How to block specific IP addresses on AIX

Do you need to block a specific IP address (or host) from accessing your AIX system? One heavy-handed approach is to use AIX IP security (ipsec) to filter specific IP addresses. This will allow you to completely block/deny these IP addresses from accessing your AIX host over the network.

Here’s an example. I want to deny IP address 8.218.1.243 from accessing my AIX system (for inbound connections).

The first step is to enable IP security on the AIX. This example is for ipsec_v4.

# smit ipsec4

--> Start/Stop IP Security

--> Start IP Security

Start IP Security [Now and After Reboot] +

Deny All Non_Secure IP Packets [no]

ipsec_v4 Available

Default rule for IPv4 in ODM has been changed.

Successfully set default action to PERMIT

# lsdev -C | grep ip

ipsec_v4 Available IP Version 4 Security Extension

ipsec_v6 Available IP Version 6 Security Extension

Note, I left the "Deny All Non_Secure IP Packets" set to No, as I would prefer to allow everything by default and only block/deny IP addresses by exception. Now that ipsec is enabled, I can create a new IP filter rule to block the IP address, 8.218.1.243, from accessing my host. This rule prevents 8.218.1.243 from accessing any protocol/service, on all interfaces, on my AIX host. They are now blocked from opening any network connections to my AIX host. The rule is created using the genfilt tool and then activated with the mkfilt utility.

# genfilt -v 4 -a D -s 8.218.1.243 -m 255.255.255.255 -d 0.0.0.0 -M 0.0.0.0 -g N -c all -r B -w I -l Y -f Y -i all

# mkfilt -v 4 -u

Using the lsfilt command I can confirm that my new rule has been added to the IP filter rules on my AIX host.

# lsfilt | grep -p 8.218.1.243

Rule 3:

Rule action : deny

Source Address : 8.218.1.243

Source Mask : 255.255.255.255

Destination Address : 0.0.0.0

Destination Mask : 0.0.0.0

Source Routing : no

Protocol : all

Source Port : any 0

Destination Port : any 0

Scope : both

Direction : inbound

Logging control : yes

Fragment control : all packets

Tunnel ID number : 0

Interface : all

Auto-Generated : no

Expiration Time : 0

Description :

If I decide I would like to remove this rule, I can use the rmfilt command, as shown below. I first need to find the rule number associated with the IP filter (in this case it’s rule number 3). Then I run the rmfilt command to remove the rule and then activate the new rule set, with mkfilt.

# lsfilt | grep -p 8.218.1.243

Rule 3:

Rule action : deny

Source Address : 8.218.1.243

Source Mask : 255.255.255.255

Destination Address : 0.0.0.0

Destination Mask : 0.0.0.0

Source Routing : no

Protocol : all

Source Port : any 0

Destination Port : any 0

Scope : both

Direction : inbound

Logging control : yes

Fragment control : all packets

Tunnel ID number : 0

Interface : all

Auto-Generated : no

Expiration Time : 0

Description :

# rmfilt -v 4 -n '3'

Filter rule 3 for IPv4 has been removed successfully.

# mkfilt -v 4 -u

# lsfilt | grep -p 8.218.1.243

I found myself in need of this type of solution when working with an AIX system that was directly connected to the Internet. Various services were open and available on the AIX host’s public interface. As a result, this host was subject to constant port probing by external IP addresses on the Internet. One service was being probed more than others. That service was, of course, SSH. SSH is a common service subjected to brute-force credentials attacks. On a regular basis I would find failed SSH login attempts in the syslog file (as shown below).

Nov 25 23:38:09 myaixhost auth|security:info sshd[65539]: Failed password for root from 8.218.1.243 port 44968 ssh2

Nov 25 23:38:09 myaixhost auth|security:info syslog: ssh: failed login attempt for root from 8.218.1.243

Nov 25 23:38:10 myaixhost auth|security:info sshd[65541]: Failed password for root from 8.218.1.243 port 45262 ssh2

Nov 25 23:38:10 myaixhost auth|security:info syslog: ssh: failed login attempt for root from 8.218.1.243

I knew that I could prevent this kind of “brute force” attack from reoccurring by manually adding an IP filter rule to block the offending address. But I also wanted to automate this process. I wanted a way to detect this kind of attack and then automatically add new IP filter rules.

I wrote a script to scan my syslog file and look for any failed SSH login attempts from unknown external IP addresses and then automatically add IP filter rules for the offending IP address(es). Here’s an example of the output from the script:

# block_ip.ksh

IP address 168.167.134.1 already blocked by IP filter

Adding 193.3.19.87 to IP filter blocked list

Filter rule 27 for IPv4 has been added successfully.

> Source Address : 193.3.19.87

Statistics of IP Security packets:

IPSec Devices:

ipsec_v4 Available

ipsec_v6 Available

Authentication Algorithm:

CMAC_AES_XCBC -- Cipher-based MAC using AES-XCBC Authentication Module

HMAC_MD5 -- Hashed MAC MD5 Authentication Module

HMAC_SHA -- Hashed MAC SHA Hash Authentication Module

KEYED_MD5 -- Keyed MD5 Hash Authentication Module

Encryption Algorithm:

3DES_CBC -- Triple DES CBC Encryption Module

AES_CBC_128 -- AES CBC 128 bit key Encryption Module

AES_CBC_192 -- AES CBC 192 bit key Encryption Module

AES_CBC_256 -- AES CBC 256 bit key Encryption Module

DES_CBC_4 -- DES CBC 4 Encryption Module

DES_CBC_8 -- DES CBC 8 Encryption Module

NULL -- Null Encryption Algorithm module

IPSec Statistics -

Total incoming packets: 820167

Incoming AH packets: 0

Incoming ESP packets: 0

Srcrte packets allowed: 0

Total outgoing packets: 1289450

Outgoing AH packets: 0

Outgoing ESP packets: 0

Total incoming packets dropped: 2978

Filter denies on input: 2978

AH did not compute: 0

ESP did not compute: 0

AH replay violation: 0

ESP replay violation: 0

Total outgoing packets dropped: 0

Filter denies on output: 0

Tunnel cache entries added: 0

Tunnel cache entries expired: 0

Tunnel cache entries deleted: 0

In the example above, we found an IP address (that was not already blocked), that was attempting to login via SSH unsuccessfully and then adding the IP address to the rule set. If we find a relevant event in syslog, before we add a new rule, we first check if the IP address is already blocked, and if it is not, we go ahead and add a new rule. Below is the script header with a bit more of a description of what it does.

#!/usr/bin/ksh

# Script to block IP addresses that have reported failed login attempts (in /var/log/syslog) via SSH.

# Be very careful with this script. It DOES NOT DISCRIMINATE! If you fail to login, via SSH, with your

# username/password and it fails, because you entered the wrong password (for example), it will block you IP address

# then next time the script is run (assuming, of course, that the failed login attempt is still recorded in /var/log/syslog).

This script now runs once per hour from cron on the AIX host.

Note, to configure ipsec firewall on AIX, the following filesets must be installed on the AIX host.

bos.msg.en_US.net.ipsec 7.3.0.0 COMMITTED IP Security Messages - U.S.

bos.net.ipsec.keymgt 7.3.0.1 COMMITTED IP Security Key Management

bos.net.ipsec.rte 7.3.0.0 COMMITTED IP Security

Please refer to the following links for more information about AIX firewall and IP security filtering configuration. I highly recommend reading about “mkfilt -d” to recover from misconfiguration issues and “mkfilt -g start” to start the ipsec_logd daemon to “view which packets are being dropped”.

Setting up a firewall with AIX TCP/IP filtering

https://developer.ibm.com/articles/au-aixfiltering/

Accessing filter rules from SMIT

https://www.ibm.com/docs/en/aix/7.3?topic=prevention-accessing-filter-rules-from-smit

AIX Intrusion prevention

https://www.ibm.com/docs/en/aix/7.3?topic=network-aix-intrusion-prevention

Blocking an IP address

https://www.toolbox.com/tech/operating-systems/question/blocking-an-ip-address-100306/