yumupgrades for production use, this is the repository for you.
Active subscription is required.
A couple of days ago, I have stumbled upon a DDoS attack with a server I’ve been managing. Few dozens of IPs have been repeatedly accessing the least cacheable pages causing server strain.
If you were in a similar situation, you ask yourself what can you do?
Let’s block the bad guys with the power of CentOS 7 standard firewall – FirewallD.
Starting from CentOS/RHEL 7, a new firewall is bundled with the operating system – FirewallD.
It is actually a wrapper for the kernel’s net filtering module.
FirewallD allows you to manage the firewall rules using the concept of zones.
If you haven’t already, install it, run it and enable at boot time.
sudo yum -y install firewalld sudo systemctl start firewalld sudo systemctl enable firewalld
Investigate the bad guys
Finding the offending IP addresses is relatively easy. Say you are hosting a website powered by NGINX.
While having an unexpected load issue, trying to look up a few IP addresses from
access.log usually confirms that the traffic does not have a genuine nature.
To get back to the sane load, see if those offending IP addresses belong to the same network for bulk blocking.
I took a few sample IPs which were hitting the server like crazy and used
whois utility to find out network information.
sudo yum -y install whois whois 184.108.40.206
Doing the same for all of those IP addresses I could see what was in common for them – the provider. Each
whois output had this at the bottom:
route: 220.127.116.11/16 descr: LEASEWEB origin: AS60781 remarks: LeaseWeb mnt-by: LEASEWEB-NL-MNT created: 2014-03-11T14:28:00Z last-modified: 2015-09-30T23:00:04Z source: RIPE
The LeaseWeb, being a VPS provider, has no genuine website users coming from it. So is fine to be blocked.
In all probability, someone rented servers with them and used this for a bad cause.
Quick and simple blocking with
The new utility program for FirewallD is
fds. You can use it to easily block single IP addresses, entire networks, and even countries
fds by running:
sudo yum -y install https://extras.getpagespeed.com/release-latest.rpm sudo yum -y install fds
Block a single IP:
sudo fds block 18.104.22.168
Block a network:
sudo fds block 22.214.171.124/16
Block a country:
sudo fds block China
fds utility makes it very easy to block arbitrary networks.
You can also perform the same blocking using a lower-level
For details, read further.
Understand the drop FirewallD zone
By default, Firewalld comes with several predefined zones. I won’t go into details about them, but rather say that there is a convenient
drop zone. Its description:
Any incoming network packets are dropped, there is no reply. Only outgoing network connections are possible.
This is just what we want. Accept no packets from those bad networks, yet still, have the ability to talk to them, e.g. in case, there is a server at LeaseWeb that hosts a useful API endpoint, etc.
FirewallD also supports ipsets for efficient storage of many IP addresses and networks. While we’re going to block only one network in our example, it’s good to learn how to leverage ipsets for the task. This will come in handy when we want to block lots and lots of IP addresses further.
Let’s get started and create our ipset which will contain all the IP networks we want to block:
firewall-cmd --permanent --new-ipset=networkblock --type=hash:net --option=maxelem=1000000 --option=family=inet --option=hashsize=4096
Next, we add our ipset to the
drop firewall zone:
firewall-cmd --permanent --zone=drop --add-source=ipset:networkblock
Apply all the changes now with:
Ban a network
In our case, we want to block the network
126.96.36.199/16. To ban it from our server, we simply add this network to our
firewall-cmd --permanent --ipset=networkblock --add-entry=188.8.131.52/16 firewall-cmd --reload
As you see, the commands are quite readable and you can easily add more bad networks for banning someone else. You will only need two lines. To add another network to ban list:
firewall-cmd --permanent --ipset=networkblock --add-entry=184.108.40.206/19 firewall-cmd --reload
firewall-cmd --permanent --ipset=networkblock --add-entry=220.127.116.11/24 firewall-cmd --reload
If you are very picky or know for sure that the offender is coming from a single IP, just use
/32 network (which corresponds to a single IP):
firewall-cmd --permanent --ipset=networkblock --add-entry=18.104.22.168/32 firewall-cmd --reload
Bulk Blocking many IP addresses
If you have a list of IP addresses to block (text file, each IP on a separate line), you can easily import that to your block list:
firewall-cmd --permanent --ipset=networkblock --add-entries-from-file=/path/to/blocklist.txt firewall-cmd --reload
We now know how to ban entire networks using FirewallD.
If you want to exclude specific IP addresses from blocking, read on how to whitelist IP addresses in FirewallD.
That’s about it for today. Happy Internet wars 🙂