Real-time distributed firewall
Be part of a worldwide distributed defense system for FREE
Imagine, that someone is going from town to town and from home to home and takes accurate info about every door lock, and then this person is publishing all info on the Internet. This situation is horrible in real life, but in server administration world it is a common thing, and almost no one thinks about a defence against this kind of activity.
Port scans are indeed a common thing, we block about 1500 IPs that are scanning our honeypots in an hour. And almost any hacker attack starts from port scan to determine all services that are open to an intruder.
Therefore, the main goal of DisWall is to protect servers from this type of hostile activity. And we think that we’ve done a great job.
DisWall is an extension for your firewall. It supports
iptables. For the latter it needs
ipset to be installed too. The main functionality is monitoring of attempts to scan inactive ports on your server and ban such IPs.
But if you use it in distributed mode, then you always have afresh list of active scanning IPs from our honeypots.
We have a bunch of honeypots that are constantly banning such IPs and a server to maintain a database. Now the banning intervals are variable - we ban for 15 minutes the first time, then 30 minutes, then an hour * scan attempts. There are IPs that are banned for several months already.
Essentially, there are three parts of working DisWall:
- Correctly configured firewall (
- Logging facility (done by additional config of
- DisWall service that is reading IPs from a logging pipe
iptables is a generic firewalling software that allows you to define rulesets. Each rule within an IP table consists of a number of classifiers (iptables matches) and one connected action (iptables target).
But to work with big lists of IPs you need to install
ipset - an extension to iptables, that adds an ability to work with lists of networks or IPs.
So, iptables can check any packet against a big list and do something if some IP belongs to the list or not.
nftables is the successor of
iptables, it allows for much more flexible, scalable and performant packet classification. This is where all the fancy new features are developed.
If you've installed a fresh and contemporary Linux distribution, then you probably have
And if you have
nftables you don't need
Your firewall - iptables or nftables is configured to allow local and established connections as well as connections from explicitly defined IPs and/or networks.
In case of iptables it is done in
/usr/bin/diswall_init.sh and this script is run by a service
but in case of
nftables it is done in
/etc/nftables.conf and is run by
nftables service itself.
In simple terms, there are two lists/sets to allow connections (
diswall-wl) and to block connections (
If some packet is not explicitly allowed then it is logged, and rsyslog takes only source IP from that logged packet
and writes it to a pipe (
/var/log/diswall/diswall/pipe), and then DisWall reads it and blocks it by adding it to ipset list or nftables set.
Rsyslog is configured by a config file
/etc/rsyslog.d/10-diswall.conf, it is added to your system during installation.
DisWall itself would be a very simplistic app and would not get to its goal — to ban most of the port-scanning bots out there if it would not have network layer. Every DisWall can connect to our NATS-server to be able to get new banned IPs from our special honeypots.
Just register at the page start, confirm your e-mail, enter credentials to /etc/diswall/diswall.conf file and restart the service. Your local diswall will be getting new IPs to block on a constant basis. If some our honeypot blocks an IP it will get to you in a matter of milliseconds.
First of all you will need some dependencies to be installed.
- Install iptables and ipset (sudo apt install iptables ipset) or install nftables. And if you have some other firewall (ufw or firewalld) uninstall it.
- If you want to use quick-install script from our site — make sure you have jq installed (sudo apt install jq).
You can use one of two options for quick installation of DisWall:
curl https://get.diswall.stream | bash— if you have curl installed
wget -O - https://get.diswall.stream | bash— if you have wget installed
If you want to do it manually, go to releases on GitHub and download binary yourself.
- If you want to use full-fledged DisWall then you need to register on diswall.stream, confirm e-mail and copy credentials from our mail to /etc/diswall/diswall.conf.
- This step maybe is most important. Open /usr/bin/diswall_init.sh with your preferred text editor and check all autogenerated rules for iptables that are in this file. You can add some other rules to allow all connections from your home or office IPs no matter what to be sure that if something goes wrong you can connect to your server via SSH and correct things.
Only after these steps you can enable and start diswall service (
sudo systemctl enable --now diswall).
but here they are:
|Print this help menu
|Print version and exit
|Install DisWall as system service (in client mode)
|Update DisWall to latest release from GitHub
|Uninstall DisWall from your server
|Show trace messages, more than debug
|Generate new configuration file. It is better to redirect contents to file.
|Set configuration file path
|Set log file path
|Named pipe from which to fetch IPs
|DOMAIN NATS server name
|NATS server port
|NATS client name (login)
|Don't connect to NATS server, work only locally
|Allow list name
|Block list name
|Add this IP to allow list
|Comment to add with IP to allow list
|Remove IP from allow list
|Add this IP to block list
|Remove IP from block list
|Kill already established connection using `ss -K`
|Start diswall NATS server to handle init messages.
- Open-source. You can build your service without us
- We do not collect any sophisticated telemetry, just bad IPs and blocked/accepted traffic counts
- We do nothing on your server just add bad IPs to block-list