
wiz561

Occasional Visitor
I was wondering if you think it would be a problem to be doing constant updates to an ipset table.

I would like to pipe my snort data to the router/firewall and then have it auto add it to a block list. I believe ipsets are the way to go, but I'm not sure how it would handle numerous updates throughout the day.

Second question is how you would go about doing this. Is the best way to create the ipset first, then do a '-A' to add it to the list when it's fed an IP, then update iptables? Or add the list of IPs to a text file which a script runs to delete the old table, create a new one, add the IPs, then run the iptables command.

Thanks!
 

From personal testing this shouldn't have any performance impact on your connection; I have thousands of IPs being banned automatically every day by the following script.

Feel free to look through it as it has different functions to do all sorts of things and you can most likely base your script on it.

http://198.23.248.102/firewall ac.sh


##############################
#####Commands / Variables#####
##############################
UNBANSINGLE="unban" # <-- Remove Single IP From Blacklist
UNBANALL="unbanall" # <-- Unbans All IPs In Blacklist
REMOVEBANS="removeall" # <-- Remove All Entries From Blacklist
SAVEIPSET="save" # <-- Save Blacklists to /opt/tmp/ipset.txt
BANSINGLE="ban" # <-- Adds Entry To Blacklist
BANCOUNTRYSINGLE="country" # <-- Adds entire country to blacklist
BANCOUNTRYLIST="bancountry" # <-- Bans specified countries in this file
WHITELIST="whitelist" # <-- Add IPs from path to Whitelist
HIDEMYASS="hideme" # <-- Switch to unrestricted DNS (tunlr.net)
FINDMYASS="findme" # <-- Switch to Bigpond DNS (Default)
BACKUPRULES="backup" # <-- Backup IPSet Rules to /opt/tmp/ipset2.txt / Checks for firmware updates
##############################
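Both of the approaches asked about above (add one entry at a time with the set already hooked into iptables, or rebuild the whole list from a text file) can be done without ever dropping the firewall rule. The script below is an added example written for this thread, not the poster's firewall script: the set name snort_block, the 24h entry timeout, the hash sizes and the use of `-m set --match-set` (needs the xt_set match; older firmware used `-m set --set`) are all assumptions. Single IPs go in with `ipset -exist add` so a repeated Snort hit is harmless; a full rebuild is loaded into a second set with `ipset restore` and then swapped in atomically, so the old list stays active until the new one is ready. The sample blocklist in the demo is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): keep an ipset blocklist fed from Snort.
# BL_SET, IPSET and IPTABLES paths are assumptions; override via the environment.
BL_SET=${BL_SET:-snort_block}
IPSET=${IPSET:-ipset}
IPTABLES=${IPTABLES:-iptables}
CREATE_OPTS="hash:ip family inet hashsize 4096 maxelem 65536 timeout 86400"

# valid_ipv4 ADDR -> 0 if ADDR is a dotted quad with every octet in 0-255
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*|"") return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# is_private ADDR -> 0 for RFC1918 and loopback ranges, which we never want to ban
# (assumption: the LAN behind the router lives in one of these)
is_private() {
    case "$1" in
        10.*|127.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# ensure_set: create the set once (-exist makes re-runs harmless) and insert the
# DROP rule only if it is not already present (iptables -C = check)
ensure_set() {
    $IPSET -exist create "$BL_SET" $CREATE_OPTS
    for chain in INPUT FORWARD; do
        $IPTABLES -C "$chain" -m set --match-set "$BL_SET" src -j DROP 2>/dev/null \
            || $IPTABLES -I "$chain" -m set --match-set "$BL_SET" src -j DROP
    done
}

# ban_ip ADDR: incremental path, one entry per Snort hit; repeats just refresh the timeout
ban_ip() {
    valid_ipv4 "$1" || { echo "skip, not an IPv4 address: $1" >&2; return 1; }
    is_private "$1" && { echo "skip, private or loopback: $1" >&2; return 1; }
    $IPSET -exist add "$BL_SET" "$1"
}

# restore_script: read one address per line on stdin and print an `ipset restore`
# batch (create + add lines only, the format `ipset save` produces) for a staging set
restore_script() {
    tmp="${BL_SET}_tmp"
    echo "create $tmp $CREATE_OPTS"
    while read -r ip _; do
        valid_ipv4 "$ip" && ! is_private "$ip" && echo "add $tmp $ip"
    done
}

# rebuild_from_file FILE: full-rebuild path; the live set is replaced in one swap
rebuild_from_file() {
    tmp="${BL_SET}_tmp"
    $IPSET destroy "$tmp" 2>/dev/null
    restore_script < "$1" | $IPSET -exist restore
    $IPSET swap "$tmp" "$BL_SET"
    $IPSET destroy "$tmp"
}

# demo_restore_script: constructed sample list showing what the batch looks like
demo_restore_script() {
    printf '203.0.113.7\n10.0.0.1\nnot-an-ip\n198.51.100.9 trailing comment\n' | restore_script
}

case "${1-}" in
    setup)   ensure_set ;;
    ban)     ensure_set; ban_ip "$2" ;;
    rebuild) ensure_set; rebuild_from_file "$2" ;;
esac
```

Usage: `sh blocklist.sh setup` once at boot, `sh blocklist.sh ban 203.0.113.7` per alert, or `sh blocklist.sh rebuild /path/list.txt` to reload a file. The `timeout` on the set means entries expire by themselves after a day unless Snort keeps hitting them, which keeps the set from growing without bound; raise `maxelem` if you expect more than 65536 live entries, since `add` fails once the set is full.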
 
Thanks for the script, it gives me a few ideas.

I'm running into some problems trying to figure out how to start the job. I can ship the alert to the asus box through syslog or mount a file on a share. What can I do to monitor the syslog and insert a rule?

I've tried to look at the perl modules available, and there's not that much there. I thought about inotify, but I don't think I can read the last line in.

I basically want it to watch or tail a file and do something when a new line pops up.

Thanks in advance.
 

Hard to give you a general solution as I'm not exactly sure what you're setting up. Feel free to post what you have so far and how "in sync" you need this list to be so I can get a better idea.
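For the "watch a file and do something when a new line pops up" part, no perl module or inotify is needed: busybox `tail -F` on the router follows the file across rotations, and the alert lines themselves carry the source address. The script below is an added example, not code from either poster: it assumes Snort's fast or alert_syslog output (both end in `{PROTO} SRC[:PORT] -> DST[:PORT]`), a log path `/tmp/syslog.log`, a ban command that takes an IP as its first argument (the `ban` sub-command of a firewall script is a placeholder), and that only alerts of priority 1 or 2 are worth a ban. The sample alert lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): follow a Snort alert log and hand each new
# alert's source address to a ban command. ALERT_LOG, BAN_CMD and MAX_PRIORITY are
# assumptions for this example.
ALERT_LOG=${ALERT_LOG:-/tmp/syslog.log}
BAN_CMD=${BAN_CMD:-/jffs/scripts/firewall ban}   # hypothetical; anything taking an IP as $1
MAX_PRIORITY=${MAX_PRIORITY:-2}                   # ban on priority 1 and 2 only (lower = worse)

# alert_src_ip LINE: print the source address of a fast-format or syslog-format Snort
# alert. Both end in "{PROTO} SRC[:PORT] -> DST[:PORT]". Returns 1 if LINE is not an alert.
alert_src_ip() {
    brace='} '
    tail_part=${1##*"$brace"}             # text after the last "} ", i.e. after {PROTO}
    case "$tail_part" in
        *" -> "*) ;;
        *) return 1 ;;
    esac
    src=${tail_part%% *}                  # "203.0.113.5:4444" or bare "203.0.113.5"
    src=${src%%:*}
    case "$src" in
        *[!0-9.]*|"") return 1 ;;
    esac
    printf '%s\n' "$src"
}

# alert_priority LINE: print the [Priority: N] value, or 99 if the line has none
alert_priority() {
    case "$1" in
        *"[Priority: "*) p=${1##*"[Priority: "}; printf '%s\n' "${p%%]*}" ;;
        *) echo 99 ;;
    esac
}

# select_bans: read alert lines on stdin, print one IP per line for alerts at or above
# MAX_PRIORITY, skipping addresses already printed during this run (ipset -exist would
# tolerate repeats anyway; this just avoids forking the ban command for every hit)
select_bans() {
    seen=" "
    while IFS= read -r line; do
        ip=$(alert_src_ip "$line") || continue
        [ "$(alert_priority "$line")" -le "$MAX_PRIORITY" ] || continue
        case "$seen" in *" $ip "*) continue ;; esac
        seen="$seen$ip "
        printf '%s\n' "$ip"
    done
}

# watch_alerts: start at the current end of the log (-n 0) so old alerts are not replayed,
# keep following across rotation (-F), and ban each selected source
watch_alerts() {
    tail -n 0 -F "$ALERT_LOG" | select_bans | while IFS= read -r ip; do
        $BAN_CMD "$ip"
    done
}

# Constructed sample: one fast-format alert, one syslog-format ICMP alert, one repeat,
# and one unrelated syslog line. Only the first source should come out.
demo_select_bans() {
    printf '%s\n' \
      '08/15-12:34:56.789012  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.5:4444 -> 192.168.1.10:51234' \
      'Aug 15 12:35:01 sensor snort[1234]: [1:384:8] ICMP PING [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.7 -> 192.168.1.10' \
      '08/15-12:35:10.000001  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.5:4445 -> 192.168.1.10:51235' \
      'Aug 15 12:35:12 sensor cron[55]: job finished' \
    | select_bans
}

case "${1-}" in
    watch) watch_alerts ;;
    demo)  demo_select_bans ;;
esac
```

Run it as `sh watch_alerts.sh watch` from a startup script, or pipe the syslog in directly if you ship the alerts over the network. The `seen` list only lives for the life of the process, so it grows with the number of distinct attackers seen since start; restart the watcher daily (or drop the dedupe and rely on `ipset -exist`) if that matters on a router with little RAM.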
 
