Vallumd: Tool to Centralize or Distribute IPset Blacklists

If you maintain a server on the Internet, it’s very expected that you encounter one or more brute force attacks. Not a problem, just install fail2ban. But if you’re running multiple servers, each of them running their fail2ban instance, they’ll all have unlike IP addresses in the ban list. Wouldn’t it be pleasant to have a mutual ban list across all your fail2ban instances? Or in case all your machines are behind a router or firewall you manage yourself, wouldn’t it be good to drop malicious traffic at the edge of your network? That’s exactly what vallumd assists to accomplish.  The name vallumd comes from the Latin word “vallum”, which means wall. And that’s what vallumd does: build a wall to protect your digital empire.

Usage

To use vallumd, you need an MQTT broker, like Mosquitto. Depending on your setup, you can run it on the same host that runs vallumd, but that’s no requirement. The next thing you need is an IPset. To give you full control over the type of IPset and its options, vallumd will not create the IPset itself. You can choose between these IPset types:

  • bitmap:ip
  • bitmap:net
  • hash:ip
  • hash:net

IPset creation example: ipset create blacklist hash:ip timeout 3600
Starting vallumd: vallumd -h 192.168.0.1 -t blacklist

This will listen for messages on the MQTT broker at 192.168.0.1, in the blacklist topic, and when a message is received, the IP address in the message will be added to or remove from the IPset named blacklist. So now we have everything in place to start adding IPs to the blacklist. All we have to do is configure our IDS, IPS or Honeypot to send malicious IP addresses to our MQTT broker.  For fail2ban, this could be done with the Mosquitto client mosquitto_pub. Create a new action in /etc/fail2ban/action.d/vallumd.conf:

[Definition]

actionban = mosquitto_pub -h 192.168.0.1 -q 2 -t blacklist/add -m <ip>actionunban = mosquitto_pub -h 192.168.0.1 -q 2 -t blacklist/del -m <ip>

And configure your fail2ban jails to use the vallumd action.

Ehacking Staff
With more than 50 global partners, we are proud to count the world’s leading cybersecurity training provider. EH Academy is the brainchild of Ehacking, which has been involved in the field of training since the past Five years and continues to help in creating professional IT experts.

Most Popular

How To Create A Virtual Penetration Testing Lab At Home

In this article, I will demonstrate how to create your own virtual penetration testing lab at home. Creating a pentesting lab is must for...

The Importance of Cyber Security in The Medical Device Industry

Medical devices are a revolutionary aspect of healthcare - they connect doctors and patients, help diagnose and treat diseases. Some - like ECMO machines...

Top 5 Techniques Hackers Use to hack Social Media Accounts

These days, Social Media have become a significant need in our everyday life. It encourages us to associate and connect with anyone over the...

5 Top Programming Languages for Hacking

We live in the 21st century, which is very fast-changing. This is a century of competition for information and computing resources. Every year the...