[Firehol-support] Automatic blacklisting of scanners/brute-force attacks

Mirko Buffoni firehol at synthesys.it
Fri Jan 23 10:11:10 GMT 2009


Hi Costa and friends,

I was googling around and found the following interesting
automatic blacklist solution:

- Create a special blacklist chain for this purpose
- Create a shield chain based on a number of counters
- Route abused services into this shield chain

So

# Create chains
iptables -N login_shield
iptables -N blacklist

iptables -A blacklist -m recent --name blacklist --set
iptables -A blacklist -j LOG --log-prefix "TOO MANY CONNECTIONS: "

# Make use of --update to reset counter, instead of --rcheck which doesn't reset it
iptables -A login_shield -m recent --update --name blacklist --seconds 600 --hitcount 1 -j DROP

# Add the counters
iptables -A login_shield -m recent --set    --name counting1
iptables -A login_shield -m recent --set    --name counting2
iptables -A login_shield -m recent --set    --name counting3
iptables -A login_shield -m recent --set    --name counting4

iptables -A login_shield -m recent --update --name counting1 --seconds    20 --hitcount   3 -j blacklist
iptables -A login_shield -m recent --update --name counting2 --seconds   200 --hitcount  15 -j blacklist
iptables -A login_shield -m recent --update --name counting3 --seconds  2000 --hitcount  80 -j blacklist
iptables -A login_shield -m recent --update --name counting4 --seconds 20000 --hitcount 400 -j blacklist

iptables -A login_shield -j ACCEPT

# Route services
iptables -A INPUT -p TCP --dport ssh -m state --state NEW -j login_shield
iptables -A INPUT -p TCP --dport ftps -m state --state NEW -j login_shield


Now I was wondering if Firehol can already do this in some way I didn't
find, and if not, how this could be integrated into the current Commands Syntax
without interfering with the clear definition scheme it has.

Open to all your suggestions.

Mirko
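To see what those four thresholds actually do, here is an added Python model of the chain walk above (example code, not from the post, FireHOL or iptables) that approximates xt_recent's --set/--update bookkeeping. The source address 198.51.100.7 and the connection intervals are constructed inputs, and the 400-entry history per address is an assumption about the module's ip_pkt_list_tot setting.

```python
from collections import deque
# Tiers exactly as in the post: (recent list name, --seconds window, --hitcount)
TIERS = [("counting1", 20, 3), ("counting2", 200, 15),
         ("counting3", 2000, 80), ("counting4", 20000, 400)]
BLACKLIST_SECONDS = 600

class RecentList:
    """Approximation of one xt_recent list: per-source ring buffer of hit timestamps."""
    def __init__(self):
        self.stamps = {}  # src -> deque of hit times in seconds

    def set(self, src, now):
        # --set: add the address, or record one more hit for an address already listed
        # (maxlen=400 assumes ip_pkt_list_tot=400; the kernel default is only 20)
        self.stamps.setdefault(src, deque(maxlen=400)).append(now)

    def update(self, src, now, seconds, hitcount):
        # --update --seconds S --hitcount N: match when the address is listed and at least N
        # hits are younger than S s (strict, as in xt_recent); a match also records a fresh hit
        q = self.stamps.get(src)
        if q is None or sum(1 for t in q if now - t < seconds) < hitcount:
            return False
        q.append(now)
        return True

def login_shield(src, now, lists):
    """Walk the post's login_shield chain for one NEW connection: (verdict, tiers tripped)."""
    if lists["blacklist"].update(src, now, BLACKLIST_SECONDS, 1):
        return "DROP", []  # listed within the last 600 s: drop, and the 600 s timer restarts
    for name, _, _ in TIERS:
        lists[name].set(src, now)  # the four --set rules record this hit first
    tripped = []
    for name, seconds, hitcount in TIERS:
        if lists[name].update(src, now, seconds, hitcount):
            # -j blacklist: --set, then LOG; LOG does not terminate, so the walk continues here
            lists["blacklist"].set(src, now)
            tripped.append(name)
    return "ACCEPT", tripped  # the connection that trips a counter is itself still accepted

def simulate(src, interval, attempts):
    """Source connecting every `interval` s: (time, tier) of the first trip, time of first DROP."""
    lists = {n: RecentList() for n in ["blacklist"] + [t[0] for t in TIERS]}
    first_trip = None
    for i in range(attempts):
        now = i * interval
        verdict, tripped = login_shield(src, now, lists)
        if tripped and first_trip is None:
            first_trip = (now, tripped[0])
        if verdict == "DROP":
            return first_trip, now  # first DROP ends the run
    return first_trip, None
```

Running simulate() with intervals of 1, 10 and 30 seconds shows a burst tripping counting1 on its third connection, a one-per-10-seconds scanner slipping past counting1 and tripping counting2 on its 15th attempt, and a one-per-30-seconds scanner never being caught at all; in every case the tripping connection is still accepted and the DROP only begins with the next one. On a real host, check that xt_recent was loaded with ip_pkt_list_tot of at least 400, because iptables rejects a --hitcount above that limit and the default is 20.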