
I’m looking for an IPTables-only solution to block any IP address that has made too many (e.g. more than 5) connections or reconnections within a short period of time (e.g. 1 minute) on a certain port. Blocked addresses should be locked out for at least 30 minutes.

seizu
    Depends what you mean by "IPTables only". Fail2Ban does this, and uses iptables to block the traffic, but fail2ban runs as a service to manage the blocks (start and stop). – Gene Gotimer Oct 30 '14 at 20:09
  • Due to the lack of space and some other reasons, I need a solution without any third-party tools. – seizu Oct 30 '14 at 20:19
  • You'll have other services running, like networking, the kernel, and presumably a web server or something listening to the port you want monitored. iptables won't do what you want without some help, and if you are saying you can't use any help then... – Gene Gotimer Oct 30 '14 at 20:39
  • I work on an embedded system and of course I have a kernel and network services ;) – seizu Oct 30 '14 at 20:48
  • 1
    All I'm pointing out is that you have drawn an arbitrary line about what can and can't be used. It may not seem arbitrary to you, but it is. – Gene Gotimer Oct 30 '14 at 21:04
  • See: http://serverfault.com/a/17879. – Zoredache Oct 30 '14 at 21:24

2 Answers

The solution you give will slow down the rate of new connections, but the source can come back after 180 seconds, and may even find out that once every 60 seconds is OK. If you want it to be banned for at least 30 minutes as you asked for (check out also the --rcheck option instead of --update), you need to add the source to another recent list of sources instead of dropping the packets. So it becomes:

# BANNING only records the offending source in the BANNED list, then returns to INPUT
iptables -N BANNING
iptables -A BANNING -m recent --set --name BANNED --rsource

# -A appends this at the bottom of INPUT: drop any source seen in BANNED during the last 1800 s
# (--update refreshes the entry on every hit, --reap discards stamps older than the window)
iptables -A INPUT -m recent --name BANNED --update --seconds 1800 --reap -j DROP
# -I inserts at the top, so the second -I rule ends up above the first: the hitcount check
# (4 NEW connections to port 22 within 180 s) runs before the --set that records each attempt
iptables -I INPUT -i eth1 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --rsource
iptables -I INPUT -i eth1 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 180 --hitcount 4 --name DEFAULT --rsource -j BANNING
Zimmi
  • amazon linux 4.9.20-11.31.amzn1.x86_64 : iptables-restore v1.4.18: unknown option "--reap" – Massimo May 06 '17 at 18:55
  • I found : last iptables doesn't have the option "reap", just remove it – Massimo May 06 '17 at 19:10
  • @Massimo Check the netfilter man page about the match recent extension (http://ipset.netfilter.org/iptables-extensions.man.html#lbBW). It says about reap: `This option can only be used in conjunction with --seconds`. The given link is for iptables v1.4.20. On my servers with iptables v1.4.21, no problem with reap. But I never used Amazon Linux... – Zimmi May 06 '17 at 19:27

Thanks to Zoredache for pointing me to that link. After searching the Web I found a similar solution on Devon Hillard's tech blog.

These two simple rules do the job.

# record every NEW connection to port 22 in the DEFAULT recent list
iptables -I INPUT -i eth1 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --rsource

# inserted after the rule above, so it sits above it: drop the source once it has
# 4 or more entries within the last 180 s (--update also refreshes its timestamp)
iptables -I INPUT -i eth1 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 180 --hitcount 4 --name DEFAULT --rsource -j DROP

Source: Using IPTables to Prevent SSH Brute Force Attacks

seizu
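How long each of the two rule sets above actually keeps a source out is easier to see by replaying a connection pattern through a model of the "recent" match. The script below is an added example written for this page, not code from either answer, from iptables or from the kernel: RecentList models one --name list with the documented --set/--rcheck/--update/--reap/--seconds/--hitcount behaviour (times in seconds rather than jiffies, entries capped at the ip_pkt_list_tot default of 20), and the three layouts are seizu's two rules, Zimmi's three rules in the order the -I/-A commands leave INPUT, and a reordered variant with the BANNED check on top. The address 10.0.0.1 and the connection schedule are constructed for the demonstration.

```python
"""Added example (not code from the page, iptables or the kernel): a small model
of the "recent" match (xt_recent) used to compare how long each rule layout on
this page keeps a source locked out. Stamp handling follows the documented
--set/--rcheck/--update/--reap/--seconds/--hitcount semantics; times are
seconds, not jiffies, and every packet is a NEW connection to the guarded port.
"""
from collections import defaultdict


class RecentList:
    """One --name list: source address -> timestamps it was set/updated with."""

    def __init__(self, max_stamps=20):  # module parameter ip_pkt_list_tot, default 20
        self.max_stamps = max_stamps
        self.stamps = defaultdict(list)

    def set(self, src, now):
        """--set: add or refresh the entry with a new timestamp."""
        s = self.stamps[src]
        s.append(now)
        del s[:-self.max_stamps]

    def check(self, src, now, seconds=0, hitcount=0, update=False, reap=False):
        """--rcheck (update=False) or --update (update=True).

        Matches when src is listed and at least --hitcount (or one) of its
        stamps fall inside the last `seconds`. --update refreshes the entry
        only on a match; --reap drops stamps that have aged out of the window.
        """
        if src not in self.stamps:
            return False
        window = [t for t in self.stamps[src] if not seconds or t >= now - seconds]
        matched = len(window) >= max(hitcount, 1)
        if reap and seconds:
            if window:
                self.stamps[src] = window
            else:
                del self.stamps[src]
        if update and matched:
            self.set(src, now)
        return matched


def rate_limit_only(default, banned):
    """seizu's two rules as two -I commands leave them: hitcount check above --set."""
    def hitcount(src, now):
        if default.check(src, now, seconds=180, hitcount=4, update=True):
            return "DROP"

    def mark(src, now):
        default.set(src, now)

    return [hitcount, mark]


def ban_list_as_posted(default, banned, rcheck=False):
    """Zimmi's rules as two -I and one -A leave INPUT: the BANNED check is the
    -A rule, so it lands *below* the two -I rules."""
    def hitcount(src, now):
        if default.check(src, now, seconds=180, hitcount=4, update=True):
            banned.set(src, now)  # -j BANNING: --set --name BANNED, then RETURN

    def mark(src, now):
        default.set(src, now)

    def drop_banned(src, now):
        if banned.check(src, now, seconds=1800, update=not rcheck, reap=True):
            return "DROP"

    return [hitcount, mark, drop_banned]


def ban_list_checked_first(default, banned):
    """Reordered: BANNED --rcheck on top, and BANNING ends with DROP so the
    packet that triggers the ban does not slip through."""
    def drop_banned(src, now):
        if banned.check(src, now, seconds=1800, reap=True):
            return "DROP"

    def hitcount(src, now):
        if default.check(src, now, seconds=180, hitcount=4, update=True):
            banned.set(src, now)
            return "DROP"

    def mark(src, now):
        default.set(src, now)

    return [drop_banned, hitcount, mark]


def run(rules, packets):
    """First matching rule decides; an unmatched packet is accepted further down."""
    out = []
    for now, src in packets:
        verdict = "ACCEPT"
        for rule in rules:
            v = rule(src, now)
            if v:
                verdict = v
                break
        out.append((now, verdict))
    return out


def accepted_times(layout):
    """Constructed scenario: 10.0.0.1 connects every 10 s for an hour, then once
    more 25 minutes after giving up. Returns the times that got through."""
    default, banned = RecentList(), RecentList()
    rules = layout(default, banned)
    packets = [(t, "10.0.0.1") for t in range(0, 3600, 10)] + [(3600 + 1500, "10.0.0.1")]
    return [t for t, v in run(rules, packets) if v == "ACCEPT"]


if __name__ == "__main__":
    for layout in (rate_limit_only, ban_list_as_posted, ban_list_checked_first):
        print(f"{layout.__name__:24s} accepted at t = {accepted_times(layout)}")
```

Three points fall out of the replay. With seizu's rules a persistent source stays dropped only while it keeps hammering, and is back in after 180 s of silence (the 25-minute-later attempt is accepted). With Zimmi's rules in the posted order the hitcount rule still runs for an already banned source, so BANNING re-sets BANNED on every attempt and the lockout lasts 30 minutes after the *last* attempt, not after the ban; switching the BANNED rule to --rcheck alone does not change that. A fixed 30-minute lockout needs the BANNED check above the hitcount rule (insert it last) and a DROP at the end of BANNING. Independently of the model, remember that -A puts the BANNED DROP at the bottom of INPUT, below any existing ACCEPT for port 22, where it would never fire.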