How to block specific IP addresses on AIX
Do you need to block a specific IP address (or host) from accessing your AIX system? One heavy-handed approach is to use AIX IP security (ipsec) to filter specific IP addresses. This will allow you to completely block/deny these IP addresses from accessing your AIX host over the network.
Here’s an example. I want to deny IP address 8.218.1.243 from accessing my AIX system (for inbound connections).
The first step is to enable IP security on the AIX host. This example is for ipsec_v4.
# smit ipsec4
  --> Start/Stop IP Security
  --> Start IP Security
      Start IP Security                 [Now and After Reboot]  +
      Deny All Non_Secure IP Packets    [no]
ipsec_v4 Available
Default rule for IPv4 in ODM has been changed.
Successfully set default action to PERMIT
# lsdev -C | grep ip
ipsec_v4 Available IP Version 4 Security Extension
ipsec_v6 Available IP Version 6 Security Extension
Note, I left "Deny All Non_Secure IP Packets" set to No, as I would prefer to allow everything by default and only block/deny IP addresses by exception. Now that ipsec is enabled, I can create a new IP filter rule to block the IP address 8.218.1.243 from accessing my host. This rule prevents 8.218.1.243 from accessing any protocol/service, on all interfaces, on my AIX host. That address is now blocked from opening any network connection to my AIX host. The rule is created using the genfilt tool and then activated with the mkfilt utility.
# genfilt -v 4 -a D -s 8.218.1.243 -m 255.255.255.255 -d 0.0.0.0 -M 0.0.0.0 -g N -c all -r B -w I -l Y -f Y -i all
# mkfilt -v 4 -u
Using the lsfilt command I can confirm that my new rule has been added to the IP filter rules on my AIX host.
# lsfilt | grep -p 8.218.1.243
Rule 3:
Rule action          : deny
Source Address       : 8.218.1.243
Source Mask          : 255.255.255.255
Destination Address  : 0.0.0.0
Destination Mask     : 0.0.0.0
Source Routing       : no
Protocol             : all
Source Port          : any 0
Destination Port     : any 0
Scope                : both
Direction            : inbound
Logging control      : yes
Fragment control     : all packets
Tunnel ID number     : 0
Interface            : all
Auto-Generated       : no
Expiration Time      : 0
Description          :
If I decide I would like to remove this rule, I can use the rmfilt command, as shown below. I first need to find the rule number associated with the IP filter (in this case it’s rule number 3). Then I run the rmfilt command to remove the rule and then activate the new rule set, with mkfilt.
# lsfilt | grep -p 8.218.1.243
Rule 3:
Rule action          : deny
Source Address       : 8.218.1.243
Source Mask          : 255.255.255.255
Destination Address  : 0.0.0.0
Destination Mask     : 0.0.0.0
Source Routing       : no
Protocol             : all
Source Port          : any 0
Destination Port     : any 0
Scope                : both
Direction            : inbound
Logging control      : yes
Fragment control     : all packets
Tunnel ID number     : 0
Interface            : all
Auto-Generated       : no
Expiration Time      : 0
Description          :
# rmfilt -v 4 -n '3'
Filter rule 3 for IPv4 has been removed successfully.
# mkfilt -v 4 -u
# lsfilt | grep -p 8.218.1.243
#
I found myself in need of this type of solution when working with an AIX system that was directly connected to the Internet. Various services were open and available on the AIX host's public interface. As a result, this host was subject to constant port probing by external IP addresses on the Internet. One service was being probed more than others. That service was, of course, SSH. SSH is a common service subjected to brute-force credential attacks. On a regular basis I would find failed SSH login attempts in the syslog file (as shown below).
Nov 25 23:38:09 myaixhost auth|security:info sshd[65539]: Failed password for root from 8.218.1.243 port 44968 ssh2
Nov 25 23:38:09 myaixhost auth|security:info syslog: ssh: failed login attempt for root from 8.218.1.243
Nov 25 23:38:10 myaixhost auth|security:info sshd[65541]: Failed password for root from 8.218.1.243 port 45262 ssh2
Nov 25 23:38:10 myaixhost auth|security:info syslog: ssh: failed login attempt for root from 8.218.1.243
I knew that I could prevent this kind of "brute force" attack from recurring by manually adding an IP filter rule to block the offending address. But I also wanted to automate this process. I wanted a way to detect this kind of attack and then automatically add new IP filter rules.
I wrote a script to scan my syslog file and look for any failed SSH login attempts from unknown external IP addresses and then automatically add IP filter rules for the offending IP address(es). Here’s an example of the output from the script:
# block_ip.ksh
IP address 168.167.134.1 already blocked by IP filter
Adding 193.3.19.87 to IP filter blocked list
Filter rule 27 for IPv4 has been added successfully.
> Source Address : 193.3.19.87
Statistics of IP Security packets:
IPSec Devices:
  ipsec_v4 Available
  ipsec_v6 Available
Authentication Algorithm:
  CMAC_AES_XCBC -- Cipher-based MAC using AES-XCBC Authentication Module
  HMAC_MD5 -- Hashed MAC MD5 Authentication Module
  HMAC_SHA -- Hashed MAC SHA Hash Authentication Module
  KEYED_MD5 -- Keyed MD5 Hash Authentication Module
Encryption Algorithm:
  3DES_CBC -- Triple DES CBC Encryption Module
  AES_CBC_128 -- AES CBC 128 bit key Encryption Module
  AES_CBC_192 -- AES CBC 192 bit key Encryption Module
  AES_CBC_256 -- AES CBC 256 bit key Encryption Module
  DES_CBC_4 -- DES CBC 4 Encryption Module
  DES_CBC_8 -- DES CBC 8 Encryption Module
  NULL -- Null Encryption Algorithm module
IPSec Statistics -
  Total incoming packets: 820167
    Incoming AH packets: 0
    Incoming ESP packets: 0
    Srcrte packets allowed: 0
  Total outgoing packets: 1289450
    Outgoing AH packets: 0
    Outgoing ESP packets: 0
  Total incoming packets dropped: 2978
    Filter denies on input: 2978
    AH did not compute: 0
    ESP did not compute: 0
    AH replay violation: 0
    ESP replay violation: 0
  Total outgoing packets dropped: 0
    Filter denies on output: 0
  Tunnel cache entries added: 0
  Tunnel cache entries expired: 0
  Tunnel cache entries deleted: 0
In the example above, the script found an IP address that was not already blocked and that had been attempting, unsuccessfully, to log in via SSH, and added that address to the rule set. When a relevant event is found in syslog, the script first checks whether the IP address is already blocked before adding a new rule; only if it is not does it go ahead and add one. Below is the script header with a bit more of a description of what it does.
#!/usr/bin/ksh
#
# Script to block IP addresses that have reported failed login attempts (in
# /var/log/syslog) via SSH.
#
# Be very careful with this script. It DOES NOT DISCRIMINATE! If you fail to login,
# via SSH, with your username/password and it fails, because you entered the wrong
# password (for example), it will block your IP address the next time the script is
# run (assuming, of course, that the failed login attempt is still recorded in
# /var/log/syslog).
#
# This script now runs once per hour from cron on the AIX host.
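The author's block_ip.ksh body is not shown on the page, so here is an added POSIX sh version of the same workflow (not the author's code): it counts sshd "Failed password" lines per source address in the syslog format shown above, skips an allow-list and a failure threshold (both my assumptions, added so that one mistyped administrator password does not lock you out), checks lsfilt for an existing rule, and then runs the same genfilt/mkfilt invocations used earlier on this page.

```shell
#!/bin/sh
# Added example, not the author's block_ip.ksh. Uses the genfilt flags shown
# above to add an inbound deny rule for each offending address that is not
# allow-listed and not already present in the lsfilt rule list.
# THRESHOLD and ALLOWLIST are assumptions, not part of the original script.
THRESHOLD="${THRESHOLD:-3}"                   # failures before an address is blocked
ALLOWLIST="${ALLOWLIST:-127.0.0.1 10.0.0.5}"  # constructed sample: never block these

# Print each source IP with at least THRESHOLD sshd "Failed password" lines.
offenders() {
    grep 'sshd\[[0-9]*\]: Failed password for' "$1" |
        sed -n 's/.* from \([0-9][0-9.]*\) port .*/\1/p' |
        sort | uniq -c |
        awk -v t="$THRESHOLD" '$1 >= t { print $2 }'
}
is_allowed() {
    for a in $ALLOWLIST; do
        [ "$a" = "$1" ] && return 0
    done
    return 1
}
# True if an existing filter rule already names this exact source address.
already_blocked() {
    pat=$(printf '%s\n' "$1" | sed 's/\./\\./g')
    lsfilt | grep -q "^Source Address *: ${pat}\$"
}
block_ip() {
    genfilt -v 4 -a D -s "$1" -m 255.255.255.255 -d 0.0.0.0 -M 0.0.0.0 \
        -g N -c all -r B -w I -l Y -f Y -i all
}
main() {
    added=0
    for ip in $(offenders "$1"); do
        if is_allowed "$ip"; then
            echo "Skipping allow-listed address $ip"
        elif already_blocked "$ip"; then
            echo "IP address $ip already blocked by IP filter"
        else
            echo "Adding $ip to IP filter blocked list"
            block_ip "$ip" && added=$((added + 1))
        fi
    done
    # Activate the updated rule set only when something changed.
    if [ "$added" -gt 0 ]; then mkfilt -v 4 -u; fi
    echo "$added rule(s) added"
}

# Usage: block_ip.sh /var/log/syslog (defining functions only when run bare)
if [ $# -gt 0 ]; then main "$1"; fi
```

Like the author's script, it treats every failed login as hostile, so keep the allow-list populated with the addresses you administer from and review the lsfilt rule list periodically.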
Note: to configure the ipsec firewall on AIX, the following filesets must be installed on the AIX host.
bos.msg.en_US.net.ipsec  7.3.0.0  COMMITTED  IP Security Messages - U.S.
bos.net.ipsec.keymgt     7.3.0.1  COMMITTED  IP Security Key Management
bos.net.ipsec.rte        7.3.0.0  COMMITTED  IP Security
Please refer to the following links for more information about AIX firewall and IP security filtering configuration. I highly recommend reading about "mkfilt -d" to recover from misconfiguration issues and "mkfilt -g start" to start the ipsec_logd daemon to "view which packets are being dropped".
Setting up a firewall with AIX TCP/IP filtering: https://developer.ibm.com/articles/au-aixfiltering/
Accessing filter rules from SMIT: https://www.ibm.com/docs/en/aix/7.3?topic=prevention-accessing-filter-rules-from-smit
AIX Intrusion prevention: https://www.ibm.com/docs/en/aix/7.3?topic=network-aix-intrusion-prevention
Blocking an IP address: https://www.toolbox.com/tech/operating-systems/question/blocking-an-ip-address-100306/