0

I've seen various guides out there for how to nullroute a single IP address, and I've done that before. However, I'm not sure how to nullroute a group of IP addresses. Going through each one individually would be too tedious.

If I have a text file with an IP address on each line, how would I nullroute all addresses in that file? Is there a command for route or iptables that I can use? I'm running a Debian VPS.

Also, I read somewhere that this method may not be the best way to ban a group of IPs. If there's a better way to accomplish this, please let me know. I've been having spam attacks on my server.

Joey Miller
  • 111
  • 5

4 Answers

1

Is there a reason you want to null route the hosts vs. just blocking them with iptables? Either way, both iptables rules and static routes can be managed via set config files in Ubuntu. You could write a script to parse a text file and then modify the route or iptables config files, but that seems circular. It would essentially be creating a config file to manage another config file. If you need to do this on multiple servers you could sync the config files between them or use a configuration management system such as Puppet.

keegan2149
  • 71
  • 3
  • Thank you for the answer! I'm okay with doing this through iptables. Is there a good way to do this? Maybe through a frontend? – Joey Miller Jul 06 '14 at 22:24
0

Maybe you want to have a simple bash script or your preferred shell script.

    #!/bin/bash

    # one IP per line; lines starting with '#' are comments
    ipfile="/tmp/null_ips"
    ips=$(grep -Ev "^#" "$ipfile")
    for ip in $ips
      do
       ip route add blackhole "$ip"
    done

Further: check whether you already blocked those IPs:

    ip route show
tike
  • 643
  • 1
  • 5
  • 18
0

iptables is pretty easy. First do iptables --list to get a list of your chains and rules. The default is pretty simple. If the below doesn't work or you don't see an INPUT rule, post the output of that command with the IPs removed for security.

The following adds a rule to log traffic from a server and then drop it and saves your chains so that they are restored on boot:

    # -I inserts at the top of the chain, so insert DROP first and LOG second:
    # the LOG rule then sits above DROP and actually fires before the packet is dropped
    iptables -I INPUT --source 1.2.3.4/32 -j DROP
    iptables -I INPUT --source 1.2.3.4/32 -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
    # iptables-save only prints the ruleset to stdout; redirect it to the file your boot-time restore reads (e.g. /etc/iptables/rules.v4 with iptables-persistent)
    iptables-save

If you have a list of IPs you could do something like this in bash:

    #!/bin/bash
    # usage: ./block.sh file-with-bad-ips (one address per line)
    while read -r ip
    do
      [ -z "$ip" ] && continue    # skip blank lines
      # DROP first, then LOG: -I inserts at the top, so LOG ends up above DROP and fires
      iptables -I INPUT --source "$ip/32" -j DROP
      iptables -I INPUT --source "$ip/32" -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
    done < "$1"
    iptables-save    # prints to stdout; redirect to the file restored at boot

    ./block.sh file-with-bad-ips

On a side note, the command will also take hostnames, but that's not advisable for performance reasons.

keegan2149
  • 71
  • 3
  • Thank you for the answer! Would a static list be the best way to go? – Joey Miller Jul 08 '14 at 16:37
  • I think iptables is the better way. This is the intended use of iptables. It allows you to filter by port and to log dropped packets among other features. I think 'tike' just posted a null route solution because you requested one. – keegan2149 Jul 09 '14 at 21:39
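The two scripted answers above (tike's blackhole routes and keegan2149's per-address iptables rules) each loop over the list one command at a time. As an added example that is not from either answer, nor from the iptables or ipset projects, the script below reads the same kind of file, validates every entry so that a typo never becomes a bogus rule, and emits batch input for either ipset restore (one set plus a single DROP rule, which stays cheap for large lists) or ip -batch (the null-route variant). The set name badhosts, the file format (one IPv4 address or CIDR per line, '#' comments and blank lines ignored) and the three subcommands are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the answers above. Turns a text file of IPv4
# addresses / CIDR blocks into batch input for `ipset restore` or `ip -batch`.
# Assumed file format: one entry per line, '#' comments and blank lines ignored.
# The set name "badhosts" is an arbitrary assumption.
set -eu

SET_NAME="${SET_NAME:-badhosts}"

# Return 0 if $1 is a dotted-quad IPv4 address with an optional /0-/32 prefix.
valid_ipv4_cidr() {
    entry=$1
    addr=${entry%%/*}
    case $entry in
        */*/*) return 1 ;;
        */*)   prefix=${entry#*/}; [ -n "$prefix" ] || return 1 ;;
        *)     prefix= ;;
    esac
    # Reject anything but digits and dots (also prevents glob expansion below),
    # and a leading or trailing dot, which field splitting would silently drop.
    case $addr in *[!0-9.]*|.*|*.) return 1 ;; esac
    old_ifs=$IFS
    IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    if [ -n "$prefix" ]; then
        case $prefix in ''|*[!0-9]*) return 1 ;; esac
        [ "${#prefix}" -le 2 ] && [ "$prefix" -le 32 ] || return 1
    fi
    return 0
}

# Print the valid entries of FILE ($1), deduplicated and sorted, one per line.
# Invalid entries are reported on stderr and skipped rather than applied.
parse_ip_list() {
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line%%#*}                                   # drop trailing comment
        entry=$(printf '%s' "$entry" | tr -d '[:space:]')   # drop all whitespace
        [ -n "$entry" ] || continue
        if valid_ipv4_cidr "$entry"; then
            printf '%s\n' "$entry"
        else
            printf 'skipping invalid entry: %s\n' "$entry" >&2
        fi
    done < "$1" | LC_ALL=C sort -u
}

# Batch input for `ipset -exist restore`: one hash:net set holds the whole
# list, so a single iptables rule references it instead of one rule per address.
ipset_batch() {
    printf 'create %s hash:net\nflush %s\n' "$SET_NAME" "$SET_NAME"
    parse_ip_list "$1" | sed "s|^|add $SET_NAME |"
}

# Batch input for `ip -batch -`: the null-route variant of the same list.
route_batch() {
    parse_ip_list "$1" | sed 's|^|route replace blackhole |'
}

# Load the set and make sure exactly one DROP rule references it. Needs root
# plus the ipset/iptables tools; `-C` checks first so re-runs do not stack rules.
apply_ipset_block() {
    ipset_batch "$1" | ipset -exist restore
    iptables -C INPUT -m set --match-set "$SET_NAME" src -j DROP 2>/dev/null ||
        iptables -I INPUT -m set --match-set "$SET_NAME" src -j DROP
}

usage() {
    printf 'usage: %s {ipset|routes|apply} FILE\n' "$0" >&2
    return 2
}

main() {
    [ $# -eq 2 ] || usage
    case $1 in
        ipset)  ipset_batch "$2" ;;
        routes) route_batch "$2" ;;
        apply)  apply_ipset_block "$2" ;;
        *)      usage ;;
    esac
}

# Run only when invoked with arguments, so the functions can also be sourced.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Because ipset -exist restore ignores an already-existing set and already-present members, and iptables -C checks for the rule before inserting it, the apply subcommand can be re-run from cron whenever the list file changes; the routes subcommand is meant to be piped into ip -batch - in the same way. Both batch generators are pure text output, so they can be inspected before anything touches the firewall.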
0

Doing this manually is going to be a nightmare and definitely a case of whack-a-mole. The real question is: what kind of spam attacks?

In nearly all cases these things are widespread and common enough that it can be mitigated in at least half of cases through using a public blacklist or tweaking some settings.

If it's:

  • comment spam, see if your blog/site software can use Akismet or similar - I seem to recall there are IP reputation-based filter plugins for a number of things too.

  • forum spam, enable some captchas and turn on email-validation-before-post. There may be an antispam module for your forum too.

  • email spam, use RBLs to drop 60-85% (in our experience) of spam (look into the barracudacentral one especially), install SpamAssassin etc, or outsource your spam filtering to a company for not much per year and save yourself the time and headache.

Phil
  • 1,222
  • 1
  • 7
  • 15
  • Thank you for the answer, Phil! I've been using stopforumspam's database and that's helped a lot of the forum spam, but is there a good way to protect against DDoS attacks like this? – Joey Miller Jul 09 '14 at 17:58
  • Is it actually a concerted attack to disrupt the operation of the forum, or is it just "regular" forum spam from lots of different IPs? – Phil Jul 09 '14 at 23:36
  • Well, I actually run a webserver and IRC network on a single server, so having a unified way to ban the proxies is what I'm looking for. – Joey Miller Jul 11 '14 at 16:10
  • You're still going to need something automated to catch the offenders in the first place if they're not already coming from "known" proxies/open relays. Assuming you're running a compatible IRCD and know enough to compile and run it, how about S from QuakeNet's newserv to monitor the most commonly spammed channels? – Phil Jul 13 '14 at 22:43
  • I guess what I'm looking for, then, is just some sort of blacklist software (either for the ircd or the server itself) that can read from a text file and check against it. – Joey Miller Jul 16 '14 at 04:25
  • Something like CSF http://configserver.com/cp/csf.html can work with a black and whitelist as well as do bruteforce detection/banning with the right config. It can be made to work on Debian just fine. – Phil Jul 16 '14 at 10:21