EntryRise
/
MineWall
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity
Browse Source

Major detection improvement

master
Stefatorus 3 years ago
parent
d3a321a0d9
commit
8ea1dcab97
2 changed files with 11 additions and 10 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 19
      Tools/firewall.sh
  2. 2
      Tools/whitelister.sh

19
Tools/firewall.sh
View File

@ -33,13 +33,13 @@ apt -y -qq install curl iptables-persistent ipset conntrack > /dev/null
yum -y install curl iptables-service ipset-service conntrack > /dev/null yum -y install curl iptables-service ipset-service conntrack > /dev/null
echo "Installed required depends." echo "Installed required depends."
# The port you want to protect. for ranges, use FROM:TO # The port you want to protect. for ranges, use FROM:TO
protect_port=20003
protect_port=25565
# Max graylisted connections per second. This can be higher, and ensures an attack won't be too high for the second pass firewall. # Max graylisted connections per second. This can be higher, and ensures an attack won't be too high for the second pass firewall.
graylist_verified=100
graylist_unverified=15
graylist_concurrent=3
graylist_verified=8
graylist_unverified=7
graylist_concurrent=2
# How many bytes before sending the player to the remote checker to check for info. Please don't change if you don't # How many bytes before sending the player to the remote checker to check for info. Please don't change if you don't
# know what you're doing as you may get yourself locked out of the API. # know what you're doing as you may get yourself locked out of the API.
@ -47,7 +47,7 @@ graylist_concurrent=3
checker_minconn=26214400 checker_minconn=26214400
# MISC. THESE VALUES MAY CHANGE IN THE FUTURE # MISC. THESE VALUES MAY CHANGE IN THE FUTURE
target_chain=INPUT
target_chain=DOCKER
country_list="https://raw.githubusercontent.com/herrbischoff/country-ip-blocks/master/ipv4/" country_list="https://raw.githubusercontent.com/herrbischoff/country-ip-blocks/master/ipv4/"
safety_list="https://api.entryrise.com/minewall/" safety_list="https://api.entryrise.com/minewall/"
@ -64,7 +64,7 @@ ipset destroy mw_graylist
ipset destroy mw_whitelist ipset destroy mw_whitelist
ipset destroy mw_checklist ipset destroy mw_checklist
ipset -N -! mw_blacklist hash:net maxelem 100000 timeout 300
ipset -N -! mw_blacklist hash:net maxelem 100000 timeout 3600
ipset -N -! mw_graylist hash:net maxelem 100000 ipset -N -! mw_graylist hash:net maxelem 100000
ipset -N -! mw_whitelist hash:net maxelem 100000 ipset -N -! mw_whitelist hash:net maxelem 100000
ipset -N -! mw_checklist hash:net maxelem 30 timeout 300 ipset -N -! mw_checklist hash:net maxelem 30 timeout 300
@ -76,7 +76,7 @@ for ip in $(curl -L $safety_list/{wireless,residential,business}.iplist); do
done done
# Create the graylist of safer countries. It's really important for the base check. # Create the graylist of safer countries. It's really important for the base check.
echo "Generating graylist for the firewall..." echo "Generating graylist for the firewall..."
for ip in $(curl -L $country_list/{ro,hu,gb,au,dk,bg,ie,pt,gr}.cidr); do
for ip in $(curl -L $country_list/{gb,de,fr,ro}.cidr); do
ipset -A mw_graylist $ip ipset -A mw_graylist $ip
done done
@ -91,9 +91,10 @@ done
iptables -A MineWall -p tcp --dport $protect_port -m set --match-set mw_whitelist src -j ACCEPT iptables -A MineWall -p tcp --dport $protect_port -m set --match-set mw_whitelist src -j ACCEPT
iptables -A MineWall -p tcp --dport $protect_port -m set --match-set mw_blacklist src -j DROP iptables -A MineWall -p tcp --dport $protect_port -m set --match-set mw_blacklist src -j DROP
iptables -A MineWall -p tcp --dport $protect_port --syn -m set --match-set mw_graylist src -m limit --limit $graylist_verified/s -j ACCEPT
iptables -A MineWall -p tcp --dport $protect_port --syn -m connlimit --connlimit-above $graylist_concurrent -j DROP
iptables -A MineWall -p tcp --dport $protect_port --syn -m limit --limit $graylist_unverified/s -j ACCEPT iptables -A MineWall -p tcp --dport $protect_port --syn -m limit --limit $graylist_unverified/s -j ACCEPT
iptables -A MineWall -p tcp --dport $protect_port --syn -m connlimit ! --connlimit-above $graylist_concurrent -j ACCEPT
iptables -A MineWall -p tcp --dport $protect_port --syn -m set --match-set mw_graylist src -m limit --limit $graylist_verified/s -j ACCEPT
iptables -A MineWall -p tcp --dport $protect_port --syn -j DROP iptables -A MineWall -p tcp --dport $protect_port --syn -j DROP

2
Tools/whitelister.sh
View File

@ -5,7 +5,7 @@ safety_list="https://api.entryrise.com/minewall/"
# Make sure to change protect port to your own protect port. # Make sure to change protect port to your own protect port.
# $6 > X means the packet count before validating user. # $6 > X means the packet count before validating user.
# Recommending a value for X between 10k (~100 seconds) and 50k (~500 seconds) for validation) # Recommending a value for X between 10k (~100 seconds) and 50k (~500 seconds) for validation)
command_check=$(conntrack -L | awk '{if ($6 > 10000 && $4 == "ESTABLISHED" && $8 == "dport=20003") print $5}');
command_check=$(conntrack -L | awk '{if ($6 > 300000 && $4 == "ESTABLISHED" && $8 == "dport=20003") print $5}');
#command_check=$(conntrack -L | awk '{if ($6 > PACKETS_TO_WHITELIST && $4 == "CONNECTION FULLY RUNNING" && $8 == "dport=PORT OF SERVER") print $5}'); #command_check=$(conntrack -L | awk '{if ($6 > PACKETS_TO_WHITELIST && $4 == "CONNECTION FULLY RUNNING" && $8 == "dport=PORT OF SERVER") print $5}');
echo "Updating blacklist for firewall." echo "Updating blacklist for firewall."

Write Preview
Loading…
Cancel
Save