Page 1 of 1

How to create a rule to allow access to port from certain IP

Posted: 14 Jun 2014, 07:00
by Sarge
Hello to everyone !
Is it possible to use CSF to allow access to a port only from a certain IPs ?
It seems to be a simple question - but I did not find an answer yet.

Let's say I have SMTP on 110 port.
I want to allow access only from external IP 68.192.172.14 and 85.5.39.156 (what means only these 2 IPs are allowed to send emails)
All other Ips must be blocked by default.

Thank you in advance for a hint "how to" !

Regards
Serge

Re: How to create a rule to allow access to port from certai

Posted: 16 Jun 2014, 04:48
by Sergio
First, don't add the port to TCP/UDP allowed list of ports in "FIREWALL CONFIGURATION".
Then add the IPs to the "FIREWALL ALLOW IPs" with the port that you want:

# Advanced port+ip filtering allowed with the following format
# tcp/udp|in/out|s/d=port|s/d=ip
# See readme.txt for more information
#
tcp|in|d=110|s=68.192.172.14
tcp|out|d=110|s=68.192.172.14

tcp|in|d=110|s=85.5.39.156
tcp|out|d=110|s=85.5.39.156

Something out of the question, port 110 is not for sending emails, port 110 is to receive emails; port 25 is the one to send emails.

Sergio

Re: How to create a rule to allow access to port from certai

Posted: 16 Jun 2014, 13:19
by Sarge
Sergio, thank you VERY MUCH for the answer !
Let me ask your opinion about a complex REGEX rule, although I'm not sure this is possible with CSF or LFD.

Let's say we see in our apache_access_log too many accesses from an IP to the pages like
"http://example.domain/search.php?query= ... end=Submit"
"http://example.domain/search.php?query= ... end=Submit"
All accesses are successful, but TOO much for a single IP.

Let's say we want to restrict the access to such pages/search queries - no more than 50 requests per 60 seconds from a single IP.
If more - it means it's not a human search - so we need to block the IP for a certain time as LFD does.

Task 1 - we have to analyze the log for */search.php?query=* to calculate - is there an access exceeding our rules ?
Task 2 - we have to place somewhere a rule to block such an IP for a certain time - and this blocking action must be performed by LFD.

The idea is very same like LFD but not for login failure - for too much accesses to a certain page - what page ?- we define that by a REGEX rule analyzing apache_log PLUS calculating how much "access from an IP per 60 second" to such pages PLUS comparing with our rule - and as a last step - creating an IPTABLE blocking rule similar what LFD does for login failures.

Have you ever heard about a firewall instrument what allows to arrange such a blocking on Linux server ?

I found Fail2ban - but it does approximately same what LFD does, again blocks only login failures.

Thank you for any hint in advance !
Have a nice day !
Regards
Serge

Re: How to create a rule to allow access to port from certai

Posted: 16 Jun 2014, 16:03
by Sergio
You can create that rule and add it to CSF, please read /usr/local/csf/bin/regex.custom.pm for more information.

Re: How to create a rule to allow access to port from certai

Posted: 16 Jun 2014, 16:55
by Sarge
I agree, but there is direct reference to a pattern in apache_log like
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ pure-ftpd: \(\?\@(\d+\.\d+\.\d+\.\d+)\) \[WARNING\] Authentication failed for user/)) {
return ("Failed myftpmatch login from",$1,"myftpmatch","5","20,21","1");
}

In my case we have just like
"http://example.domain/search.php?query= ... end=Submit"
+
our maxlevel rule 60 seconds / 50 "search.php?query" from IP XX.XX.XXX.XX = 1.2 maxlevel

How to find any pattern *search.php?query* ?
How to calculate more complex maths like
60 seconds / 60 "search.php?query" from IP 76.65.463.16 = 1 AND compare with our rule above where maxlevel = 1.2 ?
Because it's less that our maxlevel 1 - it means we have to block IP 76.65.463.16 for 1 hour (for example) ?

Dear Sergio :) I guess it's not simple, although I'm surprised a little why such a rule never used before.
I'm thanking you anyway for your hints - but seems CSF/LFD can't do it ?

Best regards,
Serge



There is no complex math

Re: How to create a rule to allow access to port from certai

Posted: 16 Jun 2014, 18:15
by Sergio
As you said in a prior post:
Let's say we see in our apache_access_log too many accesses from an IP to the pages like
"http://example.domain/search.php?query= ... end=Submit"
"http://example.domain/search.php?query= ... end=Submit"
All accesses are successful, but TOO much for a single IP.
Then you have to create your own regex rule using all that info, the example the file is just for reference. You can create any rule you want.

For some examples of regex rules created for regex.custom.pm see the sticky: viewtopic.php?f=6&t=7517