Guard Your Server With IPSet
A firewall is the first line of defense for any computer directly exposed to the Internet. On Linux, however, iptables is not a user-friendly tool: it is low-level and can look quite cryptic at first glance. This is why suites like CSF have been developed; they still require more than basic knowledge of the OS, but they provide a far friendlier interface and a richer feature list.
Iptables is but a front end to the underlying kernel framework known as netfilter. A number of extensions have been written for netfilter that allow sophisticated analysis and processing of packets, but one of the most powerful of them, ipset, is very often overlooked.
What is ipset? In short, it lets a single iptables rule match a large set of IP addresses and/or networks, and the contents of that set can be changed at run time without touching the iptables rules or their startup/configuration files. The ipset utility, shipped in the ipset package, does all of it.
Iptables has one primary flaw: it does not scale. Rules in a chain are evaluated one after another, so in the worst case every packet has to traverse all the rules before it is accepted or rejected. With 20-30 rules that is fine; with 2-3 thousand rules it is still fine; with many more, iptables slows the system down to the point of freezing.
Ipset, on the other hand, stores its entries in hash or bitmap structures with very quick lookups. On a live system where every packet is checked against 250 thousand addresses/networks, ipset adds a delay of less than 0.05 seconds (the system in question has 2 virtual CPU cores at 2.4 GHz and 4 GB of memory).
Read a detailed iptables vs. ipset benchmark study if you want confirmation. The question is whether one really has to filter that many IPs.
Modern Cyber Threats
Let's do a quick experiment, shall we? Set up a fresh, empty VPS and watch who connects to it. Just write a record to the system log every time anyone initiates a TCP connection.
Most likely you will see that your VPS is bombarded with TCP connection attempts probing all the popular ports (SMTP, IMAP4, POP3, SSH and so on). This is not an attack or a port scan deliberately aimed at you. You are just another IP address that has ventured onto the 'Net, and so you will be analyzed.
I prefer to list the source addresses of such probes as suspicious. The reason is simple: nobody scans other people's VMs just for fun.
Are there other IP addresses worth blocking and/or filtering? The answer is YES.
More sophisticated filtering can be done by loading and applying published IP blacklists such as:
- the DROP/EDROP lists from SpamHaus,
- StopForumSpam's dynamic blacklist (addresses used by comment spammers),
- MyIP's blacklists of IPs exhibiting suspicious behavior,
...and perhaps several others. Together these give the 250+ thousand entries mentioned earlier.
One of the most useful features of ipset is hot swapping sets on the fly, without restarting the firewall or interrupting any service. Create a second set of the same type, fill it with the new entries, and run a command like:
ipset swap set1 set2
The two sets exchange their contents while the names stay put: set1, the one your iptables rule references, now holds the entries you loaded into set2, and set2 holds the old ones. All that remains is to destroy set2, which now contains only the stale entries.
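Putting the pieces together as an added example (not the author's code): a script that turns a plain blocklist file into `ipset restore` input, loads it into a staging set of the same type, swaps it under the live rule and destroys the stale set. The set name `blacklist`, the `.new` suffix, the `maxelem` value and the sample list are assumptions for this illustration; the parts that need root only run when `IPSET_APPLY=1` is set.

```shell
#!/bin/sh
# Added example: load a blocklist into a staging ipset and hot-swap it under the live rule.
# Set name, ".new" suffix, maxelem value and the sample list are assumptions for this example.
set -eu

# Turn a blocklist (one IPv4 address or CIDR per line, '#' comments, CRLF tolerated) read
# from stdin into "ipset restore" commands for set $1. Malformed lines are reported, not loaded.
blocklist_to_restore() {
    awk -v set="$1" '
        { sub(/\r$/, ""); sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
        $0 == "" { next }
        /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ { print "add " set " " $0; next }
        { print "skipping malformed entry: " $0 | "cat 1>&2" }
    '
}

# Number of entries a blocklist on stdin would load. Check this before swapping so an
# empty or truncated download never replaces a good set with nothing.
count_entries() {
    blocklist_to_restore x | grep -c '^add ' || true
}

# Make sure exactly one iptables rule references the set. The rule never changes; only the set does.
ensure_rule() {
    name=$1
    iptables -C INPUT -m set --match-set "$name" src -j DROP 2>/dev/null ||
        iptables -I INPUT -m set --match-set "$name" src -j DROP
}

# Load stdin into "<set>.new" and swap it with the live set. Both sets must be the same
# type; hash:net holds addresses and networks, and maxelem is raised because the default
# (65536) is too small for a 250k-entry list. Needs root.
swap_in_blocklist() {
    name=$1
    ipset -exist create "$name" hash:net maxelem 1048576
    ipset -exist create "$name.new" hash:net maxelem 1048576
    ipset flush "$name.new"
    blocklist_to_restore "$name.new" | ipset restore
    ensure_rule "$name"
    ipset swap "$name.new" "$name"   # the live rule now matches the freshly loaded entries
    ipset destroy "$name.new"        # holds the old entries after the swap; discard them
}

# Constructed sample blocklist (RFC 5737 documentation ranges), not a real feed.
sample_blocklist() {
    cat <<'EOF'
# constructed sample, not a real feed
192.0.2.0/24        # TEST-NET-1
198.51.100.7
garbage-line
203.0.113.0/25
EOF
}

if [ "${IPSET_APPLY:-0}" = 1 ]; then
    # Real use: replace sample_blocklist with the downloaded and concatenated feeds.
    [ "$(sample_blocklist | count_entries)" -gt 0 ] || { echo "empty blocklist, not swapping" >&2; exit 1; }
    sample_blocklist | swap_in_blocklist blacklist
else
    sample_blocklist | blocklist_to_restore blacklist.new
fi
```

The important detail is the order: the staging set is fully loaded before `ipset swap`, so there is never a moment when the rule matches a half-filled or empty set, and the count check refuses to swap in an empty list at all.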
All in All
Ipset, wherever it is supported (any Linux kernel that ships the ipset modules), should be used to cut log file sizes and speed up firewall processing. It also reduces the memory footprint compared with thousands of individual rules.
If you are using OpenVZ virtualization, you are out of luck: its custom kernel is incompatible with ipset at the moment.