In my last post, we introduced ipset and how it can be used to create aggregated rules for multiple source/destination parameters.

Now we will look at how we can create a set of ip addresses who have attempted to connect to the telnet port and block further connections from them. This is a proactive approach and it's quite fun watching how quickly the list grows.

We start by creating the set:
Note we set a timeout of 3600 (1hr)

ipset create denied_telnet hash:ip timeout 3600

Next we create a rule to add telnet connections to the set

 -A INPUT -p tcp -m tcp --dport 23 -m conntrack --ctstate NEW -j SET --add-set denied_telnet src

Then we block everything* from that set (it may be a good idea to exclude your home ip just in case you lock yourself out).

-A INPUT -m set --match-set denied_telnet src -j DROP

Now go out and grab a coffee, and when you come back, you may be quite surprised just how many IPs have been banned. This is the output after approximately 15 minutes on my Linode VPS

root@kvm03-nyc:~# ipset list denied\_telnet
Name: denied\_telnet
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 576
References: 2
Members:
39.36.89.xxx
117.6.218.xxx
122.116.233.xxx
59.127.102.xxx
123.115.195.xx
192.168.33.xx
200.75.105.xx
95.54.43.xxx
200.58.176.xx
111.125.232.xx
root@kvm03-nyc:~# 

In my next post, I will discuss ways in which we can log and audit these connection attempt, and putting these rules into their own iptable chain.