Out of interest, I took a look at my "PERMABAN" ipset list. It now has
5,296 addresses in it, with the top 5 offenders all having exceeded
half a million hits each *since* having acted badly enough to end up in
that list. Total packets across the list amount to > 17 million, which
means that the average offender continues trying > 3,000 times after
ending up on the list.
If anyone's interested, here's how I do it...
I have an iptables chain called LOGANDBLOCK at the end of my INPUT
chain. That does the usual log / tcp reset / drop sequence. But it also
has the following rules:
-A LOGANDBLOCK -m recent --rcheck --hitcount 20 --name LOGANDBLOCK --mask 255.255.255.255 --rsource -j SET --add-set PERMABAN src
-A LOGANDBLOCK -m recent --set --name LOGANDBLOCK --mask 255.255.255.255 --rsource
-A LOGANDBLOCK -m recent --rcheck --seconds 86400 --reap --name LOGANDBLOCK --mask 255.255.255.255 --rsource
-A LOGANDBLOCK -m set --match-set PERMABAN src -m recent --remove --name LOGANDBLOCK --mask 255.255.255.255 --rsource
Those say that any IP which has hit LOGANDBLOCK more than 20 times in
the past day will get added to the PERMABAN ipset and removed from the
LOGANDBLOCK recent list. They stay on the PERMABAN set forever, unless
manually removed.
My INPUT chain also contains, near the start:
-A INPUT -m set --match-set PERMABAN src -j LOGANDBLOCK
-A INPUT -m recent --rcheck --hitcount 5 --name LOGANDBLOCK --mask 255.255.255.255 --rsource -j LOGANDBLOCK
So anyone who's in PERMABAN or who has hit LOGANDBLOCK 5 times in the past
day will continue to do so. (i.e. you get blocked temporarily after 5 hits
in 1 day, permanently after 20).
Finally, I have a simple python script which watches my logs for
dubious ssh attempts (like fail2ban does) and, when spotted, increments
the LOGANDBLOCK xt_recent counter manually. So, hitting ssh 5 times
dubiously gets you onto the firewall block list, same as hitting
closed ports 5 times. Continuing to do so gets you onto the permaban
list.
Maybe banning after 20 hits/day is a bit aggressive, but nobody's
complained to me yet!
Cheers,
Alun.
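Added example (written for this page, not Alun's script, which is not in the post): a small Python watcher of the kind the last paragraph describes, which reads sshd log lines and bumps the offending address in the LOGANDBLOCK xt_recent list by writing "+<ip>" to the kernel's proc interface. It assumes the list is called LOGANDBLOCK and lives at /proc/net/xt_recent/LOGANDBLOCK (the file only exists once a rule naming the list has been loaded), that a proc write counts as a hit the same way a packet through "-m recent --set" does, that the list is IPv4 (the rules above use --mask 255.255.255.255), and that sshd logs in OpenSSH's usual syslog wording. The sample log lines at the bottom are constructed, using RFC 5737 documentation addresses.

```python
#!/usr/bin/env python3
"""Push dubious sshd events into an xt_recent list (added example, not the
poster's script). Assumes: the `recent` list is named LOGANDBLOCK and the
kernel exposes it at /proc/net/xt_recent/LOGANDBLOCK (that file only exists
once an iptables rule naming the list has been loaded); writing "+<ip>" to it
adds the address or refreshes it, which xt_recent counts as a hit exactly as
a packet through `-m recent --set` would; the list is IPv4 (the rules use
--mask 255.255.255.255); and the log uses OpenSSH's usual syslog wording."""
import ipaddress
import re
import sys
import time
from pathlib import Path
from typing import Dict, Iterable, Iterator, Optional

XT_RECENT_PATH = Path("/proc/net/xt_recent/LOGANDBLOCK")

# sshd lines treated as dubious. "Invalid user X from A" is deliberately left
# out: sshd follows it with "Failed password for invalid user X from A", which
# is matched below, so counting both would charge two hits per attempt.
_SUSPICIOUS = [
    re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+"),
    re.compile(r"sshd\[\d+\]: Did not receive identification string from (\S+)"),
]


def suspicious_ip(line: str) -> Optional[str]:
    """Return the peer's IPv4 address if `line` is a dubious sshd event, else None."""
    for pat in _SUSPICIOUS:
        m = pat.search(line)
        if m is None:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            return None
        return str(addr) if addr.version == 4 else None  # IPv6 would need its own list
    return None


def xt_recent_entry(ip: str) -> str:
    """The text xt_recent accepts: '+addr' adds/refreshes, '-addr' removes, '/' clears."""
    ipaddress.IPv4Address(ip)  # ValueError on anything that is not a plain IPv4 address
    return f"+{ip}\n"


def record_hit(ip: str, proc_path: Path = XT_RECENT_PATH) -> None:
    """Add one hit for `ip` to the kernel's list (needs root)."""
    try:
        with proc_path.open("w") as fh:
            fh.write(xt_recent_entry(ip))
    except FileNotFoundError:
        raise SystemExit(f"{proc_path} missing: load a rule using "
                         f"'-m recent --name {proc_path.name}' first")


def process_log(lines: Iterable[str], proc_path: Path = XT_RECENT_PATH,
                dry_run: bool = False) -> Dict[str, int]:
    """Count dubious events per address and, unless dry_run, push each to xt_recent."""
    counts: Dict[str, int] = {}
    for line in lines:
        ip = suspicious_ip(line)
        if ip is None:
            continue
        counts[ip] = counts.get(ip, 0) + 1
        if not dry_run:
            record_hit(ip, proc_path)
    return counts


def follow(path: Path, interval: float = 1.0) -> Iterator[str]:
    """tail -f: yield lines appended to `path` (no log-rotation handling)."""
    with path.open() as fh:
        fh.seek(0, 2)  # start at the end; earlier failures were already handled
        while True:
            line = fh.readline()
            if line:
                yield line.rstrip("\n")
            else:
                time.sleep(interval)


# Constructed sample (RFC 5737 documentation addresses) for --dry-run and tests.
SAMPLE_LOG = [
    "Jan 12 03:14:07 gw sshd[2211]: Failed password for root from 203.0.113.7 port 51522 ssh2",
    "Jan 12 03:14:09 gw sshd[2211]: Failed password for root from 203.0.113.7 port 51522 ssh2",
    "Jan 12 03:14:12 gw sshd[2214]: Invalid user admin from 198.51.100.23 port 40122",
    "Jan 12 03:14:12 gw sshd[2214]: Failed password for invalid user admin from 198.51.100.23 port 40122 ssh2",
    "Jan 12 03:15:01 gw sshd[2220]: Did not receive identification string from 203.0.113.7 port 44000",
    "Jan 12 03:15:30 gw sshd[2230]: Accepted publickey for alun from 192.0.2.10 port 50000 ssh2",
    "Jan 12 03:16:00 gw CRON[2300]: pam_unix(cron:session): session opened for user root by (uid=0)",
]

if __name__ == "__main__":
    if "--dry-run" in sys.argv:
        print(process_log(SAMPLE_LOG, dry_run=True))  # {'203.0.113.7': 3, '198.51.100.23': 1}
    else:
        log = Path(sys.argv[1]) if len(sys.argv) > 1 else Path("/var/log/auth.log")
        process_log(follow(log))
```

Run it with --dry-run to see the per-address counts from the sample lines without touching the kernel; without the flag it tails /var/log/auth.log (or the path given) and writes each hit to the proc file, so with the INPUT rule above five dubious ssh attempts in a day land the address in LOGANDBLOCK, just as five hits on closed ports would. Writes to the proc file are rejected by the kernel if the list does not exist, which is why the script checks for that and tells you to load the rules first.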