* How to view blacklist ip ?
From: J. Bakshi @ 2009-09-07 5:57 UTC (permalink / raw)
To: netfilter
Hello,
I am using blacklist like
``````````
iptables -A INPUT -m recent --name blacklist --rcheck --seconds
$BLACKLIST_INTERVAL -j DROP
```````````
and it is working really well. But is there any way to manage the
blacklisted ip ? Manage means
1> view the ips which are blacklisted
2> manually remove an IP from blacklist
3> manually insert an IP as blacklist
* Re: How to view blacklist ip ?
From: Anatoly Muliarski @ 2009-09-07 6:01 UTC (permalink / raw)
To: J. Bakshi; +Cc: netfilter
See ipset.netfilter.org
--
Best regards
Anatoly Muliarski
* Re: How to view blacklist ip ?
From: J. Bakshi @ 2009-09-07 6:09 UTC (permalink / raw)
To: Anatoly Muliarski; +Cc: netfilter
Anatoly Muliarski wrote:
> See ipset.netfilter.org
Thanks. ipset needs kernel compilation to support it, along with
iptables compilation too. I am working on a remote production suse box
so I can't have that much liberty. Any workarounds within iptables
itself ?
thanks for your time.
* Re: How to view blacklist ip ?
From: Pascal Hambourg @ 2009-09-07 7:33 UTC (permalink / raw)
To: netfilter
Hello,
J. Bakshi wrote:
> iptables -A INPUT -m recent --name blacklist --rcheck --seconds
> $BLACKLIST_INTERVAL -j DROP
>
> and it is working really well. But is there any way to manage the
> blacklisted ip ? Manage means
man iptables
> 1> view the ips which are blacklisted
Read /proc/net/ipt_recent/<name>.
> 2> manually remove an IP from blacklist
Write "-a.b.c.d" into /proc/net/ipt_recent/<name> where a.b.c.d is the
address to remove. You can also write "clear" to flush the list.
> 3> manually insert an IP as blacklist
Write "+a.b.c.d" or "a.b.c.d" into /proc/net/ipt_recent/<name> where
a.b.c.d is the address to add or update.
Warning: ipt_recent may have been renamed xt_recent in recent kernels.
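The three operations Pascal lists, wrapped in a small POSIX shell script; this is an added example, not code from the thread or from the netfilter project. The script name recentctl.sh, the RECENT_DIR and LIST variables, the xt_recent/ipt_recent directory probe and the address check are my additions, and it assumes the rule's --name is `blacklist`.

```shell
#!/bin/sh
# Added example: wrappers around the /proc/net/ipt_recent/<name> interface.
# Reading the file lists the entries; writing "+a.b.c.d", "-a.b.c.d" or
# "clear" into it adds, removes or flushes. RECENT_DIR can be overridden
# (e.g. pointed at a scratch directory); otherwise xt_recent is probed
# first because of the rename Pascal mentions.
if [ -z "${RECENT_DIR:-}" ]; then
    for d in /proc/net/xt_recent /proc/net/ipt_recent; do
        if [ -d "$d" ]; then RECENT_DIR=$d; break; fi
    done
fi
RECENT_DIR="${RECENT_DIR:-/proc/net/ipt_recent}"
LIST="${LIST:-blacklist}"          # the --name used in the iptables rule

list_file() { printf '%s/%s\n' "$RECENT_DIR" "$LIST"; }

# Only a dotted-quad IPv4 address with octets 0..255 is written into the
# kernel interface; anything else is rejected before the echo.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$1" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# 1> view: the src= field of every entry, one address per line
blacklist_show() {
    sed -n 's/^src=\([0-9.]*\) .*/\1/p' "$(list_file)"
}

# 3> insert an address (or refresh its timestamp if already listed)
blacklist_add() {
    valid_ipv4 "$1" || { echo "not an IPv4 address: $1" >&2; return 2; }
    echo "+$1" > "$(list_file)"
}

# 2> remove one address
blacklist_del() {
    valid_ipv4 "$1" || { echo "not an IPv4 address: $1" >&2; return 2; }
    echo "-$1" > "$(list_file)"
}

# flush every entry
blacklist_clear() { echo clear > "$(list_file)"; }

# Usage (as root): recentctl.sh show | add 1.2.3.4 | del 1.2.3.4 | clear
if [ $# -gt 0 ]; then
    case "$1" in
        show)  blacklist_show ;;
        add)   blacklist_add "$2" ;;
        del)   blacklist_del "$2" ;;
        clear) blacklist_clear ;;
        *)     echo "usage: $0 show|add IP|del IP|clear" >&2; exit 1 ;;
    esac
fi
```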
* Re: How to view blacklist ip ?
From: J. Bakshi @ 2009-09-07 7:43 UTC (permalink / raw)
To: Pascal Hambourg; +Cc: netfilter
Pascal Hambourg wrote:
> Hello,
>
> J. Bakshi wrote:
>
>> iptables -A INPUT -m recent --name blacklist --rcheck --seconds
>> $BLACKLIST_INTERVAL -j DROP
>>
>> and it is working really well. But is there any way to manage the
>> blacklisted ip ? Manage means
>
> man iptables
>
>> 1> view the ips which are blacklisted
>
> Read /proc/net/ipt_recent/<name>.
>
Great!!! Thanks a lot. Now I can write a shell script to manage the IPs.
>> 2> manually remove an IP from blacklist
>
> Write "-a.b.c.d" into /proc/net/ipt_recent/<name> where a.b.c.d is the
> address to remove. You can also write "clear" to flush the list.
>
>> 3> manually insert an IP as blacklist
>
> Write "+a.b.c.d" or "a.b.c.d" into /proc/net/ipt_recent/<name> where
> a.b.c.d is the address to add or update.
>
> Warning: ipt_recent may have been renamed xt_recent in recent kernels.
* Re: How to view blacklist ip ?
From: J. Bakshi @ 2009-09-07 7:59 UTC (permalink / raw)
To: Pascal Hambourg; +Cc: netfilter
J. Bakshi wrote:
> Pascal Hambourg wrote:
>
>> Hello,
>>
>> J. Bakshi wrote:
>>
>>> iptables -A INPUT -m recent --name blacklist --rcheck --seconds
>>> $BLACKLIST_INTERVAL -j DROP
>>>
>>> and it is working really well. But is there any way to manage the
>>> blacklisted ip ? Manage means
>>
>> man iptables
>>
>>> 1> view the ips which are blacklisted
>>
>> Read /proc/net/ipt_recent/<name>.
>
> Great!!! Thanks a lot. Now I can write a shell script to manage the IPs.
>
Though the content of the file consists of much more.
``````````
# cat /proc/net/ipt_recent/blacklist
src=183.131.207.0 ttl: 0 last_seen: 4298214902 oldest_pkt: 1 4298214902
src=240.168.95.31 ttl: 0 last_seen: 4298214902 oldest_pkt: 1 4298214902
src=254.41.0.0 ttl: 0 last_seen: 4298215698 oldest_pkt: 1 4298215698
src=255.255.211.0 ttl: 0 last_seen: 4298214902 oldest_pkt: 1 4298214902
src=135.0.0.0 ttl: 0 last_seen: 4298214902 oldest_pkt: 1 4298214902
src=79.0.0.0 ttl: 0 last_seen: 4298214902 oldest_pkt: 1 4298214902
src=53.0.0.0 ttl: 0 last_seen: 4298215698 oldest_pkt: 1 4298215698
src=31.190.99.0 ttl: 0 last_seen: 4298214902 oldest_pkt: 1 4298214902
src=165.0.0.0 ttl: 0 last_seen: 4298214902 oldest_pkt: 1 4298214902
src=236.13.207.0 ttl: 0 last_seen: 4298214902 oldest_pkt: 1 4298214902
src=135.232.168.45 ttl: 0 last_seen: 4298215698 oldest_pkt: 1 4298215698
src=255.255.255.211 ttl: 0 last_seen: 4298215698 oldest_pkt: 2 4298212575
`````````````````````````````````
And if I try to remove a line it reports
```````````````
WARNING: The file has been changed since reading it!!!
Do you really want to write to it (y/n)?
`````````````````
A yes puts me back into the file, and it is recursive.
>
>>> 2> manually remove an IP from blacklist
>>
>> Write "-a.b.c.d" into /proc/net/ipt_recent/<name> where a.b.c.d is the
>> address to remove. You can also write "clear" to flush the list.
>>
>>> 3> manually insert an IP as blacklist
>>
>> Write "+a.b.c.d" or "a.b.c.d" into /proc/net/ipt_recent/<name> where
>> a.b.c.d is the address to add or update.
>>
>> Warning: ipt_recent may have been renamed xt_recent in recent kernels.
* Re: How to view blacklist ip ?
From: Pascal Hambourg @ 2009-09-07 8:14 UTC (permalink / raw)
To: netfilter
J. Bakshi wrote:
> # cat /proc/net/ipt_recent/blacklist
>
> src=183.131.207.0 ttl: 0 last_seen: 4298214902 oldest_pkt: 1 4298214902
> src=240.168.95.31 ttl: 0 last_seen: 4298214902 oldest_pkt: 1 4298214902
[...]
> And If I try to remove a line it reports
>
> ```````````````
> WARNING: The file has been changed since reading it!!!
> Do you really want to write to it (y/n)?
> `````````````````
>
> A yes puts me again into the file. and it is recursive.
You are not supposed to open this pseudo-file and remove lines with a
text editor, you are supposed to *write* commands (e.g. with echo) into
it as indicated in the manpage. This is not a real file but an interface
to the kernel.
* Re: How to view blacklist ip ?
From: J. Bakshi @ 2009-09-07 8:26 UTC (permalink / raw)
To: Pascal Hambourg; +Cc: netfilter
Pascal Hambourg wrote:
> J. Bakshi wrote:
>
>> # cat /proc/net/ipt_recent/blacklist
>>
>> src=183.131.207.0 ttl: 0 last_seen: 4298214902 oldest_pkt: 1 4298214902
>> src=240.168.95.31 ttl: 0 last_seen: 4298214902 oldest_pkt: 1 4298214902
>>
> [...]
>
>> And If I try to remove a line it reports
>>
>> ```````````````
>> WARNING: The file has been changed since reading it!!!
>> Do you really want to write to it (y/n)?
>> `````````````````
>>
>> A yes puts me again into the file. and it is recursive.
>>
>
> You are not supposed to open this pseudo-file and remove lines with a
> text editor, you are supposed to *write* commands (e.g. with echo) into
> it as indicated in the manpage. This is not a real file but an interface
> to the kernel.
>
Hello,
Yes, I have found the specific section in the man page and it
successfully does the job as described. Now I can modify my script
accordingly to do the job.
Thanks a lot for the right direction.
wish you a nice time.
* Re: How to view blacklist ip ?
From: J. Bakshi @ 2009-09-07 9:20 UTC (permalink / raw)
To: Pascal Hambourg; +Cc: netfilter
J. Bakshi wrote:
> Pascal Hambourg wrote:
>
>> J. Bakshi wrote:
>>
>>> # cat /proc/net/ipt_recent/blacklist
>>>
>>> src=183.131.207.0 ttl: 0 last_seen: 4298214902 oldest_pkt: 1 4298214902
>>> src=240.168.95.31 ttl: 0 last_seen: 4298214902 oldest_pkt: 1 4298214902
>>>
>> [...]
>>
>>> And if I try to remove a line it reports
>>>
>>> ```````````````
>>> WARNING: The file has been changed since reading it!!!
>>> Do you really want to write to it (y/n)?
>>> `````````````````
>>>
>>> A yes puts me back into the file, and it is recursive.
>>
>> You are not supposed to open this pseudo-file and remove lines with a
>> text editor, you are supposed to *write* commands (e.g. with echo) into
>> it as indicated in the manpage. This is not a real file but an interface
>> to the kernel.
>
> Hello,
>
> Yes, I have found the specific section in the man page and it
> successfully does the job as described. Now I can modify my script
> accordingly to do the job.
> Thanks a lot for the right direction.
> wish you a nice time.
>
Hello Pascal,
I don't know if I should create a new thread or continue with this one.
But this is a new issue though a continuation of ipt_recent and blacklist.
My script to show the blacklisted ip is running well. During my
experiment with blacklist I have found that blacklisted ips are still
there at
/proc/net/ipt_recent/blacklist
Even after the blacklist interval the client can access the server
successfully; the server still shows the client ip as blacklisted.
Definitely the ip can be removed or "clear" as described in the man page
but storing the ip permanently at /proc/net/ipt_recent/blacklist is
very confusing. How can you then check if the ip is still blacklisted
or able to communicate with the server in real-life ?
* Re: How to view blacklist ip ?
From: Pascal Hambourg @ 2009-09-07 10:34 UTC (permalink / raw)
To: netfilter
J. Bakshi wrote:
> Even after the blacklist interval the client can access the server
> successfully; the server still shows the client ip as blacklisted.
> Definitely the ip can be removed or "clear" as described in the man page
> but storing the ip permanently at /proc/net/ipt_recent/blacklist is
> very confusing. How can you then check if the ip is still blacklisted
> or able to communicate with the server in real-life ?
The list just stores source addresses and timestamps (the big numbers,
measured in jiffies) of recently seen packets in a FIFO manner. Whether
a packet will match the rule with 'recent' depends on its options
--seconds and/or --hitcount. So it is up to you to parse the timestamps
associated to an address and decide whether this address is blacklisted
or not.
* Re: How to view blacklist ip ?
From: J. Bakshi @ 2009-09-07 10:47 UTC (permalink / raw)
To: Pascal Hambourg; +Cc: netfilter
Pascal Hambourg wrote:
> J. Bakshi wrote:
>> Even after the blacklist interval the client can access the server
>> successfully; the server still shows the client ip as blacklisted.
>> Definitely the ip can be removed or "clear" as described in the man page
>> but storing the ip permanently at /proc/net/ipt_recent/blacklist is
>> very confusing. How can you then check if the ip is still blacklisted
>> or able to communicate with the server in real-life ?
>>
>
> The list just stores source addresses and timestamps (the big numbers,
> measured in jiffies) of recently seen packets in a FIFO manner. Whether
> a packet will match the rule with 'recent' depends on its options
> --seconds and/or --hitcount. So it is up to you to parse the timestamps
> associated to an address and decide whether this address is blacklisted
> or not.
>
Now I understand the technique. I have 2 questions here:
1> How is the timestamp calculated here? It might be possible to
generate it through the date command.
2> How long are these entries kept at /proc/net/ipt_recent/? Any way
to modify that interval?
Thanks
* Re: How to view blacklist ip ?
From: Pascal Hambourg @ 2009-09-07 11:14 UTC (permalink / raw)
To: netfilter
J. Bakshi wrote:
> 1> How is the timestamp calculated here? It might be possible to
> generate it through the date command.
I don't know.
> 2> How long these entries are kept at /proc/net/ipt_recent/ ?
As long as newer data don't need the space. The list works as a FIFO.
> any way to modify that interval ?
You can only set the number of addresses and packets per address with
the module parameters ip_list_tot and ip_pkt_list_tot described in the
iptables manpage.
* Re: How to view blacklist ip ?
From: J. Bakshi @ 2009-09-07 12:20 UTC (permalink / raw)
To: Pascal Hambourg; +Cc: netfilter
Pascal Hambourg wrote:
> The list just stores source addresses and timestamps (the big numbers,
> measured in jiffies) of recently seen packets in a FIFO manner.
Could anyone suggest how to get the time in jiffies? I tried with "date
+%s" but it is not the jiffies value. Any clue please?
* Re: How to view blacklist ip ?
From: Anatoly Muliarski @ 2009-09-07 18:37 UTC (permalink / raw)
To: J. Bakshi; +Cc: netfilter
2009/9/7 J. Bakshi <joydeep@infoservices.in>:
> Could anyone suggest how to get the time in jiffies? I tried with "date
> +%s" but it is not the jiffies value. Any clue please?
You may use the first field in /proc/uptime - that gives you uptime in seconds.
IMHO, the recent module should be used for filtering purposes only, not
for managing blacklists.
The right way is ipset :)
And it does not require you to recompile your kernel - you may install
it as a module.
And yes, to use it you should recompile iptables if it does not
support it by default.
--
Best regards
Anatoly Muliarski
* Re: How to view blacklist ip ?
From: J. Bakshi @ 2009-09-08 4:35 UTC (permalink / raw)
To: Anatoly Muliarski; +Cc: netfilter
Anatoly Muliarski wrote:
> 2009/9/7 J. Bakshi <joydeep@infoservices.in>:
>
>> Could anyone suggest how to get the time in jiffies? I tried with "date
>> +%s" but it is not the jiffies value. Any clue please?
>
> You may use the first field in /proc/uptime - that gives you uptime in seconds.
>
> IMHO, the recent module should be used for filtering purposes only, not
> for managing blacklists.
> The right way is ipset :)
> And it does not require you to recompile your kernel - you may install
> it as a module.
> And yes, to use it you should recompile iptables if it does not
> support it by default.
>
Hello Anatoly,
Thanks for your enlightenment. I have to check if iptables supports
ipset by default in suse and debian. BTW any good tutorial to start with
ipset ?
regards
* Re: How to view blacklist ip ?
From: J. Bakshi @ 2009-09-08 5:28 UTC (permalink / raw)
To: Anatoly Muliarski; +Cc: netfilter
J. Bakshi wrote:
> Anatoly Muliarski wrote:
>
>> 2009/9/7 J. Bakshi <joydeep@infoservices.in>:
>>
>>> Could anyone suggest how to get the time in jiffies? I tried with "date
>>> +%s" but it is not the jiffies value. Any clue please?
>>
>> You may use the first field in /proc/uptime - that gives you uptime in seconds.
>>
>> IMHO, the recent module should be used for filtering purposes only, not
>> for managing blacklists.
>> The right way is ipset :)
>> And it does not require you to recompile your kernel - you may install
>> it as a module.
>> And yes, to use it you should recompile iptables if it does not
>> support it by default.
>
> Hello Anatoly,
>
> Thanks for your enlightenment. I have to check if iptables supports
> ipset by default in suse and debian. BTW any good tutorial to start with
> ipset ?
>
> regards
>
Hello,
I found iptree in ipset; it seems it can do the job. iptree can store IP
addresses with a timeout value. So the next thing is to migrate the
blacklisted IPs from the ipt_recent module to the iptree of ipset. I hope I
am on the right track. I need some guidance from you on the list.
regards.
* Re: How to view blacklist ip ?
From: Anatoly Muliarski @ 2009-09-08 7:48 UTC (permalink / raw)
To: J. Bakshi; +Cc: netfilter
An example is quite simple:
```shell
# Create iptree set to lock bad guys for 5 minutes
ipset -N BAD_GUYS iptree --timeout 300
# to add a bad guy( classified by source ip ) into the set
iptables -A SOMEWHERE <your_conditions> -j SET --add-set BAD_GUYS src
# to manually delete a bad guy( classified by source ip ) from the set
iptables -A SOMEWHERE <your_conditions> -j SET --del-set BAD_GUYS src
# to view the list content
ipset -L BAD_GUYS
# to check ip in the list
ipset -T BAD_GUYS <ip>
# OR, inside a rule
iptables -A SOMEWHERE -m set --set BAD_GUYS src
```
If you do not need a timeout you may use iphash set type or ipmap for
/16 network.
--
Best regards
Anatoly Muliarski
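Tying together Pascal's explanation that the stamps are jiffies and only the --seconds window decides a match, Anatoly's /proc/uptime tip, and the iptree set above, here is an added example (my code, not from the thread): it classifies each entry of the recent list as still inside the window or expired, and prints the ipset commands that would migrate the active ones, as J. Bakshi planned. The HZ value, the INITIAL_JIFFIES offset, the RECENT_FILE/UPTIME_FILE variables and the script name are assumptions of mine.

```shell
#!/bin/sh
# Added example: which entries of an ipt_recent/xt_recent list would still
# match "-m recent --rcheck --seconds N", and the ipset commands to carry
# those over to an iptree set.
#
# Assumptions not stated in the thread: jiffies advance HZ times per second
# starting from INITIAL_JIFFIES = 2^32 - 300*HZ (the values in the thread
# exceed 2^32, i.e. a 64-bit kernel where the counter does not wrap), so
# now_jiffies is about INITIAL_JIFFIES + uptime*HZ, good to about a second.
# HZ is a kernel build option and so a parameter here (250 is common);
# "getconf CLK_TCK" reports USER_HZ, which is not the same value.
HZ="${HZ:-250}"
SECONDS_WINDOW="${BLACKLIST_INTERVAL:-600}"   # the rule's --seconds value

# Estimate the kernel's current jiffies from the first field of /proc/uptime.
now_jiffies() {
    up=$(cut -d' ' -f1 "${UPTIME_FILE:-/proc/uptime}")
    awk -v up="$up" -v hz="$HZ" \
        'BEGIN { printf "%.0f\n", (4294967296 - 300 * hz) + up * hz }'
}

# Read recent-list lines on stdin; print "<ip> <age_seconds> <state>" per
# entry. --rcheck without --hitcount only looks at last_seen, so that is the
# stamp compared with the window; "active" means the DROP rule still matches.
classify_entries() {
    awk -v now="$1" -v hz="$HZ" -v win="$SECONDS_WINDOW" '
        /^src=/ {
            ip = substr($1, 5)                 # strip the "src=" prefix
            for (i = 1; i <= NF; i++)
                if ($i == "last_seen:") seen = $(i + 1)
            age = (now - seen) / hz
            if (age < 0) age = 0               # estimate error: treat as fresh
            printf "%s %d %s\n", ip, age, ((age < win) ? "active" : "expired")
        }'
}

# Print the ipset commands that would move still-active entries into an
# iptree set (create it first, e.g. "ipset -N BAD_GUYS iptree --timeout 600";
# every migrated entry then starts a fresh set timeout, not its remaining one).
migrate_commands() {
    classify_entries "$2" |
        awk -v set="$1" '$3 == "active" { print "ipset -A " set " " $1 }'
}

# Usage (as root):
#   RECENT_FILE=/proc/net/ipt_recent/blacklist sh recent_age.sh           # states
#   RECENT_FILE=/proc/net/ipt_recent/blacklist sh recent_age.sh BAD_GUYS  # commands
if [ -n "${RECENT_FILE:-}" ]; then
    now=$(now_jiffies)
    if [ $# -gt 0 ]; then migrate_commands "$1" "$now" < "$RECENT_FILE"
    else classify_entries "$now" < "$RECENT_FILE"; fi
fi
```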