[Firehol-devs] [Firehol-support] mini-IDS

Phil Whineray phil at sanewall.org
Fri Feb 6 08:50:03 CET 2015


Costa

This looks great.

On Fri, Feb 06, 2015 at 03:19:00AM +0200, Tsaousis, Costa wrote:
> # create the trap ipset
> ipset4 create trap hash:ip timeout 3600 counters

I could read the code to check the exact syntax out but I will ask here,
hopefully to the benefit of all:

> # my traps
> iptrap4 src trap   600 inface dsl0 proto tcp dport 22 log "TRAP SSH"

So the iptrap4 command adds the matching traffic to the ipset named in
src, for the duration which is the second parameter?

> # blacklist everything in the trap
> blacklist4 input inface dsl0 log "BLACKLIST TRAP"  ipset:trap

Then business as usual.

Could this also be used to setup e.g. port knocking without the daemon?
In which case a different command name than iptrap4 might be nice?
e.g. something like:

ipset4 dynamic trap 600 inface dsl0 proto tcp dport 22 log "TRAP SSH"

Cheers
Phil



More information about the Firehol-devs mailing list