Pablo Neira Ayuso wrote on 10/18/23 13:49:
> On Wed, Oct 18, 2023 at 01:07:07PM +0200, U.Mutlu wrote:
>> [...]
>> Lately I've extended this to make it a 2-stage: if a blocked IP
>> continues sending more than x packets while in timeout of y minutes,
>> then add this attacker to the second set that has a much higher timeout of z
>> minutes.
>> One additional practical benefit of this approach is that
>> now one sees the hardcore attackers grouped (they are those in set2).
>> The correct management of these two sets requires the said
>> atomicity by testing BOTH sets before adding the IP to the first set...
> You should look at nftables concatenations, you do not have to split
> this information across two sets in nftables. For adding entries from
> the packet path, have a look at dynamic sets.
>
> Two sets also means two lookups from the packet path.
But as said above, I need a separate 2nd set anyway,
to be able to see the hardcore attackers.
For example for auto-generating and filing
an Abuse Report to the abuse address (WHOIS)
of the owning ISP of that attacker/hacker IP.

Your other suggestions make sense, indeed, but ATM
are too advanced for me; I would need some time to
learn these advanced concepts possible in current nftables.
In the meantime iptables with ipset shall suffice for my non-HA needs. :-)
Thx.
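As an added example, not code from either participant in this thread, here is one way to express the two-stage scheme described above in nftables using dynamic sets, as suggested in the reply. The table and set names, the ports, the thresholds (a source is blocked after more than 20 new connections per minute; a blocked source that still sends more than x = 10 packets per minute is escalated) and the timeouts (y = 10m, z = 24h) are assumptions chosen for illustration. The rate state is kept in separate dynamic sets from the membership sets, because a lookup such as `ip saddr @blocked` matches any element present in the set, including elements whose attached `limit rate over` has not yet been exceeded.

```nft
#!/usr/sbin/nft -f
# Added example, not the thread author's ruleset. Names, ports, rates
# and timeouts are illustrative assumptions.
flush ruleset

table inet blocklist {
    # rate state for new connections per source (stage-1 trigger)
    set new_rate {
        type ipv4_addr
        flags dynamic, timeout
        timeout 1m
        size 65535
    }

    # stage 1: sources that exceeded the new-connection rate; timeout "y"
    set blocked {
        type ipv4_addr
        flags dynamic, timeout
        timeout 10m
        size 65535
    }

    # rate state for packets sent by sources that are already blocked
    # (stage-2 trigger: "keeps sending while in timeout")
    set blocked_rate {
        type ipv4_addr
        flags dynamic, timeout
        timeout 10m
        size 65535
    }

    # stage 2: the "hardcore" attackers; much longer timeout "z"
    set hardcore {
        type ipv4_addr
        flags dynamic, timeout
        timeout 24h
        size 65535
    }

    chain input {
        type filter hook input priority filter; policy accept;

        iif lo accept
        ct state established,related accept

        # stage 2 is checked first: an escalated source is dropped here and
        # never reaches the rule that adds to @blocked again
        ip saddr @hardcore counter drop

        # a blocked source that still sends more than x (here 10) packets
        # per minute is escalated to @hardcore; the two set statements run
        # in order in the packet path, so the "test both sets, then add"
        # step needs no userspace locking
        ip saddr @blocked update @blocked_rate { ip saddr limit rate over 10/minute } add @hardcore { ip saddr } log prefix "nft-escalate: " counter drop

        # blocked sources below that rate are just dropped until the
        # 10 minute timeout of their @blocked element expires
        ip saddr @blocked counter drop

        # stage 1: more than 20 new connections per minute from one source
        # puts it into @blocked for 10 minutes
        tcp dport { 22, 80, 443 } ct state new update @new_rate { ip saddr limit rate over 20/minute } add @blocked { ip saddr } log prefix "nft-block: " counter drop
    }
}
```

Load it with `nft -f` and inspect the escalated sources with `nft list set inet blocklist hardcore`; that listing is the grouped view of the hardcore attackers the scheme is meant to provide (for example as input to an abuse report). Note that an escalated source stays in @blocked until that element times out, which is harmless because the @hardcore lookup comes first, and that every packet from an unknown source now costs several set lookups, which is the trade-off the reply points out. Only IPv4 is shown; IPv6 would need a parallel pair of `ip6_addr` sets and `ip6 saddr` rules.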