Real-time distributed firewall

Be part of a worldwide distributed defense system for FREE

Get started
57185
Blocked IPs right now
WP: 41802
SMTP: 49867
4601K
Blocked IPs for all time (unique)
SSH: 194919
Nginx: 9383

World's first real-time anti-scan/bot system
Hide your server from Shodan, ZoomEye, Censys etc
Reduce parasite traffic by 90% — accelerate your site
The analytics doesn't contain any garbage traffic
Motivation

Imagine, that someone is going from town to town and from home to home and takes accurate info about every door lock, and then this person is publishing all info on the Internet. This situation is horrible in real life, but in server administration world it is a common thing, and almost no one thinks about a defence against this kind of activity.

Port scans are indeed a common thing, we block about 1500 IPs that are scanning our honeypots in an hour. And almost any hacker attack starts from port scan to determine all services that are open to an intruder.

Therefore, the main goal of DisWall is to protect servers from this type of hostile activity. And we think that we’ve done a great job.

163k
Average blocked in month
7,5%
Constantly scanning IPs
217
Countries
How it works

DisWall is an extension for your firewall. It supports nftables and iptables. For the latter it needs ipset to be installed too. The main functionality is monitoring of attempts to scan inactive ports on your server and ban such IPs. Also, it monitors SSH brute-force attempts and Postfix SASL auth errors (also brute-force).

But if you use it in distributed mode, then you always have afresh list of active scanning IPs from our honeypots.

We have dozens of honeypots that are constantly banning such IPs and a server to maintain a database. Now the banning intervals are variable - we ban for 15 minutes the first time, then 30 minutes, then an hour * scan attempts. There are IPs that are banned for several months already.

Essentially, there are three parts of working DisWall:

  • Correctly configured firewall (nftables or iptables)
  • Logging facility (done by journald)
  • DisWall service that is reading IPs from journald and adds them to blocklist
What is iptables?
iptables is a generic (and old) firewalling software that allows you to define rulesets. Each rule within an IP table consists of a number of classifiers (iptables matches) and one connected action (iptables target).

But to work with big lists of IPs you need to install ipset - an extension to iptables, that adds an ability to work with lists of networks or IPs.

So, iptables can check any packet against a big list and do something if some IP belongs to the list or not.
What is nftables?
nftables is the successor of iptables, it allows for much more flexible, scalable and performant packet classification. This is where all the fancy new features are developed.

If you've installed a fresh and contemporary Linux distribution, then you probably have nftables installed.

And if you have nftables you don't need iptables&ipset.
Firewall configuration explained

Your firewall - iptables or nftables is configured to allow local and established connections as well as connections from explicitly defined IPs and/or networks.
In case of iptables it is done in /usr/bin/diswall_init.sh and this script is run by a service diswall-ipt-init,
but in case of nftables it is done in /etc/nftables.conf and is run by nftables service itself.

In simple terms, there are two lists/sets to allow connections (diswall-wl) and to block connections (diswall-bl).

If some packet is not explicitly allowed then it is logged, and then DisWall reads it and blocks it by adding it to ipset list or nftables set.

Distributed part

DisWall itself would be a very simplistic app and would not get to its goal — to ban most of the port-scanning bots out there if it would not have network layer. Every DisWall can connect to our NATS-server to be able to get new banned IPs from our special honeypots.

Just register at the page start, confirm your e-mail, enter credentials to /etc/diswall/diswall.conf file and restart the service. Your local diswall will be getting new IPs to block on a constant basis. If some our honeypot blocks an IP it will get to you in a matter of milliseconds.

Getting started
Dependencies

First of all you will need some dependencies to be installed.

  1. Install nftables or check if it already exists. Alternatively, you can install iptables and ipset (sudo apt install iptables ipset). And if you have some other firewall (like ufw or firewalld) uninstall it.
  2. If you want to use quick-install script from our site — make sure you have jq installed (sudo apt install jq).
Installation

You can use one of two options for quick installation of DisWall (downloads binary from GitHub):

  • curl -s https://get.diswall.stream | bash — if you have curl installed
  • wget -q -O - https://get.diswall.stream | bash — if you have wget installed

If you want to do it manually, go to releases on GitHub and download binary yourself.

Configuration
  1. If you want to use full-fledged DisWall then you need to register on diswall.stream, confirm e-mail and copy credentials from our mail to /etc/diswall/diswall.conf.
  2. If you don’t want to register you can test it with default credentials, but you will not get most recent attacker’s IPs.
  3. This step maybe is most important if you already have some firewall configuration. Run diswall -e it will open autogenerated rules for nftables/iptables with your preferred text editor. Check that config. You can add some other rules to allow all connections from your home or office IPs no matter what to be sure that if something goes wrong you can connect to your server via SSH and correct things.

Ideally, only after these steps you should enable and start diswall service (sudo systemctl enable --now diswall).

Options and features
Config options

You can change default ipset lists names from diswall-bl and diswall-wl to anything you want. Just don’t forget to change them in /etc/nftables.conf or /usr/bin/diswall_init.sh too.

You can disable online functionality by changing local_only to false. But it is not recommended as the main purpose of DisWall is to provide distributed operation.

NATS configuration, and in particular client_name and client_pass should be familiar to you already — these you fill up when you register on DisWall website and install it on your server.

You can also change hostname of your server in communication with NATS-server. It doesn’t need to be the same as your true hostname.

If you don’t want to send statistics about how many IPs did you block and how many packets/bytes was dropped or accepted by your server, then you can disable sending stats to our server by changing send_statistics to false.

Commandline options
All commandline parameters you can see if you run diswall -h,
but here they are:
-h, --help Print this help menu
-v, --version Print version and exit
--install Install DisWall as system service (in client mode)
--update Update DisWall to latest release from GitHub
--uninstall Uninstall DisWall from your server
-e --edit Edit firewall config
-i --interface Run text interface to see what's going on
-d, --debug Show trace messages, more than debug
-g, --generate Generate new configuration file. It is better to redirect contents to file.
-c, --config FILE Set configuration file path
--log FILE Set log file path
-f, --pipe-file FILE Named pipe from which to fetch IPs
-s, --nats-server DOMAIN NATS server name
-P, --port PORT NATS server port
-n, --name NAME NATS client name (login)
-p, --pass PASSWORD NATS password
-l, --local-only Don't connect to NATS server, work only locally
-a, --allow-list Allow list name
-b, --block-list Block list name
--wl-add-ip IP Add this IP to allow list
--wl-add-comm COMMENT Comment to add with IP to allow list
--wl-del-ip IP Remove IP from allow list
--bl-add-ip IP Add this IP to block list
--bl-del-ip IP Remove IP from block list
-k --kill Kill already established connection using `ss -K`
--server Start diswall NATS server to handle init messages.
Privacy
  • Open-source. You can build your service without us
  • We do not collect any sophisticated telemetry, just bad IPs and blocked/accepted traffic counts
  • We do nothing on your server just add bad IPs to block-list
  • Read full privacy policy.
Plans
Free
Forever FREE Anti scan subscription if you share your bad IPs with us
Get started
Enterprise
Anti scan subscription for enterprise
Ask us
Blocking stats
Number of blocked IPs for the last hour
FAQ
What if our command server is down?
Your own servers will exchange IP info between themselves.
What if our NATS server is down?
Nothing bad happens. Your servers will continue ban IPs that are scanning them.
What if my IP will get banned for some reason? By mistake.
Hopefully, if your server will not try to connect to blocked ports of other servers with DisWall, this ban will wear off after 15 minutes. If in doubt just add your IPs to allow list of your other servers. If your IP is blocked by mistake you can reach us by sending e-mail to the mail address that you've obtained your password from when you've registered on our website.
What if something is going on very bad?
If your server is blocking some legitimate IP or something is going wrong you can disable DisWall by service diswall stop and flushing iptables by iptables -F INPUT.
How can I find what a problem is and try to fix it?
Check if some IP is in ipset list: ipset save diswall-bl | grep 1.2.3.4, if it is there you can just remove id from the list: ipset del diswall-bl 1.2.3.4. DisWall prints logs to syslog, therefore you can search IP there: grep 1.2.3.4 /var/log/syslog. If you need more info about diswall working process you can add -d flag in service file and restart diswall service.
Can I check if my server is really invisible to Shodan?
Yes, you can just search your IP in Shodan: https://www.shodan.io/host/1.2.3.4.
How can I add my IPs to allow-list?
You can do this in two ways: Just add it to ipset: ipset add diswall-wl 1.2.3.4, but it will lost after restart. Or you can add it to the list on NATS server by diswall wl-add-ip 1.2.3.4, it will be downloaded from NATS server on your server load