[Firehol-support] Automatic blacklisting of scanners/brute-force attacks
Mirko Buffoni
firehol at synthesys.it
Fri Jan 23 10:11:10 GMT 2009
Hi Costa and friends,
I was googling around and found the following interesting
automatic blacklist solution:
- Create a special blacklist chain for this purpose
- Create a shield chain based on a number of counters
- Route abused services into this shield chain
So:
# Create chains
iptables -N login_shield
iptables -N blacklist
iptables -A blacklist -m recent --name blacklist --set
iptables -A blacklist -j LOG --log-prefix "TOO MANY CONNECTIONS: "
# Make use of --update to reset the counter, instead of --rcheck which doesn't reset it
iptables -A login_shield -m recent --update --name blacklist --seconds 600 --hitcount 1 -j DROP
# Add the counters
iptables -A login_shield -m recent --set --name counting1
iptables -A login_shield -m recent --set --name counting2
iptables -A login_shield -m recent --set --name counting3
iptables -A login_shield -m recent --set --name counting4
iptables -A login_shield -m recent --update --name counting1 --seconds 20 --hitcount 3 -j blacklist
iptables -A login_shield -m recent --update --name counting2 --seconds 200 --hitcount 15 -j blacklist
iptables -A login_shield -m recent --update --name counting3 --seconds 2000 --hitcount 80 -j blacklist
iptables -A login_shield -m recent --update --name counting4 --seconds 20000 --hitcount 400 -j blacklist
iptables -A login_shield -j ACCEPT
# Route services
iptables -A INPUT -p TCP --dport ssh -m state --state NEW -j login_shield
iptables -A INPUT -p TCP --dport ftps -m state --state NEW -j login_shield
Now I was wondering if Firehol can already do this in some way I didn't
find, and if not, how this could be integrated into the current commands syntax
without interfering with the clear definition scheme it has.
Open to all your suggestions.
Mirko
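As an added simulation that is not part of Mirko's post or of FireHOL, the following Python model of the xt_recent semantics behind the login_shield chain shows when a source gets listed and when it gets dropped. The windows and the 600-second ban come from the rules above, the ip_pkt_list_tot default of 20 from the kernel module; the event times and addresses are constructed.

```python
from collections import deque

# Escalating windows from the rules above: (--seconds, --hitcount) per counting list
WINDOWS = [(20, 3), (200, 15), (2000, 80), (20000, 400)]
BAN_SECONDS = 600                      # blacklist --seconds 600 --hitcount 1


class RecentList:
    """One named xt_recent list; keeps the last pkt_list_tot stamps per source."""

    def __init__(self, pkt_list_tot=20):           # 20 is the module default
        self.pkt_list_tot = pkt_list_tot
        self.stamps = {}

    def set(self, src, now):
        """--set: record a hit for src (always matches)."""
        self.stamps.setdefault(src, deque(maxlen=self.pkt_list_tot)).append(now)

    def update(self, src, now, seconds, hitcount):
        """--update --seconds S --hitcount N: match when >= N hits fall within S.
        A match also records `now`, so a banned host that keeps knocking keeps
        extending its own ban (--rcheck would not do this)."""
        hits = [t for t in self.stamps.get(src, ()) if now - t <= seconds]
        if len(hits) >= hitcount:
            self.stamps[src].append(now)
            return True
        return False


def rejected_rules(windows, pkt_list_tot=20):
    """Rules iptables refuses to insert: hitcount above ip_pkt_list_tot."""
    return [(secs, hits) for secs, hits in windows if hits > pkt_list_tot]


def login_shield(events, windows=WINDOWS, pkt_list_tot=400):
    """Run NEW-connection events (time, src) through the chain; return verdicts.
    pkt_list_tot=400 assumes the module was loaded with ip_pkt_list_tot raised."""
    blacklist = RecentList(pkt_list_tot)
    counters = [RecentList(pkt_list_tot) for _ in windows]
    verdicts = []
    for now, src in events:
        if blacklist.update(src, now, BAN_SECONDS, 1):
            verdicts.append("DROP")            # first rule: already banned
            continue
        for c in counters:                     # the four --set rules
            c.set(src, now)
        for c, (secs, hits) in zip(counters, windows):
            if c.update(src, now, secs, hits):
                blacklist.set(src, now)        # -j blacklist: --set + LOG, then RETURN
        verdicts.append("ACCEPT")              # chain ends in ACCEPT, even when just listed
    return verdicts
```

With the module default ip_pkt_list_tot=20, iptables rejects the counting3 and counting4 rules because hitcount 80 and 400 exceed the stamps remembered per address, so the module has to be loaded with that parameter raised; ip_list_tot (default 100) likewise bounds how many addresses each list can track at once.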