
Dynamically blacklisting with iptables


By maho - Posted on 20 March 2008

Thanks to the 'recent' module of iptables there is a quite simple way to create dynamic blacklist filters. The following rules create a blacklist that slows down brute-force attacks on ssh: a host that opens more than 3 new connections within 30 seconds is blocked entirely until it has been quiet for 180 seconds. The match is purely by source address, so keep in mind that a shared NAT address (or an administrator who opens several sessions in quick succession) can be locked out just like an attacker.

First of all we make sure that all existing ssh connections remain allowed, so a host that ends up on the blacklist later does not lose the session it already has.
-A INPUT -p tcp --dport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT

Drop all traffic from hosts in the blacklist. The rule matches as long as the host's last-seen timestamp in BLACKLIST is less than 180 seconds old, and because --update refreshes that timestamp on every match, a host that keeps retrying stays blocked until it has been silent for 180 seconds. The list entry is not deleted after that; it simply stops matching.
-A INPUT -m recent --update --seconds 180 --name BLACKLIST --rsource -j DROP

Send hosts that already have 3 hits in the 'sshin' list within the last 30 seconds to the blacklist chain. Because --rcheck is evaluated before the --set rule below records the current packet, it is the fourth new connection inside the window that triggers. The blacklist chain is created further down; when loading with iptables-restore the -N line must come before this rule.
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --rcheck --seconds 30 --hitcount 3 --name sshin --rsource -j blacklist

Record every other new ssh connection in the 'sshin' list (creating the entry on first sight, updating its timestamps afterwards) and accept it.
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name sshin --rsource -j ACCEPT

Reject, with an ICMP port-unreachable, anything we would send to a host in the blacklist. The list was filled with source addresses, so --rdest compares the outgoing packet's destination address against them. Note that the 30-second window here is shorter than the 180 seconds used on INPUT; raise it to 180 if outbound blocking should last as long as inbound.
-A OUTPUT -m recent --rcheck --seconds 30 --name BLACKLIST --rdest -j REJECT --reject-with icmp-port-unreachable

Our blacklist chain, where offending packets are sent: log the event, add the source address to BLACKLIST and drop the packet. The chain has to exist before any rule jumps to it. The LOG rule has no rate limit, so a large scan can fill the log quickly; adding -m limit in front of it is advisable.
-N blacklist
-A blacklist -j LOG --log-prefix "adding to BLACKLIST: "
-A blacklist -m recent --set --name BLACKLIST --rsource -j DROP
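The complete ruleset above as a script, with the chain created before anything jumps to it, plus helpers to inspect and clear the kernel's recent lists. This is an added example and not the original post's code; the variable names, the rate-limited LOG rule, the /proc path and the helper functions are my own assumptions, and the sample list contents are constructed for offline use.

```shell
#!/bin/sh
# Added example (not from the original post): the ssh blacklist ruleset as a
# script, plus helpers for the kernel's per-list /proc files.
# Assumptions, mine rather than the page's: variable names, the rate-limited
# LOG rule, RECENT_DIR and the helper functions. Applying the rules needs
# root and the xt_recent (formerly ipt_recent) module.

IPT=${IPT:-iptables}        # iptables binary
SSH_PORT=${SSH_PORT:-22}
WINDOW=${WINDOW:-30}        # seconds over which new connections are counted
HITS=${HITS:-3}             # hits already recorded; the next connection triggers
BLOCK=${BLOCK:-180}         # quiet period a blacklisted host must keep
# Per-list files live here on kernels 2.6.28 and later; older kernels use
# /proc/net/ipt_recent with a slightly different line format, which the
# hit-count helper below does not handle.
RECENT_DIR=${RECENT_DIR:-/proc/net/xt_recent}

# Print the rules in an order iptables accepts: the chain is created before
# anything jumps to it, and the DROP rule sits before the ACCEPT rules.
ssh_blacklist_rules() {
    cat <<EOF
$IPT -N blacklist
$IPT -A blacklist -m limit --limit 5/min -j LOG --log-prefix "adding to BLACKLIST: "
$IPT -A blacklist -m recent --set --name BLACKLIST --rsource -j DROP
$IPT -A INPUT -p tcp --dport $SSH_PORT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -m recent --update --seconds $BLOCK --name BLACKLIST --rsource -j DROP
$IPT -A INPUT -p tcp --dport $SSH_PORT -m state --state NEW -m recent --rcheck --seconds $WINDOW --hitcount $HITS --name sshin --rsource -j blacklist
$IPT -A INPUT -p tcp --dport $SSH_PORT -m state --state NEW -m recent --set --name sshin --rsource -j ACCEPT
$IPT -A OUTPUT -m recent --rcheck --seconds $BLOCK --name BLACKLIST --rdest -j REJECT --reject-with icmp-port-unreachable
EOF
}

# Execute the generated rules, stopping at the first failure.
apply_rules() {
    ssh_blacklist_rules | sh -e
}

# xt_recent exposes each list as a text file, one entry per line:
#   src=192.0.2.7 ttl: 64 last_seen: 4295087 oldest_pkt: 4 4295010, 4295030, ...
# Read such a file on stdin and print only the addresses.
recent_list_ips() {
    sed -n 's/^src=\([^ ]*\) .*/\1/p'
}

# Number of hits recorded for one address: the timestamps after "oldest_pkt: N"
# start at field 8, so the count is NF - 7. Prints nothing if the address is absent.
recent_hits_for() {
    awk -v ip="$1" '$1 == "src=" ip { print NF - 7; exit }'
}

# Remove one address early ("-addr" written to the list file) or wipe the
# whole list ("/"); both are part of the xt_recent /proc interface.
unblock() {
    echo "-$1" > "$RECENT_DIR/BLACKLIST"
}
flush_blacklist() {
    echo / > "$RECENT_DIR/BLACKLIST"
}

# Constructed sample of a BLACKLIST file, so the helpers can be tried offline.
SAMPLE_RECENT='src=192.0.2.7 ttl: 64 last_seen: 4295087 oldest_pkt: 4 4295010, 4295030, 4295050, 4295087
src=198.51.100.9 ttl: 53 last_seen: 4295100 oldest_pkt: 1 4295100'

case "${1:-}" in
    rules)   ssh_blacklist_rules ;;
    apply)   apply_rules ;;
    show)    recent_list_ips < "$RECENT_DIR/BLACKLIST" ;;
    unblock) unblock "$2" ;;
    flush)   flush_blacklist ;;
    demo)    printf '%s\n' "$SAMPLE_RECENT" | recent_list_ips ;;
esac
```

Run it with `rules` to review the generated commands, `apply` as root to load them, `show` to list who is currently in BLACKLIST and `unblock 192.0.2.7` to release a host before its 180 seconds are up.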

I think this guide is great. I just configured it and now I'm waiting to see whether it works or not. Since brute-force attacks are increasing in great numbers, I think firewall configurations like this one will get more and more common.

However, I think it's unclear how long matched attacks are blocked. I would guess that attackers are blocked for 180 seconds if following this guide thoroughly (however, I'm really absent-minded ;) )?

Another great contribution to this guide would be logging blacklisted attempts to an independent file by adding
kern.warning /var/log/iptables.log
to /etc/syslog.conf, then creating iptables.log with touch /var/log/iptables.log, and finally restarting syslogd: sudo /etc/init.d/sysklogd restart.

Oh, and your CAPTCHA needs some serious work.
