The Saga of Country Blocking and TARPIT on Centos 5

Today I had plans to work on my pickup truck. It has a leaking clutch slave cylinder. It leaks so badly that now, it pees hydraulic fluid on the ground, just sitting in the driveway. I’ve got to change that thing but, today, it’s raining, and who wants to work under a vehicle, in the rain?

Not me, that’s for sure. So, I thought I’d add a little to my blog. We’ll see if anyone of consequence is interested in what I’ve got to say today.

When you run your own little network in your basement or, scattered through your house, as in my case, and that network has Internet-exposed servers running your personal web site, blog, DNS servers; you know, the usual stuff you might find at an ISP, the last things you want to contend with are the hordes of script kiddies, criminal Crackers, terrorist organizations, data miners, and belligerent government entities who seem to have made careers out of gobbling up all your bandwidth with their scans, probes, attempts to break in to your network, DoS attacks, trashing your web sites, data miners cataloging your network, and whatever the "Crack du jour" happens to be at the moment. There is, at least, a partial solution to these problems, and it comes courtesy of the Netfilter folks. I’m talking about Iptables, Xtables-addons, and Firewall Builder.

IPtables provides the framework for building comprehensive firewalls, and Xtables-addons provides the modules for the TARPIT and GeoIP targets. Firewall Builder is the best tool available for constructing the rule sets necessary to dispose of the vast majority of Internet Crackers and their ilk.

Now, if you know what I’m talking about here, and if you’re running Centos 5, you realize that not all of the tools are available to you. Or, are they?

When I noticed the number of crack attempts coming from places like Red China, Russia, North Korea, Eastern Europe, and Muslim countries in Asia and the Middle East, I started investigating ways to keep the hordes out.

I spent hours, days, and weeks using block lists of individual IPs and networks, which eventually became so large that it took as long as 20 minutes for my firewall to reboot. Clearly, that was the wrong approach.

So, I kept hunting.

I read about GeoIP, but that seemed to be more web server oriented, and more trouble to implement than I really wanted to contend with, and it didn’t protect the network from all the other cracking attempts out there.

The search continued.

Almost by accident, I stumbled upon Xtables-addons, and to my surprise, it had a GeoIP target. Unfortunately, there didn’t seem to be any packages available for Centos 5 with the latest iptables and kernels. I did find compatible iptables and Xtables-addons packages on the OpenFusion repo. Still, they wouldn’t work with the latest Centos 5 kernels.

What to do?

I began by creating a VirtualBox VM using the latest Centos 5. I installed the repo files for OpenFusion and RPMForge. Well, that wouldn’t work because of my kernel. So I manually downloaded and installed the following:

iptables-1.4.3.2-2.of.el5.i386.rpm

iptables-devel-1.4.3.2-2.of.el5.i386.rpm

iptables-ipv6-1.4.3.2-2.of.el5.i386.rpm

xtables-addons-1.15-1.of.el5.i386.rpm

kernel-module-xtables-addons-2.6.18-128.1.6.el5-1.15-1.of.el5.i386.rpm

kernel-2.6.18-128.1.6.el5.centos.plus.i686.rpm

kernel-devel-2.6.18-128.1.6.el5.centos.plus.i686.rpm

I had to versionlock the kernel and then I modified menu.lst to make 2.6.18-128 the default kernel to load. Then, after I configured the geoip module and downloaded and set up its databases (from MaxMind GeoIP; be sure to select the legacy database), I rebooted the VM.

To my surprise, everything still worked. I was ecstatic. The possibility of regaining control of my bandwidth and hardening my little network was becoming an achievable goal.

Now, I had to replicate that configuration on a live server. Sometimes, what works in a VM, takes a dump on a live server. Fortunately, I’ve been collecting computers since 1979 and just happened to have an old Dell 2850 with 4-ethernet interfaces that wasn’t doing anything of value, so it became the firewall test bed.

That worked too. Now, to modify one of my working servers.

I started with a web/DNS server and the new configuration worked there as well. I added a few rules to its iptables, geo-blocking China, to start. Then, I waited. Soon my screen was full of all manner of scans, probes, crack attempts, and DoS attacks that were being intercepted and dropped by the GeoIP module; and this was just from Red China!

So, I replicated the configuration on the primary firewall. Wow! I watched as more and more system resources and Internet bandwidth became available, as I added more countries to the geoip firewall rules. Make each country an individual rule as there’s a limit to how many a single rule can handle.

Having succeeded with GeoIP, I tested the TARPIT target on some IPs that constantly hammer on port 22 (ssh). We will let them waste their system resources thinking a TCP session is open when it’s not (the TARPIT target only works with TCP connections; use the DROP target for UDP). Nobody seeking to utilize my network resources for legitimate purposes will be knocking on ports 22 and 23. Only someone with nefarious intentions will do that. Hence, I clear my nose in their general direction and TARPIT their connections.
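To show how the per-country GeoIP rules and the TCP-only TARPIT rules above fit together, here is an added example script (mine, not the author's) that generates the rule set; it assumes the Xtables-addons xt_geoip and xt_TARPIT modules are installed with a converted legacy MaxMind database, and the country codes and ports are constructed sample input.

```shell
#!/bin/sh
# Added example, not the author's script: build the iptables rule set this post
# describes. Assumes xt_geoip and xt_TARPIT from Xtables-addons are installed and
# the legacy MaxMind GeoIP database has been converted for xt_geoip. Rules are
# printed, not applied; pipe the output into sh as root on the firewall.

# One GeoIP rule per country (the post notes a per-rule limit on countries).
# Country codes must be two upper-case letters, e.g. CN RU KP.
geoip_rules() {
    chain="$1"; shift
    for cc in "$@"; do
        case "$cc" in
            [A-Z][A-Z]) ;;
            *) echo "geoip_rules: bad country code '$cc'" >&2; return 1 ;;
        esac
        printf 'iptables -A %s -m geoip --src-cc %s -j DROP\n' "$chain" "$cc"
    done
}

# TARPIT handles TCP only, so each port gets a TCP TARPIT rule plus a UDP DROP
# rule. The raw-table NOTRACK rule keeps the deliberately held-open tarpit
# connections from filling the conntrack table.
tarpit_rules() {
    chain="$1"; shift
    for port in "$@"; do
        printf 'iptables -t raw -A PREROUTING -p tcp --dport %s -j NOTRACK\n' "$port"
        printf 'iptables -A %s -p tcp --dport %s -j TARPIT\n' "$chain" "$port"
        printf 'iptables -A %s -p udp --dport %s -j DROP\n' "$chain" "$port"
    done
}

# Full rule set: load the modules, block by country, then tarpit ssh and telnet.
build_ruleset() {
    echo 'modprobe xt_geoip'
    echo 'modprobe xt_TARPIT'
    geoip_rules INPUT "$@" || return 1
    tarpit_rules INPUT 22 23
}

# Constructed sample run: three blocked countries, ports 22 and 23 tarpitted.
build_ruleset CN RU KP
```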

Well, it looks like the rain has stopped, for the moment, at least. I think I’d better go get that slave cylinder replaced on my pickup, so I’ll close this for now. If any readers find this information useful: "You’re welcome."

Links

Xtables-addons: http://xtables-addons.sourceforge.net/

Xtables-addons modules: http://xtables-addons.sourceforge.net/modules.php

Xtables-addons man page: http://dev.medozas.de/files/xtables/xtables-addons.8.html

MaxMind GeoIP: http://geolite.maxmind.com/download/geoip/database

CentOS: http://www.centos.org/

OpenFusion Repo: http://repo.openfusion.net/centos5-i386/

Centos Vault repo: http://vault.centos.org/5.4/centosplus/i386/RPMS/
