In my last post, we introduced ipset and how it can be used to create aggregated rules for multiple source/destination parameters.

Now we will look at how we can create a set of IP addresses that have attempted to connect to the telnet port, and block further connections from them. This is a proactive approach, and it's quite fun watching how quickly the list grows.

We start by creating the set. Note that we set a timeout of 3600 seconds (1 hour):

ipset create denied_telnet hash:ip timeout 3600

Next we create a rule that adds the source of each new telnet connection to the set:

 -A INPUT -p tcp -m tcp --dport 23 -m conntrack --ctstate NEW -j SET --add-set denied_telnet src

Then we block everything from that set (it may be a good idea to exclude your home IP first, just in case you lock yourself out):

-A INPUT -m set --match-set denied_telnet src -j DROP
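To make the three steps above repeatable, here is an added example (not code from the original post) that generates the ipset command and the iptables-save rules as text, with an allow-list so your own address is never recorded in the set. The function names and the trusted addresses are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original post: build the telnet trap
# described above as an iptables-restore fragment, with an allow-list so the
# operator's own address (an assumed value here) is never added to the set.

SET_NAME="denied_telnet"   # set name used in the post
TIMEOUT=3600               # seconds; entries expire after 1 hour as in the post

# Accept only dotted-quad IPv4 addresses for the allow-list.
is_ipv4() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# The command that creates the set; -exist makes it safe to re-run.
ipset_create_cmd() {
    printf '%s\n' "ipset -exist create $SET_NAME hash:ip timeout $TIMEOUT"
}

# Emit INPUT-chain rules in iptables-save syntax.
# $1 = space-separated trusted source addresses (e.g. your home IP).
gen_rules() {
    for ip in $1; do
        is_ipv4 "$ip" || { echo "bad trusted address: $ip" >&2; return 1; }
        # Placed first, so a trusted host reaching port 23 is accepted before
        # the SET target can record it; it therefore never matches the DROP.
        printf '%s\n' "-A INPUT -s $ip -p tcp --dport 23 -j ACCEPT"
    done
    printf '%s\n' "-A INPUT -p tcp --dport 23 -m conntrack --ctstate NEW -j SET --add-set $SET_NAME src"
    printf '%s\n' "-A INPUT -m set --match-set $SET_NAME src -j DROP"
}

# Usage with a constructed trusted address; review the fragment before loading it:
#   ipset_create_cmd
#   gen_rules "203.0.113.7" > /tmp/denied_telnet.rules
```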

Now go out and grab a coffee, and when you come back you may be quite surprised just how many IPs have been banned. This is the output after approximately 15 minutes on my Linode VPS:

root@kvm03-nyc:~# ipset list denied_telnet
Name: denied_telnet
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 576
References: 2

In my next post, I will discuss ways in which we can log and audit these connection attempts, and put these rules into their own iptables chain.