Add iptables block on IP after many ports scanned

Basher52
guru
Posts: 917
Joined: Wed Oct 22, 2003 5:57 am
Location: .SE

Post by Basher52 » Tue Jan 26, 2010 4:50 pm

I wonder if anyone knows an application that can add an iptables drop when the same IP scans lots of ports, let's say 20 or so, preferably configurable.

I've started to see lots of IP addresses that scan lots of ports trying to find something to get into, and instead of going through the logs every day doing this manually, is there something that can do this?

I'll show you what I mean:

   From 70.173.72.49 - 568 packets to tcp(1054,1079,1210,1213,1215,1217,1222,1224,1227,1228,1232,1240,1241,1248,1259,1262,1277,1278,1279,1280,1285,1290,1293,1297,1298,1299,1300,1304,1305,1307,1310,1311,1313,1314,1316,1317,1318,1321,1323,1326,1328,1331,1333,1334,1336,1340,1343,1344,1347,1348,1353,1354,1357,1358,1452,1537,1540,1541,1546,1547,1550,1551,1552,1553,1555,1565,1566,1567,1568,1571,1572,1575,1577,1578,1580,1581,1583,1584,1586,1589,1591,1592,1593,1594,1595,1596,1598,1600,1602,1603,1604,1606,1609,1611,1612,1613,1615,1616,1617,1621,1628,1637,1639,1648,1656,1659,1660,1686,1728,1792,1887,1891,1957,2030,2172,2248,2336,2492,2670,2743,2793,2825,2962,2972,2992,2996,3042,3145,3167,3268,3445,3518,3594,3682,3802,3824,3851,3858,3899,3941,4181,4351,4574,4629,4694,4821,20355)

and I've seen lots and lots of these, even worse the last couple of weeks, and right now I just add a:
iptables -t filter -A INPUT -i eth0 -s x.x.x.x -j DROP
into my iptables script, but it's getting to be too much work doing this.

The log has increased three times in size from like 4-6 weeks ago.

Void Main
Site Admin
Posts: 5716
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Post by Void Main » Tue Jan 26, 2010 5:16 pm

Here's what looks like one way:

http://www.cyberciti.biz/faq/linux-dete ... n-attacks/

http://cipherdyne.org/psad/

I had written a script to detect and block Code Red infected addresses way back when:

http://voidmain.is-a-geek.net/codered/
http://voidmain.is-a-geek.net/forums/vi ... c&start=15

Having said all that, if you start blocking hundreds to thousands of individual addresses, you can probably expect to start running into performance problems. I did when auto-blocking. Every packet has to traverse that entire chain of rules, and that is costly when you have a large number of rules. So I would flush them periodically.
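As an added example for both posts above (not code from the thread, from psad, or from the linked pages): a POSIX shell script that reads psad-style "From <ip> - N packets to tcp(p1,p2,...)" lines like the one quoted in the first post, counts distinct ports per source address, and emits DROP rules for any source at or above a configurable threshold. To address the performance point in the reply, the rules go into a dedicated chain that is hooked into INPUT once and can be flushed as a whole, so the per-IP rules never accumulate in INPUT itself. Assumptions: that log line format, a chain named SCANBLOCK, a default threshold of 20 distinct ports, interface eth0, and an IPTABLES variable that defaults to "echo iptables" so the script only prints the commands until you set IPTABLES=iptables. The sample log lines are constructed with documentation addresses.

```shell
#!/bin/sh
# Added example, not psad's code and not from the thread. Parses psad-style
# "From <ip> - N packets to tcp(p1,p2,...)" lines and turns repeat port
# scanners into DROP rules in a dedicated chain that can be flushed as one.
# Assumptions: that log format, chain SCANBLOCK, threshold 20, eth0, and
# IPTABLES defaulting to "echo iptables" (dry run; prints the commands).

PORT_LIMIT="${PORT_LIMIT:-20}"            # distinct ports that trigger a block
CHAIN="${CHAIN:-SCANBLOCK}"               # dedicated chain, flushed periodically
IPTABLES="${IPTABLES:-echo iptables}"     # set IPTABLES=iptables to apply for real

# Constructed sample log (documentation addresses, shortened port lists).
SAMPLE_LOG='From 198.51.100.7 - 568 packets to tcp(1054,1079,1210,1213,1215,1217,1222,1224,1227,1228,1232,1240,1241,1248,1259,1262,1277,1278,1279,1280,1285,1290)
From 203.0.113.9 - 3 packets to tcp(22,80,443)
From 198.51.100.7 - 12 packets to tcp(1054,1079,2992,2996,3042)
From 192.0.2.44 - 40 packets to tcp(1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21)'

# count_ports LINE: number of distinct ports inside tcp(...) on one line (0 if none).
count_ports() {
    printf '%s\n' "$1" |
        sed -n 's/.*tcp(\([0-9,]*\)).*/\1/p' |
        tr ',' '\n' | sort -u | wc -l | tr -d ' '
}

# offenders LOG: prints "ip count" for every source whose distinct ports,
# summed across all of its lines, reach PORT_LIMIT; sorted by address.
offenders() {
    printf '%s\n' "$1" |
        sed -n 's/^From \([0-9.]*\) - .* tcp(\([0-9,]*\)).*/\1 \2/p' |
        awk -v limit="$PORT_LIMIT" '
            { n = split($2, p, ","); for (i = 1; i <= n; i++) seen[$1 "," p[i]] = 1 }
            END {
                for (k in seen) { split(k, a, ","); cnt[a[1]]++ }
                for (ip in cnt) if (cnt[ip] >= limit) print ip, cnt[ip]
            }' | sort
}

# setup_chain: create the chain and hook it in front of INPUT; run once from
# the firewall script. flush_chain empties only that chain, so the per-IP
# rules can be discarded on a schedule without touching the rest of INPUT
# (every packet walks the whole chain, so keeping it short matters).
setup_chain() {
    $IPTABLES -N "$CHAIN"
    $IPTABLES -I INPUT -i eth0 -j "$CHAIN"
}
flush_chain() {
    $IPTABLES -F "$CHAIN"
}

# block_offenders LOG: one DROP rule per offending source, plus a note on stderr.
block_offenders() {
    offenders "$1" | while read -r ip count; do
        $IPTABLES -A "$CHAIN" -s "$ip" -j DROP
        echo "# blocked $ip after $count distinct ports" >&2
    done
}

# Dry-run demonstration against the constructed sample: sh script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    setup_chain
    block_offenders "$SAMPLE_LOG"
fi
```

Run it with `--demo` to see the commands it would issue; pointed at a real psad report (for example `block_offenders "$(cat report.txt)"`) with `IPTABLES=iptables`, it appends the rules to the SCANBLOCK chain, and a cron job calling `flush_chain` implements the periodic flush suggested above. Counting distinct ports rather than packets is deliberate: one noisy client retrying a single port should not be treated like a sweep.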

Basher52
guru
Posts: 917
Joined: Wed Oct 22, 2003 5:57 am
Location: .SE

Post by Basher52 » Mon Feb 01, 2010 2:19 pm

Flush, yeah, that sounds smart.