In my last post, we introduced ipset and how it can be used to create aggregated rules for multiple source/destination parameters.
Now we will look at how we can build a set of IP addresses that have attempted to connect to the telnet port (TCP 23) and block further connections from them. This is a proactive approach, and it's quite fun watching how quickly the list grows.
We start by creating the set. Note that the timeout is given in seconds, so 3600 means each entry expires one hour after it is added:

```
ipset create denied_telnet hash:ip timeout 3600
```
Next we add a rule that puts the source address of every new connection to TCP port 23 into the set. The rules here are in iptables-save syntax; to add one interactively, prefix it with `iptables`:

```
-A INPUT -p tcp -m tcp --dport 23 -m conntrack --ctstate NEW -j SET --add-set denied_telnet src
```
Then we block everything from that set. It may be a good idea to exclude your home IP first, just in case you lock yourself out:

```
-A INPUT -m set --match-set denied_telnet src -j DROP
```
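The three steps above wrapped into a small script, as an added example that is not code from the original post: it generates the `ipset create` command and the two rules (with the set name, port and timeout as parameters defaulting to the values used here), adds an optional exception for an administrator address so you are never trapped by your own rule, and includes a helper that counts the members in `ipset list` output so the growth of the ban list can be checked from a script. The administrator address and the sample `ipset list` output in the test are constructed placeholders, and `apply_rules` is only run when you explicitly ask for it.

```shell
#!/bin/sh
# Added example, not code from the original post: wraps the three steps
# (create the set, trap new telnet connections, drop everything from the set)
# in reusable functions, adds an exception for an administrator address so a
# mistyped rule cannot lock you out, and parses "ipset list" output so the
# size of the ban list can be checked from a script.
# Set name, port and timeout default to the values used in the post.

SET_NAME="${SET_NAME:-denied_telnet}"
TRAP_PORT="${TRAP_PORT:-23}"
BAN_SECONDS="${BAN_SECONDS:-3600}"   # ipset timeouts are in seconds

# The "ipset create" command. "-exist" makes it safe to re-run: creating a
# set that already exists with the same parameters is then not an error.
ipset_create_cmd() {
    printf '%s\n' "ipset create $SET_NAME hash:ip timeout $BAN_SECONDS -exist"
}

# The two iptables rules, in iptables-save syntax.
# $1 (optional): a hypothetical admin address (e.g. your home IP) that must
# never be trapped or dropped. It is accepted before the trap rule, so it can
# never end up in the set in the first place. Note this whitelists that host
# for all of INPUT, which is the simple form of "exclude your home IP".
trap_rules() {
    admin="${1:-}"
    if [ -n "$admin" ]; then
        printf '%s\n' "-A INPUT -s $admin -j ACCEPT"
    fi
    # Only NEW connections are recorded, so a single SYN is enough to be listed.
    printf '%s\n' "-A INPUT -p tcp -m tcp --dport $TRAP_PORT -m conntrack --ctstate NEW -j SET --add-set $SET_NAME src"
    # Drop every packet, on any port, whose source address is in the set.
    printf '%s\n' "-A INPUT -m set --match-set $SET_NAME src -j DROP"
}

# Count the members in "ipset list <set>" output read from stdin: every
# non-empty line after "Members:" is one entry (with a timeout the line
# reads e.g. "198.51.100.4 timeout 3412", which is still one entry).
count_members() {
    awk '/^Members:/ { in_members = 1; next }
         in_members && NF { n++ }
         END { print n + 0 }'
}

# Apply the generated commands on a live host (needs root, ipset, iptables).
# Never run automatically; invoke as "./trap_telnet.sh apply [admin-ip]".
apply_rules() {
    sh -c "$(ipset_create_cmd)"
    trap_rules "$@" | while IFS= read -r rule; do
        # Word-splitting the rule line into iptables arguments is intended.
        # shellcheck disable=SC2086
        iptables $rule
    done
}

case "${1:-}" in
    show)  ipset_create_cmd; trap_rules "${2:-}" ;;
    apply) apply_rules "${2:-}" ;;
    count) ipset list "$SET_NAME" | count_members ;;
esac
```

Run `./trap_telnet.sh show 203.0.113.7` to print the commands for review before applying anything; `./trap_telnet.sh count` can be put in cron to record how fast the list grows.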
Now go out and grab a coffee, and when you come back, you may be quite surprised just how many IPs have been banned. This is the output after approximately 15 minutes on my Linode VPS:
```
root@kvm03-nyc:~# ipset list denied_telnet
Name: denied_telnet
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 576
References: 2
Members:
39.36.89.xxx
117.6.218.xxx
122.116.233.xxx
59.127.102.xxx
123.115.195.xx
192.168.33.xx
200.75.105.xx
95.54.43.xxx
200.58.176.xx
111.125.232.xx
root@kvm03-nyc:~#
```
In my next post, I will discuss ways in which we can log and audit these connection attempts, and put these rules into their own iptables chain.