We undertook this effort to resolve several challenges around excessive alerting on intrusion attempts against our infrastructure. Initially we considered simply filtering the messages out of our alert system, but on looking into the issue more closely we realized we had a number of requirements our existing infrastructure did not satisfy:
- Deny access from geographies where we do not currently plan to provide services.
- Keep the solution lightweight: it must consume few system resources and add minimal latency to our network responses.
- Reduce the load on services that were under siege from attackers attempting to compromise them.
- Still allow responses to requests we make to vendors whose support operations are located in high-risk geographies.
Considering the security and system-load implications of simply filtering the alert messages, we chose instead to block all traffic originating from geographies where we do not currently plan to provide services, while still allowing responses from those geographies when we request services or updates. We implemented this with the native iptables support in the Linux kernel on our servers. On systems where ipset is present, we use ipset to reduce the number of firewall rules required and thus the per-packet evaluation cost. The script defaults to not using ipset, since it is not universally available. In that case we construct the rules as a tree of chains, so that each packet is evaluated against only the branch covering its address rather than the full list of ranges; as a rudimentary performance optimization we estimate this reduces rule evaluation overhead by up to 95%.
IPTables-CB (Country Block) is implemented as a script in the style of a sysvinit / systemd service. We chose this form to keep the per-country IP range definitions up to date while minimizing queries to the IP-to-country mapping providers, and to generate a saved iptables rule file that any Linux server can load quickly into the kernel with iptables-restore. It is also available as an installable rpm for both SysVinit and systemd service management.
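The following script is an added example (not IPTables-CB's own code) that builds the kind of iptables-restore file described above from a small constructed list of country ranges. It emits two layouts from the same input: an ipset layout (one hash:net set per country, one rule per set) and a tree layout that splits rules into per-leading-octet chains; the per-octet split is an assumed illustration of the "tree" idea, not the project's actual chain layout. Both layouts accept loopback and conntrack ESTABLISHED,RELATED traffic before any geo rule runs, which is what lets replies from blocked geographies reach us when we initiated the request. The country codes XA/XB and the documentation address blocks are constructed sample data.

```shell
#!/bin/sh
# Added example: generate iptables-restore / ipset-restore input that drops
# inbound packets from per-country ranges while accepting replies to our own
# outbound connections. Not the IPTables-CB project's code.

# Constructed sample data ("<country> <cidr>"): documentation address blocks,
# NOT real country allocations.
CB_RANGES='
XA 203.0.113.0/24
XA 198.51.100.0/25
XB 198.51.100.128/25
XB 192.0.2.0/24
'

# Sorted, distinct country codes present in CB_RANGES.
cb_countries() {
    printf '%s\n' "$CB_RANGES" | while read -r cc cidr; do
        if [ -n "$cc" ]; then printf '%s\n' "$cc"; fi
    done | sort -u
}

# Sorted, distinct leading octets present in CB_RANGES (tree branches).
cb_octets() {
    printf '%s\n' "$CB_RANGES" | while read -r cc cidr; do
        if [ -n "$cc" ]; then printf '%s\n' "${cidr%%.*}"; fi
    done | sort -u
}

# Table header: builtin chains plus the CB-GEO chain all geo rules hang off.
cb_header() {
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]' ':CB-GEO - [0:0]'
}

# Rules shared by both layouts. Replies to connections we opened match
# ESTABLISHED,RELATED and are accepted before CB-GEO is consulted.
cb_common_rules() {
    printf '%s\n' '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -j CB-GEO'
}

# ipset layout, part 1: input for `ipset restore` (sets must exist before
# iptables-restore references them).
cb_ipset_sets() {
    for cc in $(cb_countries); do
        printf 'create cb-%s hash:net family inet\n' "$cc"
    done
    printf '%s\n' "$CB_RANGES" | while read -r cc cidr; do
        if [ -n "$cc" ]; then printf 'add cb-%s %s\n' "$cc" "$cidr"; fi
    done
}

# ipset layout, part 2: one DROP rule per country set, however many ranges.
cb_ipset_rules() {
    cb_header
    cb_common_rules
    for cc in $(cb_countries); do
        printf '%s\n' "-A CB-GEO -m set --match-set cb-$cc src -j DROP"
    done
    printf 'COMMIT\n'
}

# Tree layout (assumed illustration): CB-GEO dispatches on the /8 of the
# source address into a per-octet chain, so a packet is compared only with
# the ranges that share its leading octet instead of every range.
cb_tree_rules() {
    cb_header
    for o in $(cb_octets); do printf ':CB-%s - [0:0]\n' "$o"; done
    cb_common_rules
    for o in $(cb_octets); do
        printf '%s\n' "-A CB-GEO -s $o.0.0.0/8 -j CB-$o"
    done
    printf '%s\n' "$CB_RANGES" | while read -r cc cidr; do
        if [ -n "$cc" ]; then
            printf '%s\n' "-A CB-${cidr%%.*} -s $cidr -m comment --comment $cc -j DROP"
        fi
    done
    printf 'COMMIT\n'
}

# Usage: sh cb-gen.sh ipset > rules.v4   or   sh cb-gen.sh tree > rules.v4
case "${1:-}" in
    ipset) cb_ipset_rules ;;
    sets)  cb_ipset_sets ;;
    tree)  cb_tree_rules ;;
esac
```

To load the ipset layout, run `ipset -exist restore < sets` first and then `iptables-restore < rules.v4`; the tree layout needs only `iptables-restore`. Note that both layouts only touch the INPUT chain, and that the conntrack ACCEPT deliberately lets a host in a blocked geography talk back to us for as long as a connection we opened stays established.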
Configuration follows the common convention for system services and is controlled through environment settings in /etc/sysconfig/iptables-cb-config. To enable rule generation with ipset, comment out the line that reads “IPSET=”; the script then locates the ipset binary and generates the rules accordingly. Left in place, the empty IPSET= value keeps ipset disabled, which is the default.