Koozali.org: home of the SME Server
Obsolete Releases => SME 9.x Contribs => Topic started by: ElFroggio on June 02, 2017, 03:57:52 AM
-
SME 9.2
Is it possible to tie geoip with iptables/fail2ban? I have seen:
https://forums.contribs.org/index.php/topic,50465.msg253952.html#msg253952
1. It's in French and my French is very rusty. (I can speak but not technical)
2. I don't understand the "-m geoip --src-cc " where does it come from?
I've been under attack from China, Korea and Vietnam. It has slowed down, but I'd like to deal with it.
Any suggestion?
Thanks
Syv
-
I have started looking at geoip blocking with fail2ban; unfortunately the kernel and the way iptables is compiled under CentOS/Red Hat, and so SME9, does not allow this.
An alternative would have been to work also with /etc/hosts.deny (https://www.axllent.org/docs/view/ssh-geoip/), but again an internal command (aclexec) to allow this is not available with Red Hat.
A last solution would be to use xtables-addons and its kmod... I started looking at it and I am stuck trying to compile it against SME9 for the moment.
So if you have the time and energy to work on compiling this, yes you could get geoip ban at iptables level....
-
so if you have the time and energy to work on compiling this, yes you could get geoip ban at iptables level....
I'm sorry, but I'm afraid that it's beyond my skills level
Thanks/Merci
Syv
-
I have compiled xtables-addons for testing here
https://repos.misouk.com/Sme_Server/6/x86_64/xtables-addons-1.47.1-1.el6.x86_64.rpm
yum install must have "enablerepo=epel" option for dependencies.
Some explanations for setup here
https://www.howtoforge.com/xtables-addons-on-centos-6-and-iptables-geoip-filtering
I am working on a contrib now. Any suggestion would be appreciated.
-
I am working on a contrib now. Any suggestion would be appreciated.
It depends where you are stuck :-)
Let us know and we can try and help.
B. Rgds
John
-
mab974,
thank you for the good work!
Suggestion for a contrib: you could first work on templates and db entries for the most useful settings;
as a second step you could work on a panel to help change those settings.
I see you have a few contribs there : https://repos.misouk.com/Sme_Server/6/SRPMS
would you like to have access to our buildsystem to import them ?
As a start I see you were able to update geneweb that I was not able to do in a reasonable time before giving up.
Having them in the buildsys would help others to get access to this great work and also help others to help you, including translating panels or fixing a small issue.
-
Hi,
It's a particular contrib which depends on kernel version.
new kernel --> new packet
https://repos.misouk.com/Sme_Server/6/x86_64/xtables-addons-1.47.1-2.el6.x86_64.rpm
Suggestion for a contrib: you could first work on templates and db entries for the most useful settings;
as a second step you could work on a panel to help change those settings.
I am working on templates and db entry for xt_geoip; for the other addons I don't know if there's NFR for them.
For the second point, I thought panel use was no more considered as a good solution for the future.
I see you have a few contribs there : https://repos.misouk.com/Sme_Server/6/SRPMS
would you like to have access to our buildsystem to import them ?
Why not? For some of them which may be interesting. But for sure I need some help for the beginning, in a better place than here too.
-
can't access your repo, err NET::ERR_CERT_REVOKED
-
can't access your repo, err NET::ERR_CERT_REVOKED
Can get it on my phone from here ?
-
Chrome 61 on Linux Mint says that the certificate was revoked..
no problem using Firefox.....
-
Problem with chrome
Chrome 61 distrusts ALL certificates signed by StartSSL and WoSign
from https://webmasters.stackexchange.com/questions/103405/startssl-certificate-gives-sec-error-revoked-certificate-in-firefox-and-err-cert
mine is an old one but evil.... evil.... :-)
-
Hi,
It's a particular contrib which depends on kernel version.
new kernel --> new packet
https://repos.misouk.com/Sme_Server/6/x86_64/xtables-addons-1.47.1-2.el6.x86_64.rpm
Ideally it would be to compile the rpm in two: one main and one kmod with soft dependency, so you only need to recompile it on major change of the kernel.
I am working on templates and db entry for xt_geoip; for the other addons I don't know if there's NFR for them.
great
For the second point, i thought panel use was no more considered as a good solution for the future.
No, they are still needed, just that for SME10 we aim to make the manager better.
why not ? for some of them which may be interesting. But for sure i need some help for the beginning, in a better place than here too.
some exchange can be made on IRC, hangouts or another IM.
-
Hi,
A contrib named xt_geoip is available for testing at
https://repos.misouk.com/Sme_Server/6/noarch/smeserver-xt_geoip-1.0.1-01.el6.noarch.rpm
xt_geoip for Xtables-addons module geoip specifically which permits to filter traffic (on IP) based on the country it comes from.
This contrib needs xtables-addons of course, available at
https://repos.misouk.com/Sme_Server/6/x86_64/xtables-addons-1.47.1-2.el6.x86_64.rpm
as seen above.
xt_geoip appears in the server manager in the Administration part. English and French versions are available for now.
Its panel permits to
- enable/disable filtering
- enter country codes
- force base update
The GeoIP base is periodically updated.
Installation:
yum install xtables-addons --enablerepo=epel (locally for now)
yum install smeserver-xt_geoip (locally for now)
then
signal-event post-upgrade; signal-event reboot
Updating the xt_geoip database is performed by issuing the following command:
signal-event xt_geoip-update
-
For letsencrypt port 80 and 443 have to be open. There's no webcontent on my servers. What I see in the logs are a lot of attempts from IP's searching for wordpress, admin. passwords, curl, wget, and so on.
I'm thinking about using
Its panel permits to
enable/disable filtering
enter country codes
force base update
this, to ban "dirty" IP's. Does this make sense, and will it work?
Regards,
stefan
-
It works in the simplest way possible (for now).
Xt_geoip blocks ALL IP connections based on the country of their origin.
If you think that troublesome connections come mainly from some countries, this can be interesting, keeping in mind that the "good IPs" of these countries are also blocked.
So you have to verify that any IP that must connect to your server is not in a banned country.
For sure, this is not a precise tool but for the filtering rules, adaptations are possible at the template level.
I modified the contrib a little. In particular I separated xtables-addons into two rpms as Jean-Philippe suggested.
Here are the latest versions, which have been running on two of my servers for a few weeks:
- https://repos.misouk.com/Sme_Server/6/x86_64/xtables-addons-1.47.1-4.el6.sme.x86_64.rpm
- https://repos.misouk.com/Sme_Server/6/x86_64/xtables-addons-kmod-1.47.1-1.el6.sme.x86_64.rpm
- https://repos.misouk.com/Sme_Server/6/noarch/smeserver-xt_geoip-1.0.1-01.el6.sme.noarch.rpm
regards,
Michel
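-
Added example (not part of the original thread and not the contrib's own templates): a dry-run generator for the kind of "-m geoip --src-cc" rules asked about in the first post, with the trusted addresses exempted before the country drop as the last post advises. The chain name GEOIP_FILTER, the function names, the sample address and the 15-code-per-rule limit are assumptions made for this illustration.

```bash
#!/bin/bash
# Added illustration: PRINTS iptables rules that use the xtables-addons
# geoip match; it does not run them. All names here are hypothetical.
LC_ALL=C    # make [A-Z] match ASCII uppercase only
MAX_CC=15   # assumption: per-rule country limit of xt_geoip (XT_GEOIP_MAX)

# valid_cc CODE: format check only (two uppercase letters), not a lookup
valid_cc() {
    case "$1" in
        [A-Z][A-Z]) return 0 ;;
        *) return 1 ;;
    esac
}

# geoip_rules "CC CC ..." "IP IP ..."
# Exempt addresses RETURN from the chain first, so they are still subject to
# the rest of INPUT; then the country list is dropped in chunks of MAX_CC.
geoip_rules() {
    _chunk=""; _n=0
    for _cc in $1; do
        valid_cc "$_cc" || { echo "invalid country code: $_cc" >&2; return 1; }
    done
    echo "iptables -N GEOIP_FILTER"
    for _ip in $2; do
        echo "iptables -A GEOIP_FILTER -s $_ip -j RETURN"
    done
    for _cc in $1; do
        _chunk="${_chunk:+$_chunk,}$_cc"
        _n=$((_n + 1))
        if [ "$_n" -eq "$MAX_CC" ]; then
            echo "iptables -A GEOIP_FILTER -m geoip --src-cc $_chunk -j DROP"
            _chunk=""; _n=0
        fi
    done
    if [ -n "$_chunk" ]; then
        echo "iptables -A GEOIP_FILTER -m geoip --src-cc $_chunk -j DROP"
    fi
    echo "iptables -I INPUT -j GEOIP_FILTER"
}

# Constructed sample: the three countries named in the first post, and a
# documentation-range address standing in for a remote administrator.
geoip_rules "CN KR VN" "203.0.113.10"
```

Review the printed rules before applying any of them; on SME Server the contrib writes its own rules from templates, so this only shows the shape of the match.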