From 8ea1dcab976ac0469678f4b7e9cad65c47fb23c8 Mon Sep 17 00:00:00 2001
From: Stefatorus
Date: Sat, 30 Oct 2021 12:13:43 +0300
Subject: [PATCH] Major detection improvement
---
 Tools/firewall.sh | 19 ++++++++++---------
 Tools/whitelister.sh | 2 +-
 2 files changed, 11 insertions(+), 10 deletions(-)
diff --git a/Tools/firewall.sh b/Tools/firewall.sh
index f6fb667..432b656 100644
--- a/Tools/firewall.sh
+++ b/Tools/firewall.sh
@@ -33,13 +33,13 @@ apt -y -qq install curl iptables-persistent ipset conntrack > /dev/null
 yum -y install curl iptables-service ipset-service conntrack > /dev/null
 echo "Installed required depends."
 # The port you want to protect. for ranges, use FROM:TO
-protect_port=20003
+protect_port=25565
 # Max graylisted connections per second. This can be higher, and ensures an attack won't be too high for the second pass firewall.
-graylist_verified=100
-graylist_unverified=15
-graylist_concurrent=3
+graylist_verified=8
+graylist_unverified=7
+graylist_concurrent=2
 # How many bytes before sending the player to the remote checker to check for info. Please don't change if you don't
 # know what you're doing as you may get yourself locked out of the API.
@@ -47,7 +47,7 @@ graylist_concurrent=3
 checker_minconn=26214400
 # MISC. THESE VALUES MAY CHANGE IN THE FUTURE
-target_chain=INPUT
+target_chain=DOCKER
 country_list="https://raw.githubusercontent.com/herrbischoff/country-ip-blocks/master/ipv4/"
 safety_list="https://api.entryrise.com/minewall/"
@@ -64,7 +64,7 @@ ipset destroy mw_graylist
 ipset destroy mw_whitelist
 ipset destroy mw_checklist
-ipset -N -! mw_blacklist hash:net maxelem 100000 timeout 300
+ipset -N -! mw_blacklist hash:net maxelem 100000 timeout 3600
 ipset -N -! mw_graylist hash:net maxelem 100000
 ipset -N -! mw_whitelist hash:net maxelem 100000
 ipset -N -! mw_checklist hash:net maxelem 30 timeout 300
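Review bot: `target_chain=DOCKER` in the second hunk points the MineWall hook at a chain that the Docker daemon owns and rebuilds on restart, so a rule inserted there from this script is liable to disappear the next time dockerd comes up; Docker's documented hook for user-managed rules is the DOCKER-USER chain, which it creates once and leaves alone, so `target_chain=DOCKER-USER` is the safer value for a Docker host. DOCKER-USER sits in the FORWARD path, though, so it only covers ports published to containers; a server process running directly on the host is still reached via INPUT, and on a host without Docker neither chain exists and the insert would fail outright. Since this is the one value every installer must get right, it would be better read from the environment with INPUT as the fallback, e.g. `target_chain=${MINEWALL_CHAIN:-INPUT}`, and commented with the Docker-vs-host distinction. How `$target_chain` is consumed is outside this hunk, so the exact failure mode is inferred.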
@@ -76,7 +76,7 @@ for ip in $(curl -L $safety_list/{wireless,residential,business}.iplist); do
 done
 # Create the graylist of safer countries. It's really important for the base check.
 echo "Generating graylist for the firewall..."
- for ip in $(curl -L $country_list/{ro,hu,gb,au,dk,bg,ie,pt,gr}.cidr); do
+ for ip in $(curl -L $country_list/{gb,de,fr,ro}.cidr); do
 ipset -A mw_graylist $ip
 done
@@ -91,9 +91,10 @@ done
 iptables -A MineWall -p tcp --dport $protect_port -m set --match-set mw_whitelist src -j ACCEPT
 iptables -A MineWall -p tcp --dport $protect_port -m set --match-set mw_blacklist src -j DROP
-iptables -A MineWall -p tcp --dport $protect_port --syn -m set --match-set mw_graylist src -m limit --limit $graylist_verified/s -j ACCEPT
+iptables -A MineWall -p tcp --dport $protect_port --syn -m connlimit --connlimit-above $graylist_concurrent -j DROP
+
 iptables -A MineWall -p tcp --dport $protect_port --syn -m limit --limit $graylist_unverified/s -j ACCEPT
-iptables -A MineWall -p tcp --dport $protect_port --syn -m connlimit ! --connlimit-above $graylist_concurrent -j ACCEPT
+iptables -A MineWall -p tcp --dport $protect_port --syn -m set --match-set mw_graylist src -m limit --limit $graylist_verified/s -j ACCEPT
 iptables -A MineWall -p tcp --dport $protect_port --syn -j DROP
diff --git a/Tools/whitelister.sh b/Tools/whitelister.sh
index 2a611ad..bd2dd2f 100644
--- a/Tools/whitelister.sh
+++ b/Tools/whitelister.sh
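Review bot: The rewritten graylist loop still feeds `curl -L` output straight into `ipset -A` with no failure check, so an HTTP error page or a truncated download from raw.githubusercontent.com is word-split into bogus `ipset -A mw_graylist <token>` calls and the script carries on with an empty or partial graylist, which silently demotes every non-whitelisted source to the unverified rate. `curl -fsSL` makes HTTP errors a non-zero exit, and checking that status (`|| { echo "graylist download failed" >&2; exit 1; }`) turns the degraded state into a visible failure instead of a quiet one. The lists are fetched from a moving `master` branch on every run, so the graylist's contents are whatever that repository serves at that moment; pinning a specific commit in `$country_list` would make the set reproducible and reviewable. `$country_list` is defined outside this hunk.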
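Review bot: In the -91 hunk the re-added graylist rule now sits after the unverified `-m limit` rule, and `-m limit` is one global token bucket rather than a per-source one, so graylisted clients draw first from the shared `$graylist_unverified/s` budget and only fall through to their own `$graylist_verified/s` bucket once it is empty; it also means a single noisy unverified source drains that budget for everyone, where the earlier ordering checked the graylist first. If a per-source rate is what is intended, `-m hashlimit --hashlimit-mode srcip --hashlimit-upto $graylist_unverified/s --hashlimit-name mw_unverified` expresses that; otherwise the graylist rule should go back in front of the unverified one and the reason stated in a comment. The new `connlimit --connlimit-above $graylist_concurrent -j DROP` is also evaluated before the graylist, so with the hunk-1 value of 2 any third concurrent player behind one NAT address is dropped regardless of country; a comment saying this is deliberate, or an explicit `--connlimit-mask`, would make the trade-off visible. The MineWall chain creation and its jump from `$target_chain` are outside this hunk.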
@@ -5,7 +5,7 @@ safety_list="https://api.entryrise.com/minewall/"
 # Make sure to change protect port to your own protect port.
 # $6 > X means the packet count before validating user.
 # Recommending a value for X between 10k (~100 seconds) and 50k (~500 seconds) for validation)
-command_check=$(conntrack -L | awk '{if ($6 > 10000 && $4 == "ESTABLISHED" && $8 == "dport=20003") print $5}');
+command_check=$(conntrack -L | awk '{if ($6 > 300000 && $4 == "ESTABLISHED" && $8 == "dport=20003") print $5}');
 #command_check=$(conntrack -L | awk '{if ($6 > PACKETS_TO_WHITELIST && $4 == "CONNECTION FULLY RUNNING" && $8 == "dport=PORT OF SERVER") print $5}');
 echo "Updating blacklist for firewall."
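Review bot: The awk filter still matches `$8 == "dport=20003"` while this same commit moves the firewall's `protect_port` default to 25565, so on a host running both scripts with their new defaults the whitelister never sees a matching ESTABLISHED flow and nobody is ever promoted to mw_whitelist; the port should come from one shared setting rather than two literals, e.g. `awk -v port="dport=$protect_port" '{if ($6 > 300000 && $4 == "ESTABLISHED" && $8 == port) print $5}'`. The raised threshold also leaves the comment above stale: it still recommends 10k–50k packets while the code now requires 300000, roughly 3000 seconds by the comment's own ratio, so the comment should state the new value and the reason for it. The field positions `$4`/`$6`/`$8` presume a fixed `conntrack -L` column layout for TCP entries that nothing here verifies, so a short comment naming the expected format would help the next person who sees an empty result. Where `$protect_port` would be sourced from in this file is outside the hunk.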