I need to see if there are any quick and fast ways to “protect” my network at my router level.
What I do: I protect HTTP/HTTPS logins and the apps hosted on my network. I expect no traffic from countries like CN (China), so I use GeoIP and block all traffic from there.
I don’t need any fancy rules for SMTP etc.
I even try to go further: always BLOCK and then allow some IPs (I do have a whitelist).
Besides GeoIP there are some (many!) lists of IPs / CIDRs, updated every 24h or even 6h, with “community” access, so free as in free speech.
But the issue is this: someone using such “protection” reads like: well, I don’t have money for an umbrella, so I use a newspaper when it rains. It does not pour at the moment, but I don’t like some IPs just poking around at my net.
I don’t need any greylisting etc. I simply know where 95% of my business traffic will come from (my home country), so I whitelist it.
But the issue is this: with the minimum possible workload on the router CPU. I found a few threads where some guys make a named rule (ipset underneath) and run cron, then feed the IPs into the set.
What do you think about it? Maybe you use some add-on, even a paid one (i.e. someone has developed it; I’m glad to pay some beer+pizza money).
Anyway, what do you think, is this kind of protection still in use?
I’m not sure what IPSEC has to do with your long and rambling post.
But I think after reading it a few times you’re asking whether you can load filter lists into VyOS and yes, in the latest rolling releases you can.
I meant ipset (the nftables replacement for iptables’s ipset?) (sorry, late night here and a very crazy spell check).
I need inexpensive protection against malicious attacks from various IPs at the router level. I’ve been looking at different options, e.g. BGP feeds with malicious addresses, but they’re quite expensive. I’m looking for something that won’t kill my budget, as a supplement to blocking countries by GeoIP.
Maybe → make a custom script. Well, I could create scripts that periodically download free blocklists and update the router’s firewall rules (but the work is to find good lists! And to check them periodically, as they could simply die / go into no-maintainer mode!)
It requires some technical knowledge, but in the end it’s very cost-effective.
#!/bin/bash
# update_spamhaus_drop.sh: load the downloaded Spamhaus DROP list into a VyOS network-group
DROP_FILE="/config/scripts/drop_v4.json"
GROUP_NAME="SPAMHAUS_DROP"
WRAPPER="/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper"

if [ ! -s "$DROP_FILE" ]; then
  echo "Error: $DROP_FILE is missing or empty; leaving the current group untouched."
  exit 1
fi

# Parse the JSON file (one object per line). The published drop_v4.json names the
# prefix field "cidr"; "ip" is accepted as well in case a copy uses that key.
echo "Processing Spamhaus DROP list..."
NETWORKS=$(grep -oE '"(cidr|ip)":"[^"]*"' "$DROP_FILE" | cut -d'"' -f4 | sort -u)
if [ -z "$NETWORKS" ]; then
  echo "Error: no networks found in $DROP_FILE; leaving the current group untouched."
  exit 1
fi

# Replace the group's members in a single commit. Only the member networks are
# deleted, not the group itself: deleting a group that WAN_IN still references
# fails the commit.
echo "Replacing members of network-group $GROUP_NAME..."
sudo $WRAPPER begin
sudo $WRAPPER delete firewall group network-group $GROUP_NAME network
sudo $WRAPPER set firewall group network-group $GROUP_NAME description "Spamhaus DROP List"
for NETWORK in $NETWORKS; do
  sudo $WRAPPER set firewall group network-group $GROUP_NAME network "$NETWORK"
done

# Commit the configuration
echo "Committing configuration..."
sudo $WRAPPER commit
sudo $WRAPPER end
of course something like this:
configure
# the scheduled task must run the downloader (saved here as /config/scripts/fetch_spamhaus_drop.sh, name assumed);
# the downloader fetches the list and then calls update_spamhaus_drop.sh itself
set system task-scheduler task update-spamhaus-drop executable path '/config/scripts/fetch_spamhaus_drop.sh'
set system task-scheduler task update-spamhaus-drop interval '12h'
set firewall group network-group SPAMHAUS_DROP description 'Spamhaus DROP List'
set firewall name WAN_IN rule 10 action 'drop'
set firewall name WAN_IN rule 10 source group network-group 'SPAMHAUS_DROP'
set firewall name WAN_IN rule 10 description 'Block Spamhaus DROP list'
# WAN_IN sets no explicit default-action, and VyOS then drops whatever no rule accepts,
# so add the accept rules you need (established/related, your whitelist) before attaching it
set interfaces ethernet eth0 firewall in name 'WAN_IN'
commit
save
exit
downloader:
#!/bin/bash
# fetch_spamhaus_drop.sh (file name assumed): download the list, then hand it to the update script
DROP_FILE="/config/scripts/drop_v4.json"
DROP_URL="https://www.spamhaus.org/drop/drop_v4.json"
TMP_FILE="${DROP_FILE}.tmp"

echo "Downloading Spamhaus DROP list..."
# -f makes HTTP errors fail the command (plain -s -o would happily save an error page),
# and writing to a temp file first keeps the last good copy if the download breaks
if ! curl -fsSL -o "$TMP_FILE" "$DROP_URL"; then
  echo "Error downloading Spamhaus DROP list."
  rm -f "$TMP_FILE"
  exit 1
fi
mv "$TMP_FILE" "$DROP_FILE"

echo "Updating firewall rules..."
/config/scripts/update_spamhaus_drop.sh || exit 1
echo "Completed Spamhaus DROP list update."
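An added example, my own code rather than anything posted in this thread or shipped with VyOS, that carries the feed-to-network-group idea above a step further: it parses a Spamhaus-DROP-style JSON feed, validates and de-duplicates the prefixes, skips prefixes you never want blocked, refuses to apply a suspiciously short list (so a truncated download cannot quietly empty the group), deletes only the group's members rather than the group, and commits only when the member list actually changed, which keeps the router's CPU out of needless commits. The sample feed is constructed; the "cidr" field name, the group name, the exempt prefix and the state-file location are assumptions to check against your own setup.

```shell
#!/bin/bash
# Added example, not code from the thread or from VyOS: feed a Spamhaus-DROP-style
# JSON list into a VyOS network-group with the sanity checks a scheduled job needs.
# Assumed: one JSON object per line carrying a "cidr" field (check against the live
# file), the group name, the exempt prefix and the state-file location.

GROUP_NAME="SPAMHAUS_DROP"
MIN_RECORDS=3                              # refuse to apply a suspiciously short list
EXEMPT_CIDRS="198.51.100.0/24"             # never block these (assumed: your own prefix)
STATE_FILE="${STATE_FILE:-/tmp/${GROUP_NAME}.applied}"   # on VyOS keep it under /config/scripts
WRAPPER="/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper"

# Constructed sample feed: two good records, one duplicate, one malformed entry,
# one exempt prefix, one more good record and a trailing metadata line.
SAMPLE_FEED='{"cidr":"192.0.2.0/24","sblid":"SBL000001","rir":"arin"}
{"cidr":"203.0.113.0/24","sblid":"SBL000002","rir":"apnic"}
{"cidr":"192.0.2.0/24","sblid":"SBL000001","rir":"arin"}
{"cidr":"not-a-network","sblid":"SBL000003","rir":"ripe"}
{"cidr":"198.51.100.0/24","sblid":"SBL000004","rir":"arin"}
{"cidr":"100.64.0.0/10","sblid":"SBL000005","rir":"arin"}
{"type":"metadata","timestamp":1700000000,"size":6,"records":5}'

# extract_networks FEED -> sorted, unique IPv4 prefixes in a.b.c.d/n form
# (syntax only; an octet above 255 would still pass)
extract_networks() {
  printf '%s\n' "$1" \
    | grep -oE '"cidr":"[^"]*"' | cut -d'"' -f4 \
    | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' \
    | sort -u
}

# filter_exempt NETWORKS -> NETWORKS minus exact matches of EXEMPT_CIDRS
# (a supernet covering an exempt prefix is not detected; that needs ipcalc)
filter_exempt() {
  local net ex keep
  while read -r net; do
    keep=1
    for ex in $EXEMPT_CIDRS; do
      if [ "$net" = "$ex" ]; then keep=0; fi
    done
    if [ "$keep" = 1 ] && [ -n "$net" ]; then printf '%s\n' "$net"; fi
  done <<EOF
$1
EOF
}

# build_commands NETWORKS -> configure commands that replace the group's members.
# Only the members are deleted: deleting the group itself fails commit while a
# firewall rule still references it.
build_commands() {
  printf 'delete firewall group network-group %s network\n' "$GROUP_NAME"
  printf '%s\n' "$1" | sed "s|^|set firewall group network-group $GROUP_NAME network |"
}

# plan FEED -> command list on stdout, or non-zero (and no commands) when the feed
# fails the sanity check, so a truncated download never empties the group
plan() {
  local nets count
  nets=$(filter_exempt "$(extract_networks "$1")")
  count=$(printf '%s\n' "$nets" | grep -c . || true)
  if [ "$count" -lt "$MIN_RECORDS" ]; then
    echo "refusing to apply: only $count usable records (minimum $MIN_RECORDS)" >&2
    return 1
  fi
  build_commands "$nets"
}

# fingerprint COMMANDS -> hash used to skip a commit when nothing changed
fingerprint() { printf '%s' "$1" | sha256sum | cut -d' ' -f1; }

# changed COMMANDS -> true (0) when the plan differs from the last one applied
changed() { [ "$(fingerprint "$1")" != "$(cat "$STATE_FILE" 2>/dev/null)" ]; }

# apply COMMANDS -> run them in one commit through the config wrapper (VyOS only;
# the task-scheduler runs as root, so no sudo here)
apply() {
  local cmd
  if [ ! -x "$WRAPPER" ]; then echo "not on VyOS; nothing applied" >&2; return 0; fi
  "$WRAPPER" begin
  while read -r cmd; do
    # $cmd is intentionally unquoted so the wrapper receives the words separately
    "$WRAPPER" $cmd || { "$WRAPPER" end; return 1; }
  done <<EOF
$1
EOF
  "$WRAPPER" commit && "$WRAPPER" end && fingerprint "$1" >"$STATE_FILE"
}

# Stand-alone run: plan the constructed sample, show the commands, apply if on VyOS.
if commands=$(plan "$SAMPLE_FEED"); then
  printf '%s\n' "$commands"
  if changed "$commands"; then apply "$commands"; else echo "group unchanged; no commit"; fi
fi
```

On the router you would replace SAMPLE_FEED with the contents of the downloaded file (`plan "$(cat /config/scripts/drop_v4.json)"`) and let the scheduled task call this instead of the two scripts above; the MIN_RECORDS threshold is the part worth tuning, since the DROP list normally carries far more than a handful of entries and a sudden drop to a few records means the download, not the list, is what changed.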
I use a similar script that downloads the Spamhaus blocklist every 3 days and applies it.
Did you look at what I linked? That is basically that same thing but now built in.
As for lists, there’s the Firehol website which has lots of good ones. Finding the right balance is hard though.
If you’re exposing web services you need to protect, the newish Anubis project seems to be very good.