Monthly Archives: May 2013

Faster IPSET loading

IPSETs are a very efficient way to manage a large list of IP addresses for your iptables firewall. Rather than have an individual rule for each and every address or network that needs to be dropped or rejected, with ipsets you can have a single iptables rule that tests an entire list of addresses. The rule would look something like this:

-I INPUT -m set --match-set blacklist src -j DROP

where the -m set tells iptables to look for an ipset with a name given by the --match-set option. In this case, the ipset’s name is blacklist. (Note: this will give you an error if you haven’t already created an ipset by that name). You can create an ipset by scripting something like this:

ipset --create blacklist iphash

After the ipset has been created, the next task is to load the IP addresses from the blacklist into it. Bonekracker has a nice post on the Gentoo forums with information on how to do this from a text file with blacklisted IPs.

When I tried to use his approach for a 3,000+ entry blacklist, derived from my recent botnet attack, I found that it took a very long time (more than a minute) to load the blacklist into the ipset. A primitive approach to profiling showed that the slowdown was in the following code:

while [ $((--i)) -ge 0 ]; do
    ipset --add temp_ipset ${networks[i]}
done

where ipset --add ipset_name ip adds a single address to the ipset, so the loop runs one ipset process per address in the list. Unfortunately, this is very slow.

A faster approach is to use the ipset restore command. In order to use it, the text file needs to be formatted in a special way by adding "add ipset_name" in front of each IP address in the list, like so:

add temp_ipset 223.205.23.116
add temp_ipset 223.206.41.73
add temp_ipset 223.207.124.81
add temp_ipset 223.207.179.208

Then you can replace the while loop above with the following single command (where $ipset is the ipset command and $ip_list is the reformatted file), and voila, a 10x to 100x speedup:

$ipset restore < $ip_list

With this change, loading the ipset is nearly instantaneous and I have no qualms about loading my 3,696 entry bad boy list into an ipset on each bootup, effectively locking the barn door now that the horse is gone.
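As an added example (not from the post or from Bonekracker's script), here is a small POSIX shell helper that turns a plain blacklist file, one IPv4 address or CIDR network per line, into the "add ipset_name ip" lines that ipset restore expects, and then loads the whole list in one ipset call. The set name, the comment handling and the malformed-entry check are my own assumptions; the set is expected to exist already, as described above.

```shell
#!/bin/sh
# Added example: build "ipset restore" input from a plain blacklist and
# load it with a single ipset invocation instead of one per address.

# to_restore_format SETNAME
# Reads the plain list on stdin and writes "add SETNAME ENTRY" lines on
# stdout. Blank lines and '#' comments are skipped. Anything that is not a
# dotted-quad IPv4 address with an optional /prefix is reported on stderr
# and dropped, so a single bad line cannot abort the whole restore.
# (Octet range checking is left to ipset itself, which rejects e.g. 300.1.1.1.)
to_restore_format() {
    set_name=$1
    while IFS= read -r line || [ -n "$line" ]; do
        # strip comments and surrounding whitespace
        entry=$(printf '%s' "$line" | sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -n "$entry" ] || continue
        if printf '%s\n' "$entry" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'; then
            printf 'add %s %s\n' "$set_name" "$entry"
        else
            printf 'skipping malformed entry: %s\n' "$entry" >&2
        fi
    done
}

# load_blacklist SETNAME LISTFILE
# One "ipset restore" for the entire list: this is where the speedup over
# a per-address "ipset --add" loop comes from. Needs root and the ipset
# tool, and the set must already exist (e.g. "ipset --create blacklist iphash").
load_blacklist() {
    to_restore_format "$1" < "$2" | ipset restore
}

# Usage (constructed path):
#   load_blacklist blacklist /etc/firewall/blacklist.txt
```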

Hope this helps you make use of ipsets for your firewall.

Sneaky IE10 Default Change

[Rant] It’s no secret that Microsoft has been aggressively pushing Internet Explorer 10 (IE10) on their Windows 7 customers, for example by changing the Importance rating in Windows Update from the usual “Recommended” to “Important”. It’s a little beyond me why all the other Internet Explorer version upgrades were “Recommended”, but suddenly IE10 is “Important”. What makes it so special?

Apparently, this isn’t enough control for Microsoft. With the installation of IE10, a new, tiny little checkbox has appeared on – of all places – the IE10 About page. What does the check box do? It authorizes the installation of new IE versions automatically. Since this is new, intrusive behavior, one would expect to see the checkbox defaulted to “Off”. Not so. It seems that actually asking up front whether they want a new version of IE runs the risk that people might actually say “no”. Having a tiny checkbox hidden away on an obscure page does away with this risk to Microsoft’s IE marketing plans.

This is just plain sneaky. No one ever looks at their About page. Why hide it there instead of on the Internet Options dialog? And why make the default be to install new versions automatically?

This kind of thing is not just annoying. It’s dirty rotten sneaky. Sneaky, sneaky, sneaky. They should be ashamed of themselves. [/Rant]

Botnet Attack

As has been extensively publicized elsewhere, a very large scale botnet has been organized to attack sites using WordPress. This site has the dubious honor to have been included this last weekend.

The attack attempts to log in to the site using the user name “admin” or a number of variants on that name, then uses a dictionary of common passwords to try to brute force a log in. Attempts to thwart the attack by blocking individual IP addresses are a common response, but with over 1666 distinct IP addresses used in the attack anything short of automatic detection and blocking is more or less fruitless.

Some statistics:

  • Total attempts: 2,291
  • May 7 attempts: 241
  • May 10 attempts: 1,285
  • May 11 attempts: 792

Here’s a file containing the details, in the event that someone somewhere with the power to investigate these things might find it helpful.