Real-time distributed firewall
Be part of a worldwide distributed defense system for FREE
SMTP: 50405
Nginx: 9998
Imagine, that someone is going from town to town and from home to home and takes accurate info about every door lock, and then this person is publishing all info on the Internet. This situation is horrible in real life, but in server administration world it is a common thing, and almost no one thinks about a defence against this kind of activity.
Port scans are indeed a common thing, we block about 1500 IPs that are scanning our honeypots in an hour. And almost any hacker attack starts from port scan to determine all services that are open to an intruder.
Therefore, the main goal of DisWall is to protect servers from this type of hostile activity. And we think that we’ve done a great job.
DisWall is an extension for your firewall. It supports nftables
and iptables
. For the latter it needs ipset
to be installed too. The main functionality is monitoring of attempts to scan inactive ports on your server and ban such IPs. Also, it monitors SSH brute-force attempts and Postfix SASL auth errors (also brute-force).
But if you use it in distributed mode, then you always have afresh list of active scanning IPs from our honeypots.
We have dozens of honeypots that are constantly banning such IPs and a server to maintain a database. Now the banning intervals are variable - we ban for 15 minutes the first time, then 30 minutes, then an hour * scan attempts. There are IPs that are banned for several months already.
Essentially, there are three parts of working DisWall:
- Correctly configured firewall (
nftables
oriptables
) - Logging facility (done by
journald
) - DisWall service that is reading IPs from journald and adds them to blocklist
iptables
is a generic (and old) firewalling software that allows you to define rulesets. Each rule within an IP table consists of a number of classifiers (iptables matches) and one connected action (iptables target).But to work with big lists of IPs you need to install
ipset
- an extension to iptables, that adds an ability to work with lists of networks or IPs.So, iptables can check any packet against a big list and do something if some IP belongs to the list or not.
nftables
is the successor of iptables
, it allows for much more flexible, scalable and performant packet classification. This is where all the fancy new features are developed.If you've installed a fresh and contemporary Linux distribution, then you probably have
nftables
installed.And if you have
nftables
you don't need iptables
&ipset
.Your firewall - iptables or nftables is configured to allow local and established connections as well as connections from explicitly defined IPs and/or networks.
In case of iptables it is done in /usr/bin/diswall_init.sh
and this script is run by a service diswall-ipt-init
,
but in case of nftables
it is done in /etc/nftables.conf
and is run by nftables
service itself.
In simple terms, there are two lists/sets to allow connections (diswall-wl
) and to block connections (diswall-bl
).
If some packet is not explicitly allowed then it is logged, and then DisWall reads it and blocks it by adding it to ipset list or nftables set.
DisWall itself would be a very simplistic app and would not get to its goal — to ban most of the port-scanning bots out there if it would not have network layer. Every DisWall can connect to our NATS-server to be able to get new banned IPs from our special honeypots.
Just register at the page start, confirm your e-mail, enter credentials to /etc/diswall/diswall.conf file and restart the service. Your local diswall will be getting new IPs to block on a constant basis. If some our honeypot blocks an IP it will get to you in a matter of milliseconds.
First of all you will need some dependencies to be installed.
- Install nftables or check if it already exists. Alternatively, you can install iptables and ipset (sudo apt install iptables ipset). And if you have some other firewall (like ufw or firewalld) uninstall it.
- If you want to use quick-install script from our site — make sure you have jq installed (sudo apt install jq).
You can use one of two options for quick installation of DisWall (downloads binary from GitHub):
curl -s https://get.diswall.stream | bash
— if you have curl installedwget -q -O - https://get.diswall.stream | bash
— if you have wget installed
If you want to do it manually, go to releases on GitHub and download binary yourself.
- If you want to use full-fledged DisWall then you need to register on diswall.stream, confirm e-mail and copy credentials from our mail to /etc/diswall/diswall.conf.
- If you don’t want to register you can test it with default credentials, but you will not get most recent attacker’s IPs.
- This step maybe is most important if you already have some firewall configuration. Run diswall -e it will open autogenerated rules for nftables/iptables with your preferred text editor. Check that config. You can add some other rules to allow all connections from your home or office IPs no matter what to be sure that if something goes wrong you can connect to your server via SSH and correct things.
Ideally, only after these steps you should enable and start diswall service (sudo systemctl enable --now diswall
).
but here they are:
-h, | --help | Print this help menu |
-v, | --version | Print version and exit |
--install | Install DisWall as system service (in client mode) | |
--update | Update DisWall to latest release from GitHub | |
--uninstall | Uninstall DisWall from your server | |
-e | --edit | Edit firewall config |
-i | --interface | Run text interface to see what's going on |
-d, | --debug | Show trace messages, more than debug |
-g, | --generate | Generate new configuration file. It is better to redirect contents to file. |
-c, | --config FILE | Set configuration file path |
--log FILE | Set log file path | |
-f, | --pipe-file FILE | Named pipe from which to fetch IPs |
-s, | --nats-server | DOMAIN NATS server name |
-P, | --port PORT | NATS server port |
-n, | --name NAME | NATS client name (login) |
-p, | --pass PASSWORD | NATS password |
-l, | --local-only | Don't connect to NATS server, work only locally |
-a, | --allow-list | Allow list name |
-b, | --block-list | Block list name |
--wl-add-ip IP | Add this IP to allow list | |
--wl-add-comm COMMENT | Comment to add with IP to allow list | |
--wl-del-ip IP | Remove IP from allow list | |
--bl-add-ip IP | Add this IP to block list | |
--bl-del-ip IP | Remove IP from block list | |
-k | --kill | Kill already established connection using `ss -K` |
--server | Start diswall NATS server to handle init messages. |
- Open-source. You can build your service without us
- We do not collect any sophisticated telemetry, just bad IPs and blocked/accepted traffic counts
- We do nothing on your server just add bad IPs to block-list
- Read full privacy policy.