IPset: Automatic Blocking of Portscans
In my last post, we introduced ipset and how it can be used to create aggregated rules for multiple source/destination parameters.
Now we will look at how we can create a set of ip addresses who have attempted to connect to the telnet port and block further connections from them. This is a proactive approach and it's quite fun watching how quickly the list grows.
We start by creating the set:
Note we set a timeout of 3600 (1hr)
ipset create denied_telnet hash:ip timeout 3600
Next we create a rule to add telnet connections to the set
-A INPUT -p tcp -m tcp --dport 23 -m conntrack --ctstate NEW -j SET --add-set denied_telnet src
Then we block everything* from that set (it may be a good idea to exclude your home ip just in case you lock yourself out).
-A INPUT -m set --match-set denied_telnet src -j DROP
Now go out and grab a coffee, and when you come back, you may be quite surprised just how many IPs have been banned. This is the output after approximately 15 minutes on my Linode VPS
root@kvm03-nyc:~# ipset list denied\_telnet
Name: denied\_telnet
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 576
References: 2
Members:
39.36.89.xxx
117.6.218.xxx
122.116.233.xxx
59.127.102.xxx
123.115.195.xx
192.168.33.xx
200.75.105.xx
95.54.43.xxx
200.58.176.xx
111.125.232.xx
root@kvm03-nyc:~#
In my next post, I will discuss ways in which we can log and audit these connection attempt, and putting these rules into their own iptable chain.