[Firehol-support] Automatic blacklisting of scanners/brute-force attacks

Carlos Rodrigues cefrodrigues at gmail.com
Fri Jan 23 11:47:10 CET 2009


FireHOL supports this with the "accept with recent" syntax:

http://firehol.sourceforge.net/commands.html?#accept

Regards,


On Fri, Jan 23, 2009 at 10:11 AM, Mirko Buffoni <firehol at synthesys.it> wrote:
> Hi Costa and friends,
>
> I was googling around and found the following interesting
> automatic blacklist solution:
>
> - Create a special blacklist chain for this purpose
> - Create a shield chain based on a number of counters
> - Route abused services into this shield chain
>
> So
>
> # Create chains
> iptables -N login_shield
> iptables -N blacklist
>
> iptables -A blacklist -m recent --name blacklist --set
> iptables -A blacklist -j LOG --log-prefix "TOO MANY CONNECTIONS: "
>
> # Make use of --update to reset counter, instead of --rcheck which doesn't
> reset it
> iptables -A login_shield -m recent --update --name blacklist
> --seconds   600 --hitcount   1 -j DROP
>
> # Add the counters
> iptables -A login_shield -m recent --set    --name counting1
> iptables -A login_shield -m recent --set    --name counting2
> iptables -A login_shield -m recent --set    --name counting3
> iptables -A login_shield -m recent --set    --name counting4
>
> iptables -A login_shield -m recent --update --name counting1
> --seconds    20 --hitcount   3 -j blacklist
> iptables -A login_shield -m recent --update --name counting2
> --seconds   200 --hitcount  15 -j blacklist
> iptables -A login_shield -m recent --update --name counting3
> --seconds  2000 --hitcount  80 -j blacklist
> iptables -A login_shield -m recent --update --name counting4 --seconds
> 20000 --hitcount 400 -j blacklist
>
> iptables -A login_shield -j ACCEPT
>
> # Route services
> iptables -A INPUT -p TCP --dport ssh -m state --state NEW -j login_shield
> iptables -A INPUT -p TCP --dport ftps -m state --state NEW -j login_shield
>
>
> Now I was wondering, if Firehol can already do this in some way I didn't
> find, and if not, how this could be integrated in the current Commands Syntax
> without interfere with the clear definition scheme it has.
>
> Open to all your suggestions.
>
> Mirko
>
>
> ------------------------------------------------------------------------------
> This SF.net email is sponsored by:
> SourcForge Community
> SourceForge wants to tell your story.
> http://p.sf.net/sfu/sf-spreadtheword
> _______________________________________________
> Firehol-support mailing list
> Firehol-support at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/firehol-support
>



-- 
Carlos Rodrigues




More information about the Firehol-support mailing list