CSF Ipsum - Daily feed of bad IPs (How to use in CSF)

Discussion in 'Other Centmin Mod Installed software' started by zakkaz, Jun 10, 2020.

  1. zakkaz

    zakkaz New Member

    Hi guys,
    I wanted to use an updated list of bad IPs, but it uses iptables.

    I know Centmin Mod uses CSF, so iptables can block access and more things if enabled.
    How can I convert the iptables script to CSF?

    GitHub Ipsum: stamparm/ipsum

    Original script:
    Code:
    # Upstream script from the stamparm/ipsum README (comments added)
    apt-get -qq install iptables ipset
    ipset -q flush ipsum             # empty the set if it already exists (-q: no error if it does not)
    ipset -q create ipsum hash:net   # create the set (error suppressed if it already exists)
    # ipsum.txt is "IP<TAB>score" where score = number of blocklists listing the IP:
    # drop "#" header lines, drop scores 1-2, keep only the IP column
    for ip in $(curl --compressed https://raw.githubusercontent.com/stamparm/ipsum/master/ipsum.txt 2>/dev/null | grep -v "#" | grep -v -E "\s[1-2]$" | cut -f 1); do ipset add ipsum $ip; done
    # drop every inbound packet whose source address is in the set
    iptables -I INPUT -m set --match-set ipsum src -j DROP
    
     
  2. eva2000

    eva2000 Administrator Staff Member

    The CSF command line is all you need to allow or deny IPs/IP classes etc.

    Read:
    CSF Firewall will automatically have IPSET support enabled at initial Centmin Mod install time if the installer detects your Linux kernel supports IPSET. So every IP allowed/denied makes use of IPSET.

    So with your list of IPs you need to use a bit of bash to filter just the IPs, i.e. list the last 5 IPs from the ipsum.txt text file:
    Code (Text):
    curl -sL https://github.com/stamparm/ipsum/raw/master/ipsum.txt | tail -5 | awk '{print $1}'
    124.244.30.253
    115.138.214.178
    182.155.16.172
    189.162.71.84
    189.78.202.251
    

    Manipulate that into CSF deny commands with ipsum as the comment:
    Code (Text):
    curl -sL https://github.com/stamparm/ipsum/raw/master/ipsum.txt | tail -5 | awk '{print $1}' | while read i; do echo "csf -d $i ipsum"; done
    csf -d 124.244.30.253 ipsum
    csf -d 115.138.214.178 ipsum
    csf -d 182.155.16.172 ipsum
    csf -d 189.162.71.84 ipsum
    csf -d 189.78.202.251 ipsum
    

    You can script it all too. An example is how I wrote tools/csfcf.sh to run via cronjob to grab Cloudflare's known IPs and whitelist them in CSF Firewall, and to create a cloudflare.conf include file to include in Nginx vhosts so Nginx detects the real IP behind Cloudflare; see the code at centminmod/centminmod.
     
  3. eva2000

    eva2000 Administrator Staff Member

    Another way is to use iptables in a custom file you create at /etc/csf/csfpre.sh and give executable permissions, i.e. 0700 or 0755.

    Then place the following in /etc/csf/csfpre.sh:
    Code (Text):
    #!/bin/bash
    ipset -q flush ipsum
    ipset -q create ipsum hash:net
    for ip in $(curl --compressed https://raw.githubusercontent.com/stamparm/ipsum/master/ipsum.txt 2>/dev/null | grep -v "#" | grep -v -E "\s[1-2]$" | cut -f 1); do ipset add ipsum $ip; done
    iptables -I INPUT -m set --match-set ipsum src -j DROP
    

    Then restart CSF Firewall:
    Code (Text):
    csf -ra

    The custom csfpre.sh file tells CSF Firewall to execute this script and its iptables rules first, before loading CSF Firewall's own rules. CSF Firewall is just a wrapper around iptables, so this works too, provided your CSF Firewall config has IPSET enabled and your Linux kernel has IPSET support. All dedicated servers and KVM VPS would usually have IPSET with default CentOS 7 kernels.
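    A hardened variant of the csfpre.sh approach above, added here as an example; it is not the post's script and not part of CSF or stamparm/ipsum. It keeps the same shape (populate an ipset, add a DROP rule, let CSF run it before its own rules) but bulk-loads the filtered feed into a scratch set with `ipset restore`, swaps it in atomically so the live set is never empty mid-refresh and a failed or empty download keeps the previous set, raises maxelem above the 65536 default (which a large ipsum list can exceed), and only inserts the DROP rule when `iptables -C` says it is missing. The set name, score threshold and set options are assumptions chosen for this example; it emits only create/add lines for restore mode because older ipset releases accept nothing else there.

```shell
#!/bin/bash
# /etc/csf/csfpre.sh -- added example (not from the thread, CSF or stamparm/ipsum).
# Loads ipsum.txt into an ipset via a scratch set + atomic swap, then makes sure
# a single DROP rule references it. SET, SET_OPTS and MIN_SCORE are assumptions.
set -eu

SET="ipsum"
SET_OPTS="hash:net family inet maxelem 262144"   # same for live and scratch set: ipset swap needs compatible sets
MIN_SCORE=3                                        # keep IPs seen on at least 3 blocklists (upstream drops 1-2)
IPSUM_URL="https://raw.githubusercontent.com/stamparm/ipsum/master/ipsum.txt"

# stdin: ipsum.txt ("IP<TAB>score", "#" header lines).
# stdout: an `ipset restore` script that builds scratch set $1_tmp with every
# IPv4 address scoring at least $2 (IPv6 and malformed lines are dropped).
restore_script() {
  printf 'create %s_tmp %s\n' "$1" "$SET_OPTS"
  awk -v min="$2" -v set="${1}_tmp" '
    /^#/ || NF < 2 { next }
    $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && $2 + 0 >= min + 0 { print "add " set " " $1 }
  '
}

apply() {
  script="$(mktemp)"
  # a curl failure just yields a script with no "add" lines; check that rather than exit codes
  curl -sS --compressed "$IPSUM_URL" | restore_script "$SET" "$MIN_SCORE" > "$script"
  if ! grep -q '^add ' "$script"; then
    echo "csfpre.sh: no IPs fetched from $IPSUM_URL, keeping existing set $SET" >&2
    rm -f "$script"
    exit 0                                # a feed outage must not break CSF's restart
  fi
  ipset create "$SET" $SET_OPTS -exist    # live set: created on first run, left alone afterwards
  ipset destroy "${SET}_tmp" 2>/dev/null || true
  ipset -exist restore < "$script"        # bulk load; -exist tolerates duplicate IPs in the feed
  ipset swap "${SET}_tmp" "$SET"          # atomic: the old contents now sit in ${SET}_tmp
  ipset destroy "${SET}_tmp"
  rm -f "$script"
  # -C only checks; insert the DROP rule when it is missing so reruns never stack duplicates
  iptables -C INPUT -m set --match-set "$SET" src -j DROP 2>/dev/null \
    || iptables -I INPUT -m set --match-set "$SET" src -j DROP
}

case "$0" in
  */csfpre.sh|csfpre.sh) apply ;;
  *)  # not installed as csfpre.sh: preview the restore script on a constructed sample (not real ipsum.txt)
      printf '# constructed sample\n1.2.3.4\t7\n5.6.7.8\t1\n9.9.9.9\t3\n2001:db8::1\t9\n' \
        | restore_script "$SET" "$MIN_SCORE" ;;
esac
```

    Install it as /etc/csf/csfpre.sh with `chmod 700`, then `csf -ra`; run from any other path it only prints the restore script it would feed to ipset for a small constructed sample.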
     
  4. zakkaz

    zakkaz New Member

    Thank you. Do you advise removing the old daily ipsum list every night, or adding the new IPs?
     
  5. eva2000

    eva2000 Administrator Staff Member

    If you script it you can, i.e. if you have a common comment name added via the CSF command line, that would end up in the /etc/csf/csf.allow and /etc/csf/csf.deny lists, so you can filter by comment name and remove them before adding the new set.

    Example, if I deny these 2 IPs:
    Code (Text):
    csf -d 189.162.71.84 ipsum
    csf -d 189.78.202.251 ipsum
    

    The returned output for 189.162.71.84 would be:
    Code (Text):
    csf -d 189.162.71.84 ipsum
    Adding 189.162.71.84 to csf.deny and iptables DROP...
    csf: IPSET adding [189.162.71.84] to set [chain_DENY]
    

    If IPSET is supported it will be added to the default IPSET named chain_DENY:
    Code (Text):
    ipset list -name
    chain_DENY
    chain_6_DENY
    chain_ALLOWDYN
    chain_6_ALLOWDYN
    chain_ALLOW
    chain_6_ALLOW
    

    Code (Text):
    ipset list chain_DENY | grep '189.162.71.84'
    189.162.71.84
    

    The last 2 entries in /etc/csf/csf.deny would be:
    Code (Text):
    tail -2 /etc/csf/csf.deny
    189.162.71.84 # ipsum - Tue Jun  9 22:10:48 2020
    189.78.202.251 # ipsum - Tue Jun  9 22:10:52 2020
    

    So you can filter on the comment:
    Code (Text):
    grep '# ipsum' /etc/csf/csf.deny
    189.162.71.84 # ipsum - Tue Jun  9 22:10:48 2020
    189.78.202.251 # ipsum - Tue Jun  9 22:10:52 2020
    

    To grab only the IPs with the ipsum comment:
    Code (Text):
    awk '/# ipsum/ {print $1}' /etc/csf/csf.deny
    189.162.71.84
    189.78.202.251
    

    Or if you use the csfpre.sh method above it's not needed, as you do an IPSET flush to start fresh again anyway.
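    The CSF command-line route from the two eva2000 posts above (filter ipsum.txt, deny each IP with `csf -d <ip> ipsum`, and on the next run remove your own entries by their comment before adding the new set) as one cron-able script. This is an added example, not code from the thread, Centmin Mod or stamparm/ipsum; the comment tag, the score threshold, the DRY_RUN switch and the script name are assumptions made for it. `csf -dr` is CSF's own "remove from csf.deny and unblock" option. With no arguments it does an offline dry run on constructed data; `refresh` as root does it for real.

```shell
#!/bin/bash
# Added example (not from the thread, Centmin Mod or stamparm/ipsum): refresh the
# ipsum entries in csf.deny by comment tag. TAG, MIN_SCORE and DRY_RUN are assumptions.
set -eu

TAG="${TAG:-ipsum}"                            # comment csf stores next to each of our entries
MIN_SCORE="${MIN_SCORE:-3}"                    # ipsum score = number of blocklists listing the IP
CSF_DENY="${CSF_DENY:-/etc/csf/csf.deny}"
IPSUM_URL="https://raw.githubusercontent.com/stamparm/ipsum/master/ipsum.txt"
DRY_RUN="${DRY_RUN:-0}"                        # 1 = print the csf commands instead of running them

# stdin: ipsum.txt ("IP<TAB>score", "#" header lines). Prints IPv4 addresses whose
# score is at least $1; IPv6 and malformed lines are dropped so csf gets clean input.
ipsum_filter() {
  awk -v min="$1" '
    /^#/ || NF < 2 { next }
    $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && $2 + 0 >= min + 0 { print $1 }
  '
}

# stdin: csf.deny. csf writes "<ip> # <comment> - <date>", so our entries are the
# lines whose third field equals tag $1. Prints the IP only.
current_tagged() {
  awk -v tag="$1" '$2 == "#" && $3 == tag { print $1 }'
}

# Run a command, or just echo it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# $1 = file of fresh IPs (one per line), $2 = csf.deny path. Removes every entry
# carrying our tag, then denies the fresh list. csf -d/-dr apply immediately via
# ipset, so no csf -r is needed afterwards.
refresh() {
  for ip in $(current_tagged "$TAG" < "$2"); do
    run csf -dr "$ip"
  done
  while read -r ip; do
    if [ -n "$ip" ]; then run csf -d "$ip" "$TAG"; fi
  done < "$1"
}

# Offline demonstration on constructed data (not a real ipsum.txt or csf.deny).
demo() {
  feed="$(mktemp)"; deny="$(mktemp)"; fresh="$(mktemp)"
  printf '# constructed sample\n1.2.3.4\t7\n5.6.7.8\t1\n9.9.9.9\t3\n2001:db8::1\t9\n' > "$feed"
  printf '1.1.1.1 # manual - Mon Jun  8 10:00:00 2020\n189.162.71.84 # ipsum - Tue Jun  9 22:10:48 2020\n' > "$deny"
  ipsum_filter "$MIN_SCORE" < "$feed" > "$fresh"
  ( DRY_RUN=1; refresh "$fresh" "$deny" )    # prints: csf -dr 189.162.71.84 / csf -d 1.2.3.4 ipsum / csf -d 9.9.9.9 ipsum
  rm -f "$feed" "$deny" "$fresh"
}

case "${1:-}" in
  refresh)
    fresh="$(mktemp)"
    curl -sS --compressed "$IPSUM_URL" | ipsum_filter "$MIN_SCORE" > "$fresh"
    # an empty download must not strip the current entries and leave nothing behind
    if ! [ -s "$fresh" ]; then
      echo "no IPs fetched from $IPSUM_URL, keeping current entries" >&2
      rm -f "$fresh"; exit 1
    fi
    refresh "$fresh" "$CSF_DENY"
    rm -f "$fresh"
    ;;
  *) demo ;;
esac
```

    The download is checked before anything is removed, so a feed outage leaves yesterday's entries in place; tagging by comment also keeps hand-added csf.deny entries untouched.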