Script for firewall autoban

cobrax3

Occasional Visitor
Hey guys, I've been using Merlin for a while, and now, after some suspicious logs, I'm looking to do a little script that auto-bans an IP for, let's say, 30 minutes if too many port requests are received from an IP.
Any ideas how to do that?
Thank you!
 
Hey guys, I've been using Merlin for a while, and now, after some suspicious logs, I'm looking to do a little script that auto-bans an IP for, let's say, 30 minutes if too many port requests are received from an IP.
Any ideas how to do that?
Thank you!
Not out of the box, but something to start you with would be http://www.fail2ban.org/wiki/index.php/Main_Page and http://archive09.linux.com/articles/48138 ; if you are creating logs, I highly recommend making sure that they are on a USB drive and not the device's JFFS.
 
Thanks for the suggestions. I am talking only of the system log, not the firewall log; not much is written there. Those scripts are banning if someone tries logins. I haven't had those, I think. I've had some random packets resembling port scanning. I'd like to counter port scanning.
Thanks again.
 
The setting Administration/System/Allow only specified IP address can limit that. But AFAIK on the LAN side only.
 
Those scripts are banning if someone tries logins. I haven't had those, I think. I've had some random packets resembling port scanning. I'd like to counter port scanning.
Thanks again.
How do you know you are being port scanned then? The only thing you will see in the syslog is failed connection/login errors for services you have exposed to the internet, i.e. VPN, FTP, HTTP, etc. Those messages are generated by each service individually. Someone scanning a port that isn't running a service won't generate a message in the syslog.

Can you give an example of the messages you are seeing?
 
Yes, I get errors on VPN and on OpenVPN ports. Not many, probably random scans, I think? I got IPs from China and the US. I'm in Europe.
 
Thank you, this looks interesting, but I'm not an expert in Linux commands, lol.
If I delete "--dport 22" and just use
/usr/sbin/iptables -I INPUT -p tcp -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
will it use any port, and effectively drop any connections from the same IP that are more than 4 in 60 seconds?
Thanks again!
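An added example (not code from the thread or from Asuswrt-Merlin) of the rate-limit-then-ban pattern the iptables line above is reaching for: the key point is that `--update` only matches addresses already in its list, so a `--set` rule must feed it, and a second list holds the 30-minute ban with a fixed timer. It assumes the WAN interface is eth0, a hypothetical chain name AUTOBAN, and that on Asuswrt-Merlin it is called from /jffs/scripts/firewall-start; run with no argument to print the rules, `apply` to install them.

```shell
#!/bin/sh
# Added example (not from the thread): auto-ban a WAN source that opens too
# many NEW connections, for 30 minutes, using the iptables "recent" match.
# Assumptions: WAN interface is eth0 (set WAN_IF otherwise) and, on
# Asuswrt-Merlin, this is run from /jffs/scripts/firewall-start.
WAN_IF="${WAN_IF:-eth0}"
WINDOW=60      # seconds within which HITS new connections trigger a ban
HITS=4         # the thread's "--hitcount 4"
BAN=1800       # ban length in seconds (30 minutes)
CHAIN=AUTOBAN  # hypothetical chain name
IPT=/usr/sbin/iptables

# Print the rules rather than run them, so they can be reviewed first.
# Order matters: a lone "--update" rule never matches, because nothing
# ever adds the address to its list; the "--set" rule below does that.
gen_rules() {
    cat <<EOF
$IPT -N $CHAIN 2>/dev/null
$IPT -F $CHAIN
# 1. Already banned: drop everything for $BAN s after the ban was set
#    (--rcheck does not refresh the timestamp, so the ban really expires).
$IPT -A $CHAIN -m recent --name banned --rcheck --seconds $BAN -j DROP
# 2. Record every NEW connection attempt from this source.
$IPT -A $CHAIN -m state --state NEW -m recent --name scan --set
# 3. $HITS or more NEW attempts within $WINDOW s: add to "banned" and drop.
$IPT -A $CHAIN -m state --state NEW -m recent --name scan --update --seconds $WINDOW --hitcount $HITS -m recent --name banned --set -j DROP
# 4. Anything else continues through the normal INPUT rules.
$IPT -A $CHAIN -j RETURN
# Only WAN traffic enters the chain, so LAN clients are never counted.
$IPT -D INPUT -i $WAN_IF -j $CHAIN 2>/dev/null
$IPT -I INPUT -i $WAN_IF -j $CHAIN
EOF
}
# Undo: detach and delete the chain; the recent lists expire on their own.
gen_cleanup() {
    cat <<EOF
$IPT -D INPUT -i $WAN_IF -j $CHAIN
$IPT -F $CHAIN
$IPT -X $CHAIN
EOF
}
# Apply only on a box that actually has iptables (e.g. the router itself).
apply_rules() { [ -x "$IPT" ] && gen_rules | sh; }
case "${1:-}" in
    apply)   apply_rules ;;
    cleanup) gen_cleanup | sh ;;
    *)       gen_rules ;;   # default: just show what would be applied
esac
```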
 
