the continuation line must be indented; jail.local is the better place for this override):

cd /etc/fail2ban/
vi jail.conf

[DEFAULT]
...
banaction = iptables-multiport
            badips

Now restart fail2ban - it should start reporting from now on.

service fail2ban restart
Statistics of your IP reporting

Last step, not really useful... You can create a key. This one is useful if you want to see your data. Just copy/paste this and a JSON response will appear on your console:

wget https://www.badips.com/get/key -qO -

{
"err":"",
"suc":"new key 5f72253b673eb49fc64dd34439531b5cca05327f has been set.",
"key":"5f72253b673eb49fc64dd34439531b5cca05327f"
}

(The key shown is the one from my run; yours will be different.)

Then go to the badips website, enter your "key" and click "statistics". Here we go... all your stats by category.