Script for firewall autoban

[cobrax3]

Hey guys, ive been using for a while merlin, and now after some suspicious logs, im looking to do a little script that auto bans an ip for lets say 30 minutes if too many port requests are received from an ip.
any ideas how to do that?
thank you!

 

[cobrax3]

nobody has any idea?

 

[YasharF]

Hey guys, ive been using for a while merlin, and now after some suspicious logs, im looking to do a little script that auto bans an ip for lets say 30 minutes if too many port requests are received from an ip.
any ideas how to do that?
thank you!

Not out of the box, but something to start you with would be http://www.fail2ban.org/wiki/index.php/Main_Page and http://archive09.linux.com/articles/48138 ; if you are creating logs, I highly recommend making sure that it is on a USB and not the device JFFS

 

[cobrax3]

thanks for the suggestions. i am talking only of the system log, not the firewall log, not much is written there. those scripts are banning if someone tries logins. i havent had those, i think. ive had some random packets resembling portscanning. id like to counter portscanning
thanks again

 

[thelonelycoder]

The setting Administration/System/Allow only specified IP address can limit that. But AFAIK on the LAN side only.

 

[cobrax3]

yes, i need autoban on port scan on wan interface

 

[ColinTaylor]

those scripts are banning if someone tries logins. i havent had those, i think. ive had some random packets resembling portscanning. id like to counter portscanning
thanks again

How do you know you are being port scanned then? The only thing you will see in the syslog is failed connection/login errors for services you have exposed to the internet. i.e. VPN, FTP, HTTP,etc. Those messages are generated by each service individually. Someone scanning a port that isn't running a service won't generate a message in the syslog.

Can you give an example of the messages you are seeing.

 

[cobrax3]

yes, i get errors on vpn and on openvpn ports. not many, probably random scans i think? i got ip's from china and us. im europe

 

[cobrax3]

so no one knows how i can do that?
thank you

 

[thelonelycoder]

I have no idea if this works

so no one knows how i can do that?
thank you

Google-fu brought this up:
Using IPtables to Stop SSH Brute Force Attacks
Not sure it'll work. You'll find out if you try.

 

[cobrax3]

thank you, this looks interesting, but im not an expert in linux commands lol
if i delete "--dport 22" and just use
/usr/sbin/iptables -I INPUT -p tcp -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
will it use any port, and effectively drop any connections from same ip that are more than 4 in 60 seconds?
thanks again!