CSF - LFD blocking on Openvz Hostnode

CSF-LFD openvz hostnode blocking

Created some scripts for blocking IPs directly on the OpenVZ hostnode,
including a notify script from VPS to node for (temporary) blocking and unblocking.

Hostnode requirements:
CSF/LFD installed
ipset (yum install ipset)

OpenVZ container:
CSF/LFD installed
sshpass (yum install sshpass)

These scripts notify the hostnode (through ssh) that an IP must be blocked or unblocked on the hostnode.
The IP is blocked before it reaches the venet0 interface. (Security: right at the doorstep of your VPS network.)

The hostnode takes care of all blocking through ipset (which can handle a huge number of IPs inside iptables). (Result: performance increase.)
VPS servers on OpenVZ cannot use ipset because of OpenVZ kernel restrictions, so they are limited to the CSF IP deny limit (DENY_IP_LIMIT in csf.conf).

The hostnode also blocks all RBL lists used in csf.blocklists for all VPS servers attached to venet0.
So the RBL option should no longer be enabled in csf.conf on the VPS servers. (Result: performance increase.)

I'm not a shell/iptables programmer, I just needed a script that does the job!
So it is possible that some code can be simplified (any ideas are welcome).
I hope you find it useful. Do you like it? Get social with us and share!

Best regards,
Marco Tidu

Container (VPS) changes

Install sshpass (yum install sshpass)

Create the folder notify-hostnode in /etc/csf/

Upload config.conf into the /etc/csf/notify-hostnode/ folder.
Upload notify.sh into the /etc/csf/notify-hostnode/ folder and chmod the file 755.
Upload remove.sh into the /etc/csf/notify-hostnode/ folder and chmod the file 755.

Change SSHPASS and SSHACCOUNT to your needs inside config.conf

Edit csf.conf, find the line starting with BLOCK_REPORT = ""
and change the line to read BLOCK_REPORT = "/etc/csf/notify-hostnode/notify.sh"

Edit csf.conf, find the line starting with UNBLOCK_REPORT = ""
and change the line to read UNBLOCK_REPORT = "/etc/csf/notify-hostnode/remove.sh"

FILENAME: config.conf

# Password of the hostnode account used by sshpass (this file holds it in clear text: chmod 600)
SSHPASS="password"
# StrictHostKeyChecking=no skips host key verification; once the hostnode key is in
# known_hosts, set it to yes so the container only ever talks to the real hostnode.
SSHCOMMAND="ssh -p 22 -T -o StrictHostKeyChecking=no -o BatchMode=no"
SSHACCOUNT="user@yourhostnode.com"

FILENAME: notify.sh

#!/bin/bash
###########################################################################################
#
# Virtual containers
#
# Needs sshpass for the connection to the hostnode (yum install sshpass)
# Create the folder notify-hostnode in /etc/csf/
# Add this notify.sh file into the folder /etc/csf/notify-hostnode/ and chmod the file 755
#
# Edit csf.conf, find the line starting with BLOCK_REPORT = ""
# and change the line to read BLOCK_REPORT = "/etc/csf/notify-hostnode/notify.sh"
#
# CSF/LFD calls this script with the blocked IP (or CIDR network) as $1.
# The login shell of the hostnode account must be bash ([[ ]] is used remotely).
#
###########################################################################################

###########################################################################################
# Add a specific IP address to the blacklist set on the hostnode through ssh
###########################################################################################
DIR="${BASH_SOURCE%/*}"
source "$DIR/config.conf"

# The heredoc is unquoted on purpose: $1 is expanded locally, so the hostnode receives
# the literal IP/CIDR inside the ipset commands it has to run.
sshpass -p "$SSHPASS" $SSHCOMMAND $SSHACCOUNT << EOF_run_commands

###########################################################################################
## Check IPv4 or IPv6 (an IPv6 address contains a colon)
###########################################################################################
if [[ "$1" =~ .*:.* ]]
then
  ###########################################################################################
  ## IPv6: add to set blacklist_6, or to blacklist_class_6 if it is a network (CIDR)
  ###########################################################################################
  if [[ "$1" == *"/"* ]]
  then
    ipset add -exist blacklist_class_6 $1
    # Remember the network so it can be re-added after a CSF restart
    # (the path is relative to the ssh login directory of the hostnode account)
    echo "ipset add -exist blacklist_class_6 $1" >> ../csf_class_6_block.sh
  else
    ipset add -exist blacklist_6 $1
  fi
else
  ###########################################################################################
  ## IPv4: add to set blacklist, or to blacklist_class if it is a network (CIDR, e.g. /24)
  ###########################################################################################
  if [[ "$1" == *"/"* ]]
  then
    ipset add -exist blacklist_class $1
    echo "ipset add -exist blacklist_class $1" >> ../csf_class_block.sh
  else
    ipset add -exist blacklist $1
  fi
fi
EOF_run_commands
exit

FILENAME: remove.sh


#!/bin/bash
###########################################################
# CSF remove IP from hostnode (OpenVZ)
#
# Add this remove.sh file into the folder /etc/csf/notify-hostnode/ and chmod the file 755
#
# Edit csf.conf, find the line starting with UNBLOCK_REPORT = ""
# and change the line to read UNBLOCK_REPORT = "/etc/csf/notify-hostnode/remove.sh"
#
# CSF/LFD calls this script with the unblocked IP (or CIDR network) as $1.
############################################################

###########################################################################################
# Remove a specific IP address from the blacklist set on the hostnode through ssh
###########################################################################################
DIR="${BASH_SOURCE%/*}"
source "$DIR/config.conf"

# Unquoted heredoc: $1 is expanded locally before the commands are sent to the hostnode.
# -exist makes ipset ignore an entry that is already gone.
sshpass -p "$SSHPASS" $SSHCOMMAND $SSHACCOUNT << EOF_run_commands

###########################################################################################
## Check IPv4 or IPv6 (an IPv6 address contains a colon)
###########################################################################################
if [[ "$1" =~ .*:.* ]]
then
  ###########################################################################################
  ## IPv6: remove from set blacklist_6, or from blacklist_class_6 if it is a network (CIDR)
  ###########################################################################################
  if [[ "$1" == *"/"* ]]
  then
    ipset del -exist blacklist_class_6 $1
  else
    ipset del -exist blacklist_6 $1
  fi
else
  ###########################################################################################
  ## IPv4: remove from set blacklist, or from blacklist_class if it is a network (CIDR, e.g. /24)
  ###########################################################################################
  if [[ "$1" == *"/"* ]]
  then
    ipset del -exist blacklist_class $1
  else
    ipset del -exist blacklist $1
  fi
fi
EOF_run_commands
exit

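Both notify.sh and remove.sh splice $1 straight into the commands the hostnode runs, so it pays to check the value first. The following is an added example (not part of the original post) that validates the address CSF hands to BLOCK_REPORT/UNBLOCK_REPORT and maps it to the hostnode set with the same rules the scripts use (colon = IPv6 sets, slash = the *_class hash:net sets); the function names valid_address, target_set and hostnode_command are assumptions of this example.

```shell
#!/bin/sh
# Return 0 if $1 is a plain IPv4/IPv6 address or CIDR network, 1 for anything else.
# Because $1 ends up inside the ssh heredoc, only hex digits, ':', '.' and '/' may pass.
valid_address() {
    a=$1
    case $a in
        ''|*[!0-9A-Fa-f:./]*) return 1 ;;
    esac
    # IPv4: four dotted octets (each checked to be <= 255), optional /0-32 prefix
    if printf '%s\n' "$a" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'; then
        oldifs=$IFS; IFS=.
        for o in ${a%%/*}; do
            if [ "$o" -gt 255 ]; then IFS=$oldifs; return 1; fi
        done
        IFS=$oldifs
        return 0
    fi
    # IPv6: hex groups separated by colons, optional /0-128 prefix
    case $a in *:*) ;; *) return 1 ;; esac
    printf '%s\n' "$a" | grep -Eq '^[0-9A-Fa-f:]{2,39}(/([0-9]|[1-9][0-9]|1[01][0-9]|12[0-8]))?$'
}

# Print the hostnode set for $1: blacklist, blacklist_class, blacklist_6 or blacklist_class_6.
target_set() {
    valid_address "$1" || return 1
    set_name=blacklist
    case $1 in */*) set_name=${set_name}_class ;; esac
    case $1 in *:*) set_name=${set_name}_6 ;; esac
    printf '%s\n' "$set_name"
}

# Print the exact ipset command for the hostnode: $1 = add (block) or del (unblock), $2 = address.
hostnode_command() {
    case $1 in add|del) ;; *) return 1 ;; esac
    s=$(target_set "$2") || return 1
    printf 'ipset %s -exist %s %s\n' "$1" "$s" "$2"
}
```

Calling hostnode_command add "$1" at the top of notify.sh (and del in remove.sh) and aborting on a non-zero exit keeps anything that is not an address away from the hostnode shell.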

TIP! Use ssh multiplexing to limit the number of connections to the hostnode

I recommend using ssh multiplexing (so open ssh connections are reused).
Create ~/.ssh/config for the user that needs to connect to the hostnode:

host *
    ControlMaster auto
    ControlPath ~/.ssh/master-%r@%h:%p.socket
    ControlPersist 30m

Save the config file and restart sshd

service sshd restart

OpenVZ Hostnode changes

Install ipset (yum install ipset)
Change inside /etc/csf/csf.conf

LF_IPSET = "0" to LF_IPSET = "1"
and change the deny IP limit (adjust to the CPU power and memory of the hostnode)
DENY_IP_LIMIT = "200" to DENY_IP_LIMIT = "10000"

Upload csfpre.sh into the /etc/csf/ folder (you should/could already have this..)
Upload csfpost.sh into the /etc/csf/ folder

FILENAME: csfpre.sh

#!/bin/sh
# Runs before CSF builds its own rules: accept all traffic on the container side (venet0)
# so the hostnode's CSF rules do not filter container traffic. The DROP rules for
# harmful IPs are inserted in front of these ACCEPT rules by csfpost.sh.
iptables -A INPUT -i venet0 -j ACCEPT
iptables -A OUTPUT -o venet0 -j ACCEPT
iptables -A FORWARD -j ACCEPT -p all -s 0/0 -i venet0
iptables -A FORWARD -j ACCEPT -p all -s 0/0 -o venet0
ip6tables -A INPUT -i venet0 -j ACCEPT
ip6tables -A OUTPUT -o venet0 -j ACCEPT
ip6tables -A FORWARD -j ACCEPT -p all -s 0/0 -i venet0
ip6tables -A FORWARD -j ACCEPT -p all -s 0/0 -o venet0

FILENAME: csfpost.sh


#!/bin/sh
##################################################################################
# CSF-LFD Hostnode (OpenVZ) block IPs (iptables + ipset) on all CT
#
# ipset doesn't work inside a CT (OpenVZ kernel restrictions), but works on the hostnode.
# ipset can hold a really huge IP set for the iptables firewall to match against,
# blocking all harmful IPs directly at the front door of your VPS servers.
#
# Requires: ipset (yum install ipset) (verify ipset works: bash# ipset list)
# Enable ipset usage in csf.conf on the HOSTNODE (restart csf: bash# csf -ra)
#
# Written: Marco Tidu
# Website: https://www.mangelot-hosting.nl
##################################################################################

##################################################################################
# SSH NOTIFICATION OF A HARMFUL IP FROM A VPS TO THE HOSTNODE
# (requires the notify/remove scripts on the CT and CSF, see SECTION: Reporting Settings)
#
# Requires: sshpass (yum install sshpass)
# Advice: 1. Use ssh multiplexing (faster ssh connections)
#         2. Allow the IPs of the CTs in csf.allow on the HOSTNODE
#
# Block an IP notified by a CT on the HOSTNODE interface venet0 (ipset),
# so blocked IPs never reach any other CT on the same HOSTNODE.
##################################################################################

echo ""
echo "##################################################################################"
echo "Starting CSF/LFD Hostnode Blocker for OpenVZ containers"
echo "##################################################################################"
echo ""

# Insert DROP rules on venet0 (INPUT, OUTPUT and both FORWARD directions) for every
# source address contained in an ipset.  $1 = iptables or ip6tables, $2 = set name.
drop_set() {
    "$1" -I INPUT   -i venet0 -m set --set "$2" src -j DROP
    "$1" -I OUTPUT  -o venet0 -m set --set "$2" src -j DROP
    "$1" -I FORWARD -i venet0 -m set --set "$2" src -j DROP
    "$1" -I FORWARD -o venet0 -m set --set "$2" src -j DROP
}

# Exact-name test whether an ipset exists (a plain substring grep would let
# bl_BDE match bl_BDEALL and create rules for a set that is not there).
set_exists() {
    ipset list -n | command grep -qx "$1"
}

##################################################################################
# Create the ipset sets used by the iptables blocking rules
# (-exist makes the create a no-op when the set already exists;
#  the IPv6 sets need "family inet6", otherwise ipset creates an IPv4 set)
##################################################################################

## IPv4 (for the CSF notify from inside the CT)
echo "Create IPv4 blacklist"
ipset create -exist blacklist hash:ip hashsize 4096
echo "Create IPv4 blacklist (for network classes CIDR)"
ipset create -exist blacklist_class hash:net hashsize 4096
echo ""

## IPv6 (for the CSF notify from inside the CT)
echo "Create IPv6 blacklist"
ipset create -exist blacklist_6 hash:ip family inet6 hashsize 4096
echo "Create IPv6 blacklist (for network classes CIDR)"
ipset create -exist blacklist_class_6 hash:net family inet6 hashsize 4096
echo ""

##################################################################################
# Block all notified IPv4 or IPv6 addresses (example: xxx.xxx.xxx.xxx)
##################################################################################
echo "Create IPv4 blacklist rules"
drop_set iptables blacklist
echo "Create IPv6 blacklist_6 rules"
drop_set ip6tables blacklist_6
echo ""

##################################################################################
# Block all notified IPv4 or IPv6 networks (example: xxx.xxx.xxx.xxx/24)
##################################################################################
echo "Create IPv4 blacklist_class rules"
drop_set iptables blacklist_class
echo "Create IPv6 blacklist_class_6 rules"
drop_set ip6tables blacklist_class_6
echo ""

##################################################################################
# If CSF (HOSTNODE) has denied IPs (csf.deny) then deny them on all CT
# (csf > ipset > chain_DENY for IPv4, chain_6_DENY for IPv6)
##################################################################################
echo "Create IPv4 rules: HOSTNODE /etc/csf/csf.deny entries will be blocked inside the CTs"
drop_set iptables chain_DENY
echo "Create IPv6 rules: HOSTNODE /etc/csf/csf.deny entries will be blocked inside the CTs"
drop_set ip6tables chain_6_DENY
echo ""

##################################################################################
# Also include the RBL lists (IPv4) activated on the HOSTNODE.
# The IP never reaches the CT; the HOSTNODE (ipset) blocks everything on venet0.
#
# HOSTNODE: Enable RBL lists in csf.blocklists
# CT: Disable RBL in csf.blocklists (the hostnode does the hard work)
#
# Advantage: smaller footprint on the CT (numiptent / csf.conf > DENY_IP_LIMIT)
##################################################################################
for RBL in bl_SPAMDROP bl_SPAMEDROP bl_DSHIELD bl_TOR bl_BOGON bl_HONEYPOT bl_CIARMY \
           bl_BFB bl_RBN bl_OPENBL bl_AUTOSHUN bl_MAXMIND bl_BDE bl_BDEALL; do
    # Only add rules for the lists CSF actually created (enabled in csf.blocklists)
    if set_exists "$RBL"; then
        echo "Create IPv4 rules: RBL $RBL will be blocked inside the CTs"
        drop_set iptables "$RBL"
    fi
done

echo ""
echo "##################################################################################"
echo "Running CSF/LFD Hostnode Blocker for OpenVZ containers"
echo "##################################################################################"
echo ""
echo "CSF has been (re)started so the ipset tables have been flushed"
echo "You can re-add the previously blocked IPv4 networks with the command: ./csf_class_block.sh"
echo "or IPv6 networks by executing: ./csf_class_6_block.sh"
echo ""