Only a couple of days left in December, and I previously said I would both upload the project to GitHub and post it for Devember2021, so here it is.
Brutality Bonus (updated)
Brutal? How brutal? Well, of 3882 haxor URLs served to individuals @ 1k/s, these were over 100Mb:
101244928 = 28 hours
102637568
112189768
112914432
118325248
123443296
129685528
133234272
135237632
136433664
136470528
136470528
159956992
160206848
178102272
188473344
195564912
209518592
299053056 = 83 hours
What is it? SS:FragWhare
SSFW is a super simple firewall (for search purposes); Whare (farry) is Maori for house, so FragHaus. The brutality of SSFW comes from the setting of how many IPv4 occurrences it will scan for in sshd log entries and webserver logs, combined with a haxor list of known web URLs that try to commandeer your device, appliance or VM, and an (optional) “here, have this 4.5Gb file at 1K/s for your efforts” brutality bonus.
Because I have been testing this on my Linode server (signed up via the link in the news videos) for just over 6 months now, I have a pretty solid IPv4 block list and known-URLs capture list, which I am also making available as part of this project (a Devember Project Present, if you like).
It comes with some simple PHP “viewer” scripts that give you an idea and overview of what's going on and simplify IPv4 verification queries, with the filesystem being used to supply the extracted information (so they too can be web accessible if desired), including the total blocked IPv4 addresses along with how many were blocked in the last hour and last 24 hours (all of which is easier, quicker and simpler to do via the filesystem).
SSFW is meant for systems where the bloat of regular alternative firewall systems is otherwise not wanted, nor warranted. To that end, there is also a standalone version of the sshd (gerka) service script, if you don't need webserver protection.
SSFW is designed to be managed from within the webserver tree, as the webserver user, but does NOT use or assign sudo privileges.
The Plan
For #devember2021 my plan is to write an installer, which means I can finally upload the code and obfuscate any personal hardcoded names and locations, which would make it easy to detect and abuse if they were not randomised or unique at install time.
I figure I can do this in 4-ish days if I try really hard (maybe). The extra bits that I will add if there is time (or after the deadline) are the extended documentation and notes. In the meantime, all the scripts are documented in the code, and all bar one have full command-line help. Again, they have all been thoroughly tested for nearly 7 months now.
NOTE: the webserver testing and scripts have only been done with Nginx so far; others to come, as I only have one server atm. The nginx scripts can easily be adapted if others want to use them for other webservers. This is the other reason for supplying a “capture list”, which can be easily manipulated into the required format.
The Extras
I will be adding this text to the project, but an upfront notice is definitely required if you are NOT using this firewall system on a Linode server instance.
- the blocked IPv4 ranges include ALL DigitalOcean ranges bar one, and the new Microsoft Azure cloud ranges, as they get used and abused by attackers.
- there are a lot of blocked ranges and IP addresses that originate in the Netherlands and China, with some minor ranges from other parts of South East Asia and their surroundings, and some from the Balkans.
- if you try and fail any sshd connection or key exchange (kex), that IPv4 address will be blocked by default, based on the settings you use. 1 failed sshd attempt records the IP address 2-3 times in the log output. (Linode has remote + Weblish access, which allows this to be fixed if it causes a problem.)
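Added example (not part of the original post and not SS:FragWhare's own scripts, which are not shown here) of the two scans described above: counting IPv4 occurrences in sshd log lines against a threshold, and matching webserver request paths against a capture list. The log lines, the capture list, the allow-list parameter and the skipping of successful-login lines are all constructed or assumed for this illustration; the sample sshd lines show why one failed password attempt yields 3 occurrences while a refused key exchange yields 1, so the threshold setting decides which of the two gets blocked.

```sh
#!/bin/sh
# Added example, not SS:FragWhare's own code. Two pieces of the approach the
# post describes: (1) count IPv4 occurrences in sshd-style log lines and report
# addresses that reach a threshold, (2) match webserver request paths against
# a "capture list" of known probe URLs. Sample logs and the list are constructed.

# Constructed sshd lines in the usual syslog shape: one failed password login
# produces three lines for 203.0.113.7, a rejected key exchange produces one
# line for 198.51.100.9, and 192.0.2.5 is a successful admin login.
SSHD_LOG_SAMPLE='Dec 28 10:01:02 host sshd[1234]: Invalid user admin from 203.0.113.7 port 51234
Dec 28 10:01:02 host sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Dec 28 10:01:04 host sshd[1234]: Disconnected from invalid user admin 203.0.113.7 port 51234 [preauth]
Dec 28 10:02:11 host sshd[1250]: Unable to negotiate with 198.51.100.9 port 40022: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Dec 28 10:03:30 host sshd[1260]: Accepted publickey for paul from 192.0.2.5 port 55000 ssh2'

# Constructed nginx "combined" access-log lines.
NGINX_LOG_SAMPLE='203.0.113.7 - - [28/Dec/2021:10:05:00 +1300] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.23 - - [28/Dec/2021:10:05:03 +1300] "GET /wp-login.php?action=register HTTP/1.1" 404 153 "-" "python-requests/2.26"
192.0.2.5 - - [28/Dec/2021:10:06:00 +1300] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Dec/2021:10:06:30 +1300] "POST /boaform/admin/formLogin HTTP/1.1" 404 153 "-" "-"'

# Constructed capture list: request paths that only scanners ask for.
CAPTURE_LIST='/.env /wp-login.php /boaform/admin/formLogin'

# ssfw_block_candidates MIN [ALLOW]
# Reads log text on stdin and prints, sorted, every IPv4 address that occurs
# at least MIN times. ALLOW is a space-separated list of addresses never to
# report (your own admin hosts). Lines for successful logins are skipped so a
# legitimate user's address is not counted (an assumption of this example,
# not a documented SSFW setting).
ssfw_block_candidates() {
    awk -v min="$1" -v allow="$2" '
        # A dotted quad only counts as an address if each octet is 0-255; this
        # keeps things like "1.2.3.456" or odd version strings out of the counts.
        function valid_ip(ip,   p, i) {
            if (split(ip, p, ".") != 4) return 0
            for (i = 1; i <= 4; i++) if (length(p[i]) > 3 || p[i] + 0 > 255) return 0
            return 1
        }
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) if (a[i] != "") ok[a[i]] = 1 }
        /Accepted / { next }
        {
            line = $0
            while (match(line, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/)) {
                ip = substr(line, RSTART, RLENGTH)
                line = substr(line, RSTART + RLENGTH)
                if (valid_ip(ip) && !(ip in ok)) seen[ip]++
            }
        }
        END { for (ip in seen) if (seen[ip] >= min) print ip }
    ' | sort
}

# ssfw_url_hits LIST
# Reads combined-format access-log lines on stdin and prints "client path"
# for every request whose path (query string stripped) is in LIST.
ssfw_url_hits() {
    awk -v list="$1" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) if (a[i] != "") want[a[i]] = 1 }
        {
            split($0, q, "\"")       # q[2] is the quoted request: METHOD PATH PROTOCOL
            split(q[2], r, " ")
            path = r[2]
            sub(/[?].*/, "", path)
            if (path in want) print $1, path
        }
    '
}

# Demo run. A threshold of 2 catches the one failed password attempt (three
# log lines) but not the single kex refusal; a threshold of 1 catches both.
echo "sshd, threshold 2:"
printf '%s\n' "$SSHD_LOG_SAMPLE" | ssfw_block_candidates 2 "192.0.2.5"
echo "sshd, threshold 1:"
printf '%s\n' "$SSHD_LOG_SAMPLE" | ssfw_block_candidates 1 "192.0.2.5"
echo "capture-list hits:"
printf '%s\n' "$NGINX_LOG_SAMPLE" | ssfw_url_hits "$CAPTURE_LIST"
```

The output of either function is a plain list of addresses, which is the shape a block-list file or an iptables/ipset feed wants; the allow-list argument is the check worth keeping, because a pure occurrence count over a webserver log will otherwise happily nominate your own monitoring host.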
Yes, there are individually blocked IPv4 addresses from every single DigitalOcean range allocation, bar one, and they have some 30-50 range allocations covering millions of IPv4 addresses. I have verified 2 attempts from assigned Linode ranges; both were deallocated before or after I verified them (kudos to Linode for not allowing abuse via their networks).
By my calculations, both this firewall system and the block lists can be used in part or in conjunction with other “software”, like iptables or pihole, without conflicts.
- For those who are impatient you can get the standalone script here.
- For those interested in the project background there is a TL;DR list here.
Anyways
Wish me luck (I have regular+random power issues here).
Cheers
Paul