Etherarp

Networking, Security, Linux



IPset: Automatic Blocking of Portscans


Rohan Molloy

In my last post, we introduced ipset and how it can be used to create aggregated rules for multiple source/destination parameters.

Now we will look at how we can build a set of IP addresses that have attempted to connect to the telnet port, and block all further connections from them. This is a simple form of automatic banning, and it's quite fun watching how quickly the list grows.

We start by creating the set. Note the timeout of 3600 seconds (1 hour): it is the default lifetime for every entry, so a banned address is released automatically an hour after it was added.

ipset create denied_telnet hash:ip timeout 3600

Next we add a rule that records the source address of every new connection to the telnet port (TCP/23) in the set. The SET target is non-terminating, so processing continues with the following rules:

 -A INPUT -p tcp -m tcp --dport 23 -m conntrack --ctstate NEW -j SET --add-set denied_telnet src

Then we drop all further traffic from any address in that set. It is a good idea to exclude your own address (an ACCEPT rule above this one, or a `! -s` match on both rules) so that a stray connection to port 23 from your workstation cannot lock you out. Keep in mind that the add rule fires on the first SYN, before any handshake completes, so a scanner who spoofs source addresses can get third-party addresses banned for the length of the timeout; the short timeout and the exclusion for your own address limit the damage.

-A INPUT -m set --match-set denied_telnet src -j DROP
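The three steps above, packaged as shell functions so the rule set can be reviewed before it is applied. This is an added example, not code from the original post: the set name, timeout, port and the management address 203.0.113.10 (a documentation-range placeholder) are parameters I chose, and the `ipset list` sample embedded for the member-count helper is constructed, not real output.

```sh
#!/bin/sh
# Added example (not from the original post): emit the ipset and iptables
# rules for the telnet ban first, apply them only on request.
# Assumptions: set name, timeout, port and admin address are all placeholders.

# Step 1: the ipset create command. "-exist" makes re-running it harmless.
ban_set_create_cmd() {
    printf 'ipset create %s hash:ip timeout %s -exist\n' "$1" "$2"
}

# Steps 2 and 3 as an iptables-restore fragment for the filter table.
# Both rules carry "! -s ADMIN_IP" so the management address is neither
# recorded in the set nor dropped. Order matters: SET is non-terminating,
# so a scanner's first SYN is added by the first rule and immediately
# dropped by the second.
ban_rules_fragment() {
    port=$1; set_name=$2; admin_ip=$3
    printf '%s\n' \
        '*filter' \
        "-A INPUT ! -s $admin_ip -p tcp -m tcp --dport $port -m conntrack --ctstate NEW -j SET --add-set $set_name src" \
        "-A INPUT ! -s $admin_ip -m set --match-set $set_name src -j DROP" \
        'COMMIT'
}

# Count banned addresses in `ipset list SETNAME` output read from stdin:
# every non-empty line after the "Members:" header is one entry.
ban_member_count() {
    awk '/^Members:/ { in_members = 1; next }
         in_members && NF { n++ }
         END { print n + 0 }'
}

# Constructed sample of `ipset list` output (placeholder addresses from the
# documentation ranges), used to exercise ban_member_count offline.
SAMPLE_IPSET_LIST='Name: denied_telnet
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 3600
Size in memory: 376
References: 2
Members:
198.51.100.7 timeout 3412
198.51.100.23 timeout 2990
203.0.113.200 timeout 17
'

sample_member_count() {
    printf '%s' "$SAMPLE_IPSET_LIST" | ban_member_count
}

# Apply for real. Needs root plus ipset and iptables-restore; "--noflush"
# appends to the existing filter table instead of replacing it.
ban_apply() {
    port=$1; set_name=$2; admin_ip=$3; ttl=$4
    if [ "$(id -u)" -ne 0 ] || ! command -v ipset >/dev/null 2>&1 \
        || ! command -v iptables-restore >/dev/null 2>&1; then
        echo "ban_apply: needs root plus ipset and iptables-restore" >&2
        return 1
    fi
    eval "$(ban_set_create_cmd "$set_name" "$ttl")"
    ban_rules_fragment "$port" "$set_name" "$admin_ip" | iptables-restore --noflush
}

# Dry run when invoked as "sh telnet-ban.sh show": print what would be applied.
if [ "${1:-}" = "show" ]; then
    ban_set_create_cmd denied_telnet 3600
    ban_rules_fragment 23 denied_telnet 203.0.113.10
fi
```

Run it with `show` to see the exact rules, then `ban_apply 23 denied_telnet YOUR_ADDRESS 3600` from a root shell once you are happy with them; `ipset list denied_telnet | ban_member_count` gives a quick count of the current bans without scrolling through the member list.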

Now go out and grab a coffee, and when you come back, you may be quite surprised just how many IPs have been banned. This is the output after approximately 15 minutes on my Linode VPS

root@kvm03-nyc:~# ipset list denied_telnet
Name: denied_telnet
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 576
References: 2
Members:
39.36.89.xxx
117.6.218.xxx
122.116.233.xxx
59.127.102.xxx
123.115.195.xx
192.168.33.xx
200.75.105.xx
95.54.43.xxx
200.58.176.xx
111.125.232.xx
root@kvm03-nyc:~# 

In my next post, I will discuss ways in which we can log and audit these connection attempts, and put these rules into their own iptables chain.
