Block suspicious IP with Linux firewall daemon

Block Brute-Force requests with Firewall Daemon from Bash Script

Firewall Daemon (firewalld) helps protect against ongoing brute-force attacks once attempted attacks on the Linux host have been detected. To protect the host permanently, suspicious sources can be blocked. The following bash script takes the offending IP address as an argument and sets it to reject using firewall-cmd.

The script was written on Debian 10 (buster). On Debian, as on Ubuntu 20, firewalld has to be installed first. On RHEL, CentOS 7 and later, and Fedora 30 or higher, firewalld is the default firewall and the script can be used as is.

Install Firewalld on Debian

The firewalld package is available in the official Debian 10 repositories, so installation takes only the commands shown below.

Install firewalld from the terminal as root or as a user with sudo privileges.

If ufw is active, the Uncomplicated Firewall (ufw) front end for netfilter must be disabled so that firewalld becomes the system's standard firewall.

Start the firewall daemon and enable it to start at boot.

Check that the firewall daemon is running and that the service is available.

Reload the firewall rules while keeping the state information.

On Debian, running firewall-cmd --reload produces the following error:

Error: COMMAND_FAILED: '/usr/sbin/ip6tables-restore -w -n' failed: ip6tables-restore v1.8.2 (nf_tables):
line 4: RULE_REPLACE failed (no such file or directory): rule in chain OUTPUT

The fix is to run update-alternatives so that Debian uses iptables instead of nftables as the backend.

After switching from nftables to iptables, reboot the Linux machine.

Firewalld configuring

Firewalld is a firewall-management solution that acts as a front end for the iptables packet filter provided by the Linux kernel. firewall-cmd is the utility used to manage the firewall configuration. The firewalld daemon manages groups of rules using entities called "zones". A zone is a set of rules that determines what traffic to allow, based on the level of trust placed in the network the computer is connected to. Each network interface is assigned to a zone, and that zone determines the behavior the firewall allows on it.

Using the firewall-cmd tool, check which zones and interfaces are configured; a network interface should be assigned to the default zone, public.

If no network interface appears under interfaces (line 6 of the output), it still has to be assigned to the zone. First query the available interfaces with ip or ifconfig (net-tools).

On this virtual Debian (buster) host it is link 2, ens33.

Assign the interface ens33 to the default zone public.

Verify the assignment by listing the interfaces of the zone.

The output confirms that the interface ens33 is assigned to zone public.

Interaction between Fail2ban and firewalld

Fail2ban (failure leads to ban) is an intrusion prevention framework written in Python. It runs on any Unix-like OS with a manageable packet filter or firewall, such as iptables or firewalld on Linux.

Line 13 of the script above, if fail2ban is installed and the line is executed, restores the addresses banned by fail2ban to their previously active state after the firewalld rules have been processed. If fail2ban is not used, lines 12-14 can be deleted.
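The following script is an added example, not the article's own script (whose listing is not reproduced on this page): it validates the IPv4 argument so that nothing but an address reaches firewall-cmd, adds a permanent rich rule rejecting that source, reloads firewalld, and restarts fail2ban so that its bans are re-applied. The zone name public, the use of a rich rule, and restarting fail2ban with systemctl as the re-ban step are assumptions.

```shell
#!/bin/sh
# Added example, not the article's script: reject one source IP via firewalld.
# Assumptions: the interface is in zone "public" and fail2ban's ban database
# (default since 0.9) is enabled, so a service restart re-applies its bans.
set -eu

ZONE="${ZONE:-public}"

# Return 0 when $1 is a well-formed IPv4 address (four octets, each 0-255),
# 1 otherwise. Rejecting anything else keeps shell metacharacters and
# option-like strings out of the firewall-cmd arguments.
valid_ipv4() {
    case $1 in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digit, leading/trailing/double dot
        *.*.*.*.*) return 1 ;;               # more than three dots
        *.*.*.*) ;;                          # exactly three dots
        *) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the rich rule that rejects every packet from the given source.
reject_rule() {
    printf 'rule family="ipv4" source address="%s" reject' "$1"
}

block_ip() {
    valid_ipv4 "$1" || { echo "invalid IPv4 address: $1" >&2; return 2; }
    rule=$(reject_rule "$1")
    # --permanent survives reload and reboot; --reload activates the rule.
    firewall-cmd --permanent --zone="$ZONE" --add-rich-rule="$rule"
    firewall-cmd --reload
    # --reload drops firewalld's runtime rules, including those fail2ban
    # inserted, so restart fail2ban to have it re-apply the bans it still holds.
    if command -v fail2ban-client >/dev/null 2>&1; then
        systemctl restart fail2ban
    fi
}

# Invoked without an argument the script only defines the functions.
if [ $# -ge 1 ]; then
    block_ip "$1"
fi
```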

Run the script

Run the script with the source IP appended as argument to reject suspicious requests at the firewall.

The blocked IP address can be removed again with the following command in the bash shell.

Reload to activate the rule entered through the firewall daemon.

Help for using firewall-cmd

Output of the changed and activated rule set of the public zone.

Check current firewall rules with the following commands.

Use the commands firewall-cmd and iptables to list the current rules.

Output the default zone for connections and interfaces.

Set a zone as the default zone.

Output the currently active zones.

Output the predefined zones.

Get help and the man page for firewall-cmd.
