--- categories: [''] date: 2022-04-19T14:00:06+02:00 description: "iblock: a tool to block scanner on unused ports, TCP connections, adding the IP to a Packet Filter table, on OpenBSD, using inetd service." draft: false include_toc: true show_comments: false tags: ['Monitoring','TCP','OpenBSD','PF','inetd'] title: "iblock: block scanner TCP connections under OpenBSD" translationKey: 'iblock-openbsd' --- ## Description **iblock** is a software whose purpose is to detect TCP connections, on specific ports, in order to block the corresponding IP adresses, through Packet Filter. The inetd service is responsible for active listening. - Author: Solène Rapenne - URL: https://tildegit.org/solene/iblock.git - list of banned URLs: http://perso.pw/blocklist.txt ## Installation Let's start with the copy of Git depository: ```sh $ git clone https://tildegit.org/solene/iblock.git $ cd iblock ``` Compile the binary — *OpenBSD contains natively the appropriate tools*: ```sh $ doas make cc -o iblock main.c ; vérifions la présence du binaire $ ls -al iblock -rwxr-xr-x 1 root moi 8496 Apr 10 12:23 iblock* ``` *If the compilation phase does not run correctly, contact Solène!* Solène did not create the "install" target, so let's copy it into the target directory: ```sh $ doas cp iblock /usr/local/bin/ $ ls -al /usr/local/bin/iblock -rwxr-xr-x 1 root wheel 8496 Apr 10 12:26 /usr/local/bin/iblock* ``` Let's move to the configuration: ## Configuration ### _iblock In first, create a dedicated user, named **_iblock**: `$ doas useradd -s /sbin/nologin _iblock` ### doas - Configuration file: `/etc/doas.conf` Now, add the below rule into the doas configuration file to allow the dedicated user to use `pfctl`: `permit nopass _iblock cmd /sbin/pfctl` ### inetd - Configuration file: `/etc/inetd.conf` Configure the **inetd** service: ```conf 666 stream tcp nowait _iblock /usr/local/bin/iblock iblock blocked_tcp 666 stream tcp6 nowait _iblock /usr/local/bin/iblock iblock blocked_tcp ``` - **666**: used port — *of course, you can change…* - the **_iblock** user manage the binary `iblock` - the last argument: the name of the added parameter to the IP addresses stored in the PF table. And, now, let's active and start the service: ```sh $ doas rcctl enable inetd && doas rcctl start inetd ``` ### shutdown Create a "backup" file to make the future table persistent in PF, on server shutdown and restart: ```sh # touch /etc/pf-blocked_tcp.txt ``` And, create|modify the `/etc/rc.shutdown` file: ```conf pfctl -t blocked_tcp -T show > /etc/pf-blocked_tcp.txt ``` ### PF Here is an instance of rules to add to Packet Filter: 1. one variable, named **block_tcp_ports**: a set of ports to monitor 2. one persistent table, named **blocked_tcp**. 3. the blocking rule, labeled **iblock**. 4. the two ultime rules analyze the TCP flow, on IPv(4|6) protocols, by active listening on the stored ports into the **block_tcp_ports** variable, and then redirect on the local interface, to the port **666**. ```conf block_tcp_ports = "{ 21 23 111 135 137:139 445 1433 3306 3389 5432 6000:6010 7890 9999 25565 27019 }" table persist file "/etc/pf-blocked_tcp.txt" ### iblock: block all in table block in quick from label iblock ### iblock: redirect to inetd service on localhost pass in quick on egress inet proto tcp to port $block_tcp_ports rdr-to 127.0.0.1 port 666 pass in quick on egress inet6 proto tcp to port $block_tcp_ports rdr-to ::1 port 666 ``` {{< note info >}} By default, the set of the ports are FTP, telnet, DNS, RPC, SMB, MSSQL, MySQL, PostgreSQL, Minecraft, Steam.
I add: X11, Goaccess, pfstat; *it's up to you…* {{}} {{< note warning >}} If you are hosting a service, such as DNS, you will block all connections, because by default the appropriate port 53 is scanned.
*(this applies to any service you host!)* {{}} Remember: reload the rule set:
`$ doas pfctl -f /etc/pf.conf` ## Monitoring > But, who is the monitor? ⇒ The activity is recorded in the two logs 'daemon' and 'messages'. ```sh $ grep iblock /var/log/messages Apr 10 12:26:38 sh1 iblock: blocking 46.23.148.71 Apr 10 12:30:28 sh1 iblock: blocking 180.225.98.236 Apr 10 12:31:48 sh1 iblock: blocking 46.23.157.246 Apr 10 12:32:43 sh1 iblock: blocking 95.57.218.103 Apr 10 12:36:00 sh1 iblock: blocking 103.89.91.158 Apr 10 12:38:41 sh1 iblock: blocking 23.128.248.41 ``` ⇒ Also, `pfctl` can show us the different IP addresses registered into the PF table: ```sh $ doas pfctl -t blocked_tcp -T show 23.128.248.41 46.23.148.71 46.23.157.246 95.57.218.103 103.89.91.158 180.225.98.236 ``` or event to use it to find the related statistics to — *[see documentation for column meaning](https://man.openbsd.org/pfctl#s~8)*: ```sh $ doas pfctl -sl | grep iblock iblock 44666 1188 58504 1188 58504 0 0 0 ``` ⇒ It's possible to monitoring the user **_iblock** — *but, in this case, not very useful*: - `top -U _iblock` - `fstat -u _iblock -n` - `ps aux -U _iblock` ### munin If you want to get statistics with {{< tag munin >}}, Solène provided me a script, to be executed with the rights of the user **_munin**: ```conf #!/bin/sh if [ "$1" = "config" ]; then echo "graph_title Banned IP absolute number" echo "graph_vlabel gauge" echo "a1.label value" exit 0 fi printf "a1.value " doas /sbin/pfctl -t blocked_tcp -T show | sort -n -u | awk 'END { print NR }' ``` This need to modify the configuration of {{< anchor doas doas >}} to allow the user **_munin** to use `pfctl`: ```conf # iblock: auth _munin-plugin to use pfctl permit nopass _munin-plugin cmd /sbin/pfctl args -t blocked_tcp -T show ``` --- Below, here a view of statistics of blocked IP addresses, gived by Solène, Ci-dessous, voici une image de statistiques d'adresses IP bloquées, restituée par Solène, on 2022/10/04: {{< img a="Statistics of IP addresses blocked with iblock" s="monitor/iblock-stats.png" w="250" >}} ## Troubleshooting Into the both logs 'daemon' and 'messages', see the message: `inetd[69849]: execv /usr/local/bin/iblock: No such file or directory` **Make sure you have compiled and copied the iblock binary to the target directory!** --- Voila! ---