[Novalug] What's a good way to block a bunch of IP's?

Dan Lavu dan@lavu.net
Mon Jul 30 00:40:18 EDT 2012


Load the ipt_recent module and you can do it in iptables. 

iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set 
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 300 --hitcount 10 -j DROP 

----- Original Message -----

From: "Jon LaBadie" <novalugml@jgcomp.com> 
To: novalug@calypso.tux.org 
Sent: Monday, July 30, 2012 12:34:53 AM 
Subject: Re: [Novalug] What's a good way to block a bunch of IP's? 

On Mon, Jul 30, 2012 at 12:08:38AM -0400, Clif Flynt wrote: 
> When I was being ddos'ed with dictionary ssh attacks I put together a 
> script that would watch /var/log for repeated ssh failures and 
> automatically added them to the iptables with 
> 
> /sbin/iptables -D INPUT -j DROP -i ppp0 -s $ip 
> 
> my script logged the times of addition and removed the address 
> from iptables a few hours later. 
> 
> I wrote my script in Tcl, but a perl or python or bash script 
> wouldn't be much tougher. 
> 
The denyhosts package might be suitable here. 

jl 
-- 
Jon H. LaBadie novalugml@jgcomp.com 
11226 South Shore Rd (703) 787-0688 (H) 
Reston, VA 20190 (609) 477-8330 (C) 
_______________________________________________ 
Novalug mailing list 
Novalug@calypso.tux.org 
http://calypso.tux.org/mailman/listinfo/novalug 
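The log-watching approach Clif describes above, written out as an added Python example (this is not Clif's Tcl script, nor code from anyone in the thread). It scans OpenSSH "Failed password" lines, applies the same 10-hits-in-300-seconds threshold Dan's `-m recent` rules use, and forgets a block after a few hours the way Clif's script did. It only returns the iptables commands as strings so it can be read and tested without root; the interface name `eth0`, the three-hour ban length, the log year and the exact sshd log format are assumptions, and the log lines are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed OpenSSH failed-login line, e.g.
#   Jul 30 00:00:10 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 4242 ssh2
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)

HITCOUNT = 10                      # same threshold as Dan's --hitcount 10
WINDOW = timedelta(seconds=300)    # same window as Dan's --seconds 300
BAN_FOR = timedelta(hours=3)       # assumed; Clif said "a few hours"
LOG_YEAR = 2012                    # syslog lines carry no year; assumed
IFACE = "eth0"                     # assumed, taken from Dan's rules


def parse_line(line):
    """Return (timestamp, source_ip) for a failed-login line, else None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"]


class FailureTracker:
    """Sliding-window failure counter with timed bans, one entry per source IP."""

    def __init__(self, hitcount=HITCOUNT, window=WINDOW, ban_for=BAN_FOR):
        self.hitcount, self.window, self.ban_for = hitcount, window, ban_for
        self.hits = defaultdict(deque)   # ip -> timestamps inside the window
        self.banned = {}                 # ip -> time the ban lapses

    def record(self, ts, ip):
        """Count one failure; return True only when ip crosses the threshold now."""
        if ip in self.banned:            # already blocked, nothing more to do
            return False
        q = self.hits[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop hits older than the window
            q.popleft()
        if len(q) >= self.hitcount:
            self.banned[ip] = ts + self.ban_for
            q.clear()
            return True
        return False

    def expired(self, now):
        """Return IPs whose ban has lapsed by `now` and forget them."""
        done = sorted(ip for ip, until in self.banned.items() if until <= now)
        for ip in done:
            del self.banned[ip]
        return done


def block_cmd(ip, iface=IFACE):
    return f"/sbin/iptables -I INPUT -i {iface} -s {ip} -j DROP"


def unblock_cmd(ip, iface=IFACE):
    return f"/sbin/iptables -D INPUT -i {iface} -s {ip} -j DROP"


def process(lines, tracker=None):
    """Feed log lines through the tracker; return (tracker, iptables commands to run)."""
    tracker = tracker or FailureTracker()
    actions = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip = parsed
        for old in tracker.expired(ts):          # lift bans that have lapsed
            actions.append(unblock_cmd(old))
        if tracker.record(ts, ip):               # newly over the threshold
            actions.append(block_cmd(ip))
    return tracker, actions


def _fail(hms, ip, pid):
    """Build a constructed failed-login line for the sample log below."""
    return f"Jul 30 {hms} host sshd[{pid}]: Failed password for invalid user admin from {ip} port 4242 ssh2"


# Constructed sample: 12 rapid failures from one address (documentation range),
# 3 slow failures from another, one unrelated line, then a line hours later.
SAMPLE_LOG = (
    [_fail(f"00:{i // 6:02d}:{(i % 6) * 10:02d}", "203.0.113.5", 1000 + i) for i in range(12)]
    + [_fail("00:02:00", "198.51.100.7", 2001), _fail("00:03:00", "198.51.100.7", 2002),
       _fail("00:04:00", "198.51.100.7", 2003)]
    + ["Jul 30 00:04:30 host sshd[2004]: Accepted publickey for dan from 192.0.2.9 port 5000 ssh2"]
    + [_fail("03:05:00", "198.51.100.7", 2005)]
)

if __name__ == "__main__":
    tracker, actions = process(SAMPLE_LOG)
    for cmd in actions:
        print(cmd)
    print("still banned:", sorted(tracker.banned))
```

The tenth failure from 203.0.113.5 (at 00:01:30) produces the `-I INPUT ... -j DROP` command, the two failures after it are ignored because the address is already banned, and the 03:05:00 line is the first event after the ban's three-hour expiry, so it produces the matching `-D` command. The three spread-out failures from 198.51.100.7 never reach the threshold. A real deployment would run the commands through `subprocess` and persist `banned` across restarts; the kernel-side `-m recent` rules Dan shows do the same counting without any userspace process.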
