How to use ipset command on linux to block bulk IPs

ipset is a companion application for the iptables Linux firewall. It allows you to setup rules to quickly and easily block a set of IP addresses, among other things.

Installation

Debian based system

# apt install ipset

Redhat based system

# yum install ipset

Blocking a list of network

Start by creating a new “set” of network addresses. This creates a new “hash” set of “net” network addresses named “myset”.

or

Add any IP address that you’d like to block to the set.

Finally, configure iptables to block any address in that set. This command will add a rule to the top of the “INPUT” chain to “-m” match the set named “myset” from ipset (–match-set) when it’s a “src” packet and “DROP”, or block, it.

Blocking a list of IP addresses

Start by creating a new “set” of ip addresses. This creates a new “hash” set of “ip” addresses named “myset-ip”.

or

Add any IP address that you’d like to block to the set.

Finally, configure iptables to block any address in that set.

Making ipset persistent

The ipset you have created is stored in memory and will be gone after reboot. To make the ipset persistent you have to do the followings:

First save the ipset to /etc/ipset.conf:

Then enable ipset.service, which works similarly to iptables.service for restoring iptables rules.

Other Commands

To view the sets:

or

To delete a set named “myset”:

or

To delete all sets:

How to configure IPsec/L2TP VPN Clients on Linux

After setting up your own VPN server, follow these steps to configure your devices. In case you are unable to connect, first, check to make sure the VPN credentials were entered correctly.

Commands must be run as root on your VPN client.

To set up the VPN client, first install the following packages:

Create VPN variables (replace with actual values):

Configure strongSwan:

Configure xl2tpd:

The VPN client setup is now complete. Follow the steps below to connect.

Note: You must repeat all steps below every time you try to connect to the VPN.

Create xl2tpd control file:

Restart services:

Start the IPsec connection:

Start the L2TP connection:

Run ifconfig and check the output. You should now see a new interface ppp0.

Check your existing default route:

Find this line in the output: default via X.X.X.X .... Write down this gateway IP for use in the two commands below.

Exclude your VPN server’s IP from the new default route (replace with actual value):

If your VPN client is a remote server, you must also exclude your Local PC’s public IP from the new default route, to prevent your SSH session from being disconnected (replace with actual value):

Add a new default route to start routing traffic via the VPN server:

The VPN connection is now complete. Verify that your traffic is being routed properly:

The above command should return Your VPN Server IP.

To stop routing traffic via the VPN server:

To disconnect:

Fusebill AJAX Transparent Redirect

To facilitate PCI compliant credit card collections Fusebill provides a AJAX Transparent Redirect endpoint which you can use to securely capture customer’s credit cards. If you are adding the first payment method on a customer, it will be set to the default payment method automatically.

This API action is authenticated with a separate Public API Key. If you do not have that key, please contact Fusebill Support. The Public Key can only be used to authenticate the Transparent Redirect action.

Ajax Transparent Redirect

Google reCAPTCHA required.

Fusebill leverages reCAPTCHA technology to ensure payment method data captured is provided by a human and to protect against bots and scripting.

We use Google reCAPTCHA V2 in order to accomplish this.
https://developers.google.com/recaptcha/intro
The basic workflow for how this is accomplished is as follows:

  • Using Fusebill’s public site key, the client is presented with a captcha widget.
  • The user then verifies that they are human, starting with a check box. The user may be presented with additional verification steps such as an image recognition task.
  • The captcha widget then verifies with Google that the user is human, and returns a response token.
  • That response token is then sent to Fusebill with the payment method data for our system to validate and verify.
Fusebill Environment
reCAPTCHA Public Site Key

Staging (stg-payments.subscriptionplatform.com)

6LcI_GwUAAAAAJZu0VvB68DdxNxb5ZcBIwAX7RVj

Sandbox and Production (payments.subscriptionplatform.com)

6LfVtGwUAAAAALHn9Ycaig9801f6lrPmouzuKF11

Create Credit Card Payment Method

Field Name
Details
Required
Type

CustomerID

This is the Fusebill customer ID of the customer you wish to add the card to

Yes

Number

PublicAPIKey

This is your public API key.
This is found in fusebill account under Settings > Integrations > Transparent Redirect.

Yes

String

CardNumber

This is the credit card number.

Yes

Number

FirstName

 

The first name of the cardholder.

Yes

String

LastName

The last name of the card holder.

Yes

String

ExpirationMonth

Expiration month on the credit card.

Yes

Number

ExpirationYear

Expiration on the credit card.

Yes

Number

CVV

The credit card verification number.

Yes

Number

recaptcha

Recaptcha token response.

Yes

String

riskToken

WePay Risk token

No+

String

clientIp

Client/Customer IP address

No+

String

email

Customer Email address

No+

String

address1

First line of payment method address.

No*

String

address2

Second line of payment method address.

No*

String

city

City of the payment method

No*

String

stateId

State ID of the Payment method.
These can be found by performing a GET to v1/countries

No*

Number

countryId

Country ID of the payment method.
These can be found by performing a GET to v1/countries

No*

Number

postalZip

PostalZip of the payment method

No*

String

paymentCollectOptions

Object that allows specifying an amount to collect when creating the card.

Only works through Json
{
"collectionAmount": 1.0
}

No

Object

+ Denotes a field required for Fusebill Payments API Risk Fields
* Denotes fields required for AVS and may be required by your account’s Gateway. These fields are also required if using Fusebill Payments accounts as AVS is mandatory.

Notes:- Address information can optionally be captured as well.

Sample Code


Sample Response

Fusebill Payments

When using Fusebill Payments as your gateway processing account, some additional processing and data is required.

These are the ClientIP and a Risk token.

Additional information is available here.

Fusebill Test Gateways

Available here.

How to modify permissions(booleans) of SELinux for deamons(programs)

SELinux offers more enhanced security for linux. It is always recommended not to disable SELinux for servers which are more delicate, instead you can control the permissions for the deamons, programms or users using SELinux.

SELinux maintains the status of permissions for all deamons with attributes called booleans.

Get SELinux booleans

The above command will give you lot of variables with status either on or off. If you want to fetch for particular process or context use grep 

To get all booleans regarding httpd(apache web server)

 

Set SELinux Booleans

To set selinux booleans we use the command setsebool

Here is how you can change

For suppose if you want to allow httpd to allow sending mail

If you want to enable ftp server on httpd,

To enable apache to connect with external database

Like wise you can change the required booleans status. To query the modified status ues getsebool with grep.

 

How to enable or disable SELinux and check status on centOS

The SELinux stands for Security-Enhanced Linux where it is a linux kernel security module. It is enabled by default on most of the linux distribution that we use for servers like centOS. It provides  enhanced security measurements. It gives you fine control over all programs and daemons  on their activities like communicating with out side programs  or controlling whether to establish a outside connections for a particular program.

It is always recommended to have SELinux enabled on a server to avoid common security glitches.

To query the current status of SELinux  use the following commands

The above command will report the current status  of SELinux. Whether SELinux is enforcing, permissive, or disabled. If it is already disabled.

Disabling SELinux

Open the file  /etc/selinux/config  and change the option SELINUX to disabled

if you open file you would see something like

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing – SELinux security policy is enforced.
# permissive – SELinux prints warnings instead of enforcing.
# disabled – No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
# targeted – Targeted processes are protected,
# mls – Multi Level Security protection.
SELINUXTYPE=targeted

If SELinux is enabled you would see enforcing replace it with disabled.

You should restart the machine to take effect If you change SELINUX status from Enabled to Disabled or vice versa.

Enabling SELInux

To enable SELinux follow the below instructions,

  1. Open the file /etc/selinux/config  
  2. Change option SELINUX from disabled to enforcing
  3. Restart the machine

Change mode

To change the mode of SELinux which is running

Check Status

SELinux is the linux  kernel module for enhanced security. SELinux stands for Security-Enhanced Linux. If SELinux is installed on your machine or server you can check the current status  by using following commands

The above command will give you one of the following as an output

You use the below command which will give simple overview

If enabled you will output something like

 

You can also check the configuration which is located at /etc/selinux/config.

In above config file  the option SELINUX  describes the status of SELinux. But it’s not precise to determine the status from the configuration file, it’s better to determine the status by using commands mentioned above.

 

 

Note: You need administrator privileges to either enable or disable SELinux

How to check certificate information of web server using openssl

In this article we will see how to check certificate information of webserver using command line tool openssl

The below command will get you the valid period of the ssl certificate.

To check the certificate information of web server, use the following command. Here I’m using google.com in this example

Export certificate into a file

If you want to extract the public key from the certificate, here is how you can do

 

References:
[1] Certificates and Encodings