Forum Discussion
Create Datagroup/iRule to use with Brute Force IP List
Hello,
How do I set up a Datagroup that has hundreds and hundreds of IPs and then create an iRule that uses this list to block traffic on ALL PORTS? It appears that the F5 Data Group Editor
only allows you to enter one IP address at a time.
Here is the IP address list that I want to use to set up the Datagroup; then I need
the info on how to use that Datagroup in an iRule to block traffic on ALL PORTS.
http://danger.rulez.sk/projects/bruteforceblocker/blist.php
Thank you.
20 Replies
- hoolio
Cirrostratus
Hi Chad,
If you want to do this once, you could convert the input data into the data group format for your LTM version and then merge it into the configuration.
Data group formats:
https://devcentral.f5.com/tech-tips/articles/v11-irules-data-group-updates
Merge info: https://devcentral.f5.com/wiki/tmsh.BigpipeMappings.ashx
tmsh load /sys config file /path/to/file.txt merge
If you want to update the data group on a regular basis, you could write an iControl script off of LTM or a tmsh script on LTM which downloads the blacklist, converts it to an external file and then imports it into the config. Here's a post on one portion of this:
https://devcentral.f5.com/community/group/asg/53/aft/2159165/showtab/groupforums2235504
Aaron
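The conversion step described above (blocklist text to a data group that `tmsh load /sys config file /path/to/file.txt merge` can import), as an added example that is not part of this thread. It assumes the one-address-per-line shape of the list, with trailing `#` comments, and the v11 `ltm data-group internal ... type ip` stanza layout; the sample list below is constructed, not the live bruteforceblocker list.

```python
import ipaddress

# Constructed sample in the shape of a one-address-per-line blocklist:
# first token is the address (or CIDR), anything after '#' is a comment.
SAMPLE_BLIST = """\
# IP            # last reported / count (constructed sample, not the live list)
115.236.99.195  # 2013-01-30 12:01:00 4
142.4.117.129   # 2013-01-31 11:12:27 2
142.4.117.129   # duplicate entry, should be collapsed
10.0.0.0/24     # a whole network
2001:db8::1     # IPv6 is accepted by 'type ip'
not-an-address  # junk line, skipped
"""


def parse_blocklist(text):
    """Return a sorted, de-duplicated list of ip_network objects from the list text."""
    nets = set()
    for line in text.splitlines():
        tokens = line.split("#", 1)[0].strip().split()  # drop comments, take first field
        if not tokens:
            continue
        try:
            # strict=False lets a host bit set inside a CIDR through (e.g. 10.0.0.1/24)
            nets.add(ipaddress.ip_network(tokens[0], strict=False))
        except ValueError:
            continue  # skip anything that is not an address or CIDR
    # IPv4 before IPv6, then by network address; versions are never compared directly
    return sorted(nets, key=lambda n: (n.version, n))


def to_tmsh_datagroup(name, nets):
    """Render an 'ltm data-group internal' stanza (assumed v11 tmsh syntax) for merge."""
    records = "".join(f"        {n.with_prefixlen} {{ }}\n" for n in nets)
    return (f"ltm data-group internal {name} {{\n"
            f"    records {{\n{records}    }}\n"
            f"    type ip\n}}\n")


if __name__ == "__main__":
    # Write the output to a file and merge it with:
    #   tmsh load /sys config file /path/to/file.txt merge
    print(to_tmsh_datagroup("source-ips", parse_blocklist(SAMPLE_BLIST)), end="")
```

Hosts are emitted as /32 (or /128) records so the same stanza holds single addresses and whole networks; on a 10.x box the older `class` format from the linked article is needed instead.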
- What_Lies_Bene1
Cirrostratus
The actual iRule would look like this and would need to be applied to a wildcard Virtual Server:
# Create a Data Group (called source-ips below) with just the IP addresses of the hosts you'd like to reject
when CLIENT_ACCEPTED {
    if { [class match [IP::addr [IP::client_addr]] equals source-ips] } {
        # Use drop to silently drop rather than reject which sends a RST
        reject
    }
}
- hoolio
Cirrostratus
class match performs a bitwise comparison of the IP address already, so you can remove that part:
when CLIENT_ACCEPTED {
    if { [class match [IP::client_addr] equals source-ips] } {
        # Use drop to silently drop rather than reject which sends a RST
        reject
    }
}
Aaron
- What_Lies_Bene1
Cirrostratus
Thanks.
- ChadBigIP_14663
Nimbostratus
I am on version 10.2.0
When I use the F5 iRule Editor, I go into Tools, and bring up the Data Group Editor.
There are options for Address, Integer and String.
I press Add under Address
Name: source-ips
Address: 115.236.99.195
I do not have to put anything after the / where the other input field is, right?
Then, after I add in some IPs, I press Create.
Where do I put in DROP?
when CLIENT_ACCEPTED {
    if { [class match [IP::client_addr] equals source-ips] } {
        # Use drop to silently drop rather than reject which sends a RST
        reject
    }
}
Then I can use the iRule Editor and put this rule into each Virtual Server that I choose then, and use the >> arrows to move it
to Using this Rule then press OK.
Right?
Thanks!
-Chad
- The_Bhattman
Nimbostratus
Hi Chad,
I believe Hoolio means the following
If you want to drop without sending a RST
when CLIENT_ACCEPTED {
    if { [class match [IP::client_addr] equals source-ips] } {
        drop
    }
}
or
If you want to send a RST
when CLIENT_ACCEPTED {
    if { [class match [IP::client_addr] equals source-ips] } {
        reject
    }
}
I hope this helps
=Bhattman=
- ChadBigIP_14663
Nimbostratus
Thanks. That worked perfectly!
- ChadBigIP_14663
Nimbostratus
Is it better to have REJECT or DROP?
Which is the best way to handle this when you are out right blocking IP addresses, or if you are using
the Quova Database to block a particular country outright? REJECT or DROP?
Thanks.
- What_Lies_Bene1
Cirrostratus
This calls for the classic 'it depends' answer! Reject and you're telling the source you are rejecting them, but you're saving some minimal resources as hopefully the client won't keep trying. With drop, the source doesn't know immediately that you are rejecting their traffic, but you'll no doubt see more retries; however, I'm sure they will work it out in short order.
- ChadBigIP_14663
Nimbostratus
Here is another question:
In my Apache logs, I am seeing these:
142.4.117.129 - - [31/Jan/2013:11:12:27 -0500] "GET http://www.mmadsgadget.com/t?id=cbf37bc9-5698-f7c4-0938-5ca431da2d2d&size=300x250 HTTP/1.0" 302 219 "http://www.homesearchcar.com/?p=1252" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 95)"
The initial GET should be originating from my server like: GET "/dr1/home/index.html" 200 864 "Mozilla/4.0 (compatible; MSIE 5.5; Windows 95)"
The initial GET is an EXTERNAL domain...which is BAD. But all responses from Apache are 302 (Redirect).
I think they are trying to use my server as a Proxy - but they are getting the response 302 from Apache.
Is there a way to create an iRule to prevent these from even hitting the webservers and DROP or REJECT directly from the iRule?
Maybe take the domain and put it into the iRule and if it is present, then DROP or REJECT?
I would like to just block the IP, but as you can see from this URL: http://www.projecthoneypot.org/ip_142.4.117.129 - there
are hundreds of IPs in the 142.X.XXX.XXX network. That is why, if the iRule could look at the GET request domain, maybe
this would just deny the requests and take care of the hundreds of IPs that are trying this redirect exploit....
Thanks.
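A way to confirm from the Apache logs which requests carry an absolute URI for a domain the server does not host (the proxy-style probes described in the post above), as an added example that is not part of this thread. It assumes the combined log format shown above and a constructed set of served hostnames (`www.example.com`); the sample lines below are constructed, with the first mirroring the one quoted in the post.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in Apache combined log format.
SAMPLE_LOG = """\
142.4.117.129 - - [31/Jan/2013:11:12:27 -0500] "GET http://www.mmadsgadget.com/t?id=cbf37bc9-5698-f7c4-0938-5ca431da2d2d&size=300x250 HTTP/1.0" 302 219 "http://www.homesearchcar.com/?p=1252" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 95)"
142.4.118.7 - - [31/Jan/2013:11:12:29 -0500] "GET http://www.mmadsgadget.com/t?id=abc HTTP/1.0" 302 219 "-" "Mozilla/4.0"
203.0.113.5 - - [31/Jan/2013:11:13:01 -0500] "GET /dr1/home/index.html HTTP/1.1" 200 864 "-" "Mozilla/5.0"
203.0.113.9 - - [31/Jan/2013:11:13:05 -0500] "GET http://www.example.com/dr1/home/index.html HTTP/1.1" 200 864 "-" "Mozilla/5.0"
"""

# Hostnames this server legitimately answers for (assumed for the example).
SERVED_HOSTS = {"www.example.com"}

# Client IP, timestamp, then the quoted request line split into method / target / protocol.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
                    r'(?P<status>\d{3}) (?P<size>\S+)')
ABSOLUTE_URI_RE = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.IGNORECASE)


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def foreign_absolute_host(rec, served_hosts):
    """Return the target host when the request line carries an absolute URI for a host we
    do not serve (the proxy-style pattern), otherwise None."""
    target = rec["target"]
    if not ABSOLUTE_URI_RE.match(target):
        return None  # origin-form target such as /dr1/home/index.html is normal
    host = (urlsplit(target).hostname or "").lower()
    return None if host in served_hosts else host


def summarize(log_text, served_hosts):
    """Count proxy-style requests by source IP and by requested foreign host."""
    by_ip, by_host = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        host = foreign_absolute_host(rec, served_hosts) if rec else None
        if host:
            by_ip[rec["ip"]] += 1
            by_host[host] += 1
    return by_ip, by_host
```

Counting by requested host rather than by source IP gives the domain-based view the post asks about, since many source addresses converge on one foreign hostname.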