Changelog POOFITEE v0.0.1:
– At first blush, we thought POOFITEE was operational 2016-09-16, but a few bugs remained until 2016-10-01. After 2016-10-01 this “Original” branch is only expected to receive bug fixes of the ruleset, no installer enhancements.
– Tested with Ubuntu server CLI, Linux Mint, Raspberry Pi, and Pine A64 (for which you’ll have to manually load the ipset module for iptables). We expect success with many or most other Linux distros. Future expansion still planned including source code cleanup and screen layout enhancement.
BULLET-PROOF YOUR “OWNER-ACCESS-ONLY” LINUX SERVER FROM HACKERS WITH IPTABLES AND ROBUST SHELL SCRIPTING.
Bare minimum packages and whitelist-only access to your Linux home surveillance &/or automation system such as NEST or WeMo, or your WiFi router (if port or other forwarding, or external management are in use). ENTERPRISES: Let POOFITEE create the blacklists you need! Run POOFITEE on an external ip address that should have no incoming traffic, then share with your firewalls the ipset blacklist it creates.
No hackers can get any data or communication at all out of your system when this firewalling solution is installed on it:
* Only you know how to get your remote IP address permitted by whitelist to become an authorized source address. This will be by port knocking or email. Source addresses not whitelisted are ignored as effectively as them being explicitly blacklisted. All 65536 of your ports are invisible to them.
* Only you know the IP address of your system – it’s emailed to you fresh every time your systems gets it changed by DHCP.
* You will be notified immediately by email/text of any and all source addresses that your system places on its whitelist or removes from its blacklist.
* You would still continue to use passwords and ssh keys as is prudent even for systems without firewall protection.
All this PLUS the simplicity and robustness inherent in a bare iptables and scripting-only Linux solution, PLUS the option of building an explicit blacklist of first-time hacking packets in real-time for your reference and curiosity, if your system has enough RAM.
Firewalling options this install script should be able to alter from the script set defaults:
— Stop probe logging/blacklisting to save space or if you’re just not curious – comment out the crontab entry and kill the process
— Open specific ports to offer public services
— Force single-interface firewalling even though two interfaces exist
— Alter the IP address of the private-side interface from 192.168.3.1
— Dynamic re-config of interfaces: external may swap with internal and private IP on external my become public & vice versa for laptops, etc. Triggered on whenever change in external interface
— Allow installer to specify which internal interface to trust
— accommodate multiple vlans
Why anyone would want a blacklist to accumulate:
1) differentiate between neutral and hostile when providing public services,
2) assist in selecting ports for knock sequence or email knock by which are least probed,
3) just to have a blacklist so admin/owner can blacklist their own choices of Internet addresses,
4) give to other firewall software in a multi-box environment,
5) sales, marketing, winning a bet, or other reasons to prove the point to self or others,
Usage & Download from git:
git clone https://github.com/kenneth558/POOFITEE-Original && cd POOFITEE-Original
chmod a+x POOFITEE