[SOLVED] Auto block IP via iptables after certain number of failed attempts
Hey guys. I'm not an iptables master, let me get that out of the way first.
We have an FTP server that I'm told, if someone tries to log in to it X amount of times unsuccessfully, blocks them in iptables, but if you restart iptables it clears out those blocks, so they must just be kept in memory rather than being written to a file, I'm assuming.
I'm looking at the server though, but I don't see where/how that's set up. Any ideas where I should look for something like that?
There could be several programs that work as you describe. fail2ban is one that I use. If it is installed, the config files are probably somewhere in /etc. Mine are in /etc/fail2ban. Look for a fail2ban log file. Mine is /var/log/fail2ban. Other configurations are possible, of course. Issue "which fail2ban-client" and it'll tell you if it's in your path.
You can list your iptables with "iptables -nL". If fail2ban is installed, you will see one or more custom chains that it adds, and the banned IPs will show up under one of them.
The banned IPs disappear when you boot your system because your iptables firewall gets rebuilt. I made some changes to fail2ban to preserve all IPs banned for ssh violations. It runs as part of fail2ban after it starts up following a boot, so I never lose my banned IPs.
LOG
    Turn on kernel logging of matching packets. When this option is set for a rule, the Linux kernel will print some information on all matching packets (like most IP header fields) via the kernel log (where it can be read with dmesg or syslogd(8)). This is a "non-terminating target", i.e. rule traversal continues at the next rule. So if you want to LOG the packets you refuse, use two separate rules with the same matching criteria, first using target LOG then DROP (or REJECT).

    --log-level level
        Level of logging (numeric or see syslog.conf(5)).
    --log-prefix prefix
        Prefix log messages with the specified prefix; up to 29 letters long, and useful for distinguishing messages in the
    --log-tcp-sequence
        Log TCP sequence numbers. This is a security risk if the log is readable by users.
    --log-tcp-options
        Log options from the TCP packet header.
    --log-ip-options
        Log options from the IP packet header.
    --log-uid
        Log the userid of the process which generated the packet.
So you would duplicate the rule and specify -j LOG on the first one instead of the DROP target. The LOG target will cause the packet to be logged; the next rule (your current one) will DROP if the conditions are met.
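The following is an added example, not code posted in this thread. It builds the LOG-then-DROP rule pair described in the reply above for one banned source address, then shows what a defender gets out of it: a per-source hit count read from the kernel log lines the LOG target writes, and the list of currently dropped sources read from "iptables -nL" output, as suggested in the fail2ban reply. The chain name, the log prefix, and the sample log and listing text are constructed for the example; the rule-building function only prints the commands, so nothing here touches a live firewall.

```shell
#!/bin/sh
# Added example (not from the thread). Builds the LOG + DROP rule pair for a
# banned source, counts hits per source from LOG output, and lists dropped
# sources from "iptables -nL" output. All sample text below is constructed.

LOG_PREFIX="FTP-DROP "   # constructed prefix, at most 29 characters

# Print the two commands for one banned source: LOG first (non-terminating,
# so traversal continues), then DROP with the same match. Run them as root.
log_and_drop_rules() {
    src=$1
    chain=${2:-INPUT}
    printf 'iptables -A %s -s %s -j LOG --log-prefix "%s" --log-level 4\n' "$chain" "$src" "$LOG_PREFIX"
    printf 'iptables -A %s -s %s -j DROP\n' "$chain" "$src"
}

# Constructed kernel log lines in the shape the LOG target produces (what you
# would see in dmesg or the syslog file). The last line is unrelated noise.
SAMPLE_LOG='Mar  3 10:15:02 ftp1 kernel: FTP-DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1234 DF PROTO=TCP SPT=51234 DPT=21 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:07 ftp1 kernel: FTP-DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1235 DF PROTO=TCP SPT=51235 DPT=21 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:16:40 ftp1 kernel: FTP-DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=777 DF PROTO=TCP SPT=40001 DPT=21 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:17:01 ftp1 kernel: martian source 10.0.0.9 from 10.0.0.1, on dev eth0'

# Count logged packets per SRC address, only for lines carrying our prefix.
# Reads the log on stdin; prints "count address", highest count first.
count_logged_sources() {
    awk -v p="$1" '
        index($0, p) {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) hits[substr($i, 5)]++
        }
        END { for (ip in hits) print hits[ip], ip }
    ' | sort -rn
}

# Constructed "iptables -nL" output containing the rule pair for one source.
SAMPLE_RULES='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
LOG        all  --  203.0.113.5          0.0.0.0/0            LOG flags 0 level 4 prefix "FTP-DROP "
DROP       all  --  203.0.113.5          0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:21'

# List source addresses that currently hit a DROP rule with a specific source.
# Reads "iptables -nL" output on stdin. Live box: iptables -nL | blocked_sources
blocked_sources() {
    awk '$1 == "DROP" && $4 != "0.0.0.0/0" { print $4 }' | sort -u
}

# Demonstration run on the constructed samples.
log_and_drop_rules 203.0.113.5
printf '%s\n' "$SAMPLE_LOG" | count_logged_sources "$LOG_PREFIX"
printf '%s\n' "$SAMPLE_RULES" | blocked_sources
```

The log parser keys on the prefix rather than on "kernel:" so that unrelated kernel messages (the martian-source line in the sample) are not counted; that is the practical reason to always set --log-prefix on a LOG rule. The counters that "iptables -nL -v" adds would also show whether a DROP rule is actually matching, but the log lines are the only record that survives a rule flush.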
Oh ok, I get it now: so the first line purely logs it, then the next one actually drops them. So then if something gets blocked, does it only show up in the log file, or can I run iptables with some switch to see what's blocked, since I think these only block until iptables restarts?