- Description
- ipset
- NATS
- Installation
- Configuration
- Installing your own server
- Autonomous
- Data collection
Diswall (distributed firewall) - a client of distributed firewall working on many servers and using NATS for the transport level. Its purpose - blocking IPs with a blink of the eye on all servers in any infrastructure when some IP checks any of the closed ports of anyone of these servers. Therefore, diswall provides good protection of whole infrastructure (as anti-shodan) preventing intruder to get any system information.
The source of these "bad" IP-addresses is firewall log. But it is possible to use other sources in future (for example logs of WAF). DisWall reads journald messages filtered by special rules, no other info is extracted from logs and is not sent anywhere. All acquired IPs are added to a set in nftables or list in ipset and any open connection with that IP is closed (to prevent any interaction with open ports, for example exploitation of web-based vulnerability). This IP is simultaneously sent through NATS to the central server (diswall.stream) and is distributed to all other diswall clients.
You can use the same approach to distribute allowed IPs as a convenient way to control firewalls on your servers. In contrast to blocklist allowlist is unique for every client, it supports comments and can store whole networks.
Now the banning intervals are variable - we ban for 15 minutes the first time, then 30 minutes, then an hour times scan attempts. There are IPs that are banned for several months already.
When your server is started diswall client gets actual block and allow lists from NATS server. This provides protection in accordance with any events that occurred on other servers when any of them was offline.
(If you use obsolete iptables instead of nftables.)
Diswall uses two ipset lists - for blocked addresses (diswall-bl
) and allowed ones (diswall-wl
).
Allow list is created by ipset create -exist diswall-wl hash:net comment
command.
It allows usage of whole networks and adding comments for every record.
Block list is created by ipset create -exist diswall-bl hash:ip hashsize 32768 maxelem 1000000 timeout 86400
command.
It allows adding only individual IPs and doesn't support comments.
By default, these subjects are used for IP publishing:
diswall.whitelist.<client_name>.add.<hostname>
- to add some IP to allowlist;diswall.whitelist.<client_name>.del.<hostname>
- to remove IP from allowlist;diswall.blacklist.<client_name>.add.<hostname>
- to add some IP to blocklist;diswall.blacklist.<client_name>.del.<hostname>
- to remove IP from blocklist.
Also, there are two special subject - diswall.blacklist.<client_name>.init.<hostname>
и diswall.whitelist.<client_name>.init.<hostname>
.
They are used for initialization of the system (populating diswall-bl and diswall-wl lists).
But the most important subject is diswall.blacklist.new
- the server, that is accumulating the IPs is sending all IPs to block with this subject.
The simplest way to install diswall on your server is to use autoinstall functionality in diswall itself:
curl -s https://get.diswall.stream | bash
or
wget -q -O - https://get.diswall.stream | bash
It will download a short script that will determine your architecture and get the latest appropriate release binary from GitHub. Then it will start installation procedure from this binary.
This will copy the binary to /usr/bin
, create systemd service, diswall config (/etc/diswall/diswall.conf
)
and configure nftables in /etc/nftables.conf
or add iptables initialization script at /usr/bin/diswall_init.sh
.
DisWall configuration file is located at /etc/diswall/diswall.conf
. Its format is TOML.
If you register on our website and enter credentials in this config you will get all blocked IPs in a blink of an eye.
But you can use DisWall without registration (using 'default/default' credentials). In this case you will not get "fresh" attackers IPs,
only those known to our DB and have banning period more than 1 day.
As said before the firewall configuration can be either in /etc/nftables.conf
or /usr/bin/diswall_init.sh
, depending on firewall installed.
But you can edit appropriate file by using simple command diswall -e
, it will run your preferred editor with appropriate file path.
Also, DisWall has command line arguments listed below.
-h, --help Print this help menu
-v, --version Print version and exit
--install Install DisWall as system service (in client mode)
--update Update DisWall to latest release from GitHub
--uninstall Uninstall DisWall from your server
-e --edit Edit firewall config
-i --interface Run text interface to see what's going on
-d, --debug Show trace messages, more than debug
-g, --generate Generate fresh configuration file. It is better to redirect contents to file.
-c, --config FILE Set configuration file path
--log FILE Set log file path
-f, --pipe-file FILE Named pipe from which to fetch IPs
-s, --nats-server DOMAIN NATS server name
-P, --port PORT NATS server port
-n, --name NAME NATS client name (login)
-p, --pass PASSWORD NATS password
-l, --local-only Don't connect to NATS server, work only locally
-a, --allow-list Allow list name
-b, --block-list Block list name
--wl-add-ip IP Add this IP to allow list
--wl-add-comm COMMENT Comment to add with IP to allow list
--wl-del-ip IP Remove IP from allow list
--bl-add-ip IP Add this IP to block list
--bl-del-ip IP Remove IP from block list
-k, --kill Kill already established connection using `ss -K`
--server Start diswall NATS server to handle init messages.
To install and host your own diswall server, you need to install NATS and start diswall in --server
mode.
You can find NATS installation instructions in documentation.
After installation, you need to adjust permissions: example is below, and more examples are in documentation:
$ cat /etc/nats.conf
...
authorization {
default_permissions = {
subscribe = ["diswall.blacklist.init", "diswall.blacklist.new"]
}
DW_SERVER = {
publish = "_INBOX.>"
subscribe = ["diswall.blacklist.*", "diswall.whitelist.*"]
}
USER1 = {
publish = ["diswall.blacklist.client1.*", "diswall.whitelist.client1.*"]
subscribe = ["_INBOX.>", "diswall.blacklist.new", "diswall.whitelist.client1", "diswall.whitelist.client1"]
}
users = [
{user: dw_server, password: "QuodLicetJovi", permissions: $DW_SERVER}
{user: client1, password: "NonLicetBovi", permissions: $USER1}
]
}
You will need to create separate config file: diswall -g > /etc/diswall/diswall-server.conf
and create separate systemd unit to run /usr/bin/diswall -c /etc/diswall/diswall/diswall-server.conf
.
Make sure you set the client name in this config to dw_server
and use appropriate password.
And don't forget to set server_mode = true
.
If you don't want diswall to work as distributed firewall you can start it in local only mode, just set localonly = true
in config file.
In this case it will block all IPs that it gets from iptables log file without connection to NATS server.
If your node blocks some IP it will send bad IP to NATS server, and this IP will be added to bad IPs database.