Blackholing probing addresses

Does anyone have recommendations on how to automatically blackhole addresses? I've gotten tired of looking through our iptables logs and seeing tons of probes against every IP on our network. I'd rather not reduce the log sensitivity, because I like to see details about what's going on, but I'd love to be able to detect certain patterns and blackhole all traffic from the source IP for a given period of time.

For example, if a source tried to access TCP port 25 on two unused addresses within a minute, I'd like to be able to add the source IP to a target chain that silently drops all traffic from the address, but then remove the address from the chain after 30 minutes.

It looks like I should be able to do something at least pretty close to this with the QUEUE target. I also just ran across the ipset utility which also looks like it will be helpful. I'm interested to know if anyone else is doing something like this and if so, I'd be very interested to know what your experiences have been with it. 

Thanks in advance,

J.T. Moore
International Auto Parts
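One way to build the rule described in the post (two probes of tcp/25 against unused addresses within a minute, then drop everything from that source for 30 minutes) on top of ipset, as an added example that is not code from the poster or from the netfilter project. It assumes the firewall already logs the probes with a LOG rule whose prefix is "PROBE: " (any prefix works, only the SRC=/DST=/DPT= fields are parsed), that the unused addresses are known in advance, and that an ipset named `blackhole` of type `hash:ip` is used as the drop list; the log lines are constructed samples, and the script only prints the `ipset` commands so it can be reviewed before being piped into `sh`:

```shell
#!/bin/sh
# Added example, not from the original post. Detect sources that hit tcp/25 on
# two different unused addresses within WINDOW seconds and emit ipset commands
# that blackhole them for TIMEOUT seconds. Set name "blackhole", the "PROBE: "
# log prefix and the unused-address list are assumptions.

# Constructed sample iptables LOG lines (syslog timestamps, one day, so only
# the HH:MM:SS field is used for the time window).
SAMPLE_LOG='Mar  3 10:00:01 fw kernel: PROBE: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=4000 DPT=25 SYN
Mar  3 10:00:20 fw kernel: PROBE: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.11 PROTO=TCP SPT=4001 DPT=25 SYN
Mar  3 10:00:25 fw kernel: PROBE: IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.10 PROTO=TCP SPT=5000 DPT=25 SYN
Mar  3 10:03:25 fw kernel: PROBE: IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.11 PROTO=TCP SPT=5001 DPT=25 SYN
Mar  3 10:04:00 fw kernel: PROBE: IN=eth0 OUT= SRC=198.51.100.20 DST=203.0.113.5 PROTO=TCP SPT=6000 DPT=25 SYN
Mar  3 10:04:05 fw kernel: PROBE: IN=eth0 OUT= SRC=198.51.100.20 DST=203.0.113.10 PROTO=TCP SPT=6001 DPT=25 SYN'

# Assumed list of addresses nothing legitimate should ever talk to.
UNUSED="203.0.113.10 203.0.113.11"

# One-time setup: the set with a default entry timeout, the DROP rule that
# consults it before anything else, and the LOG rule that feeds the detector.
setup_cmds() {
  timeout=$1
  printf 'ipset create blackhole hash:ip timeout %s -exist\n' "$timeout"
  printf 'iptables -I INPUT 1 -m set --match-set blackhole src -j DROP\n'
  printf 'iptables -A INPUT -p tcp --dport 25 -j LOG --log-prefix "PROBE: "\n'
}

# offenders UNUSED_LIST WINDOW  <  log lines
# Prints each source IP (once) that reached tcp/25 on two distinct unused
# addresses within WINDOW seconds.
offenders() {
  unused_list=$1
  window=$2
  awk -v window="$window" -v unused="$unused_list" '
  BEGIN { n = split(unused, u, " "); for (i = 1; i <= n; i++) isunused[u[i]] = 1 }
  {
    src = ""; dst = ""; dpt = ""
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^SRC=/) src = substr($i, 5)
      else if ($i ~ /^DST=/) dst = substr($i, 5)
      else if ($i ~ /^DPT=/) dpt = substr($i, 5)
    }
    # Only tcp/25 probes against unused addresses count.
    if (dpt != "25" || !(dst in isunused)) next
    split($3, t, ":")
    now = t[1] * 3600 + t[2] * 60 + t[3]
    # Did this source hit a *different* unused address within the window?
    for (i = 1; i <= n; i++) {
      other = u[i]
      if (other != dst && ((src, other) in seen) && now - seen[src, other] <= window) {
        if (!(src in flagged)) { flagged[src] = 1; print src }
      }
    }
    seen[src, dst] = now
  }'
}

# blackhole_cmds TIMEOUT  <  offender IPs
# Emits the ipset command that drops the source for TIMEOUT seconds; the set
# expires the entry on its own, so no cron job is needed to unban.
blackhole_cmds() {
  timeout=$1
  while read -r ip; do
    printf 'ipset add blackhole %s timeout %s -exist\n' "$ip" "$timeout"
  done
}

# Stand-alone run: show the setup commands, then the bans the sample would trigger.
setup_cmds 1800
printf '%s\n' "$SAMPLE_LOG" | offenders "$UNUSED" 60 | blackhole_cmds 1800
```

In the sample, only 198.51.100.7 is banned: 198.51.100.9 touches both unused addresses but three minutes apart, and 198.51.100.20 touches one unused address and one in-use address. Because the ipset entry carries its own timeout, the 30-minute expiry is handled by the kernel rather than by a second script, and `-exist` makes re-adding an already banned source a no-op (it refreshes the timeout rather than failing). To run it live, replace the sample with `tail -F` of the kernel log and pipe the emitted commands into `sh`.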
