Re: How to count access attempts per ip and block automatically

On 06/20/2017 10:49 PM, evan wrote:
> however I would also like to monitor the evaluation set and automatically
> add to the blacklist any address that for example 
> 
> attempts more than 25 connections on port 22 per hour.

In iptables I use a side chain and a limit/return rule.

So I create a specific chain whose terminal condition adds the address
to a block list, but then uses a limit to return from the chain early if
they are in the fair-play range.

# new chain
iptables --new-chain SSHTHROTTLE

# If they are in the naughty list then update their membership
# then drop the connection. The "update" will fail if they are not
# already in the set, and so the DROP will _NOT_ take place.
iptables --append SSHTHROTTLE --match recent --name bad_actors --update \
    --seconds 86400 --reap --jump DROP

# If the connection attempt hasn't exceeded five goes in an hour then
# accept the connection. (Use RETURN if you have more logic you want
# to go through before the final verdict.)
iptables --append SSHTHROTTLE --match hashlimit --hashlimit-name ssh_throttle \
    --hashlimit-upto 5/hour --hashlimit-mode srcip \
    --hashlimit-htable-expire 7200000 --jump ACCEPT

# Add the bad actor to the bad_actors set and then drop the packet.
iptables --append SSHTHROTTLE --match recent --name bad_actors --set \
    --jump DROP

So the above logic puts a bad_actor into a penalty box, but they get out
of the penalty if they stop trying for at least 86400 seconds (one day).
But as long as they keep trying they stay banned.


Meanwhile, that chain is really controlled by the invocation context.
That is, I use the chain name SSHTHROTTLE but the only thing that makes
this SSH specific is the invoking rule.

iptables --append INPUT --in-interface ext+ --proto tcp --match conntrack \
    --ctstate NEW --dport 22 --syn --jump SSHTHROTTLE


So you can direct all manner of sessions through just the one table if
you consider other connections just as onerous.

In NFTables you can do something similar using limits and sets, but I
haven't constructed the logic to share here.

--Rob.
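A small model of the SSHTHROTTLE chain's verdict logic, added here as an example and not Rob's rules or netfilter's own code: the hashlimit rule is modelled as a per-source token bucket using hashlimit's default burst of 5 (an assumption), and the recent list as a last-seen timestamp, which shows why a source that keeps retrying never leaves the penalty box while one that goes quiet for a full day is released. The address and the timeline of attempts are constructed.

```python
from dataclasses import dataclass, field

# Parameters taken from the rules in the post
RATE_PER_HOUR = 5          # --hashlimit-upto 5/hour
BURST = 5                  # hashlimit's default --hashlimit-burst (assumed)
BAN_SECONDS = 86400        # --seconds 86400 on the recent match
REFILL_SECONDS = 3600 / RATE_PER_HOUR   # one credit back every 720 s


@dataclass
class SshThrottle:
    """Per-source state of the SSHTHROTTLE chain (a model, not the kernel code)."""
    credits: dict = field(default_factory=dict)      # src -> (credits, last_seen)
    bad_actors: dict = field(default_factory=dict)   # src -> last_seen (the 'recent' list)

    def verdict(self, src: str, now: float) -> str:
        # Rule 1: 'recent --update --seconds 86400 --reap' matches only if the
        # address is listed AND was seen within the last day; a match refreshes
        # the timestamp (so persistent offenders never age out) and DROPs.
        seen = self.bad_actors.get(src)
        if seen is not None:
            if now - seen < BAN_SECONDS:
                self.bad_actors[src] = now
                return "DROP"
            del self.bad_actors[src]            # --reap: stale entry purged, no match
        # Rule 2: 'hashlimit --hashlimit-upto 5/hour --hashlimit-mode srcip',
        # modelled as BURST credits per source refilled at the configured rate.
        credits, last = self.credits.get(src, (BURST, now))
        credits = min(BURST, credits + (now - last) / REFILL_SECONDS)
        if credits >= 1:
            self.credits[src] = (credits - 1, now)
            return "ACCEPT"
        self.credits[src] = (credits, now)
        # Rule 3: 'recent --set' then DROP: the sixth attempt within the hour
        # lands the source in bad_actors, and rule 1 handles it from now on.
        self.bad_actors[src] = now
        return "DROP"


def run_scenario() -> list:
    """Constructed timeline for one source: six quick attempts, then retries."""
    chain = SshThrottle()
    attacker = "198.51.100.7"                     # constructed sample address
    times = [0, 10, 20, 30, 40, 50,               # 5 accepted, 6th banned
             3600,                                # credits back, but still banned
             3600 + 43200,                        # 12 h later: ban refreshed
             3600 + 43200 + 86400]                # silent a full day: released
    return [chain.verdict(attacker, t) for t in times]
```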