Tell me, please: I decided to try to protect my server. I stumbled upon ipset. I found an example:

 ipset -N blacklist iphash
 iptables -A INPUT -p tcp -m tcp --dport 80 -m set --set blacklist src -j DROP

It works, but I do not understand what it does; does it ban IPs? If so, is it possible to see the list? Or how can you implement it so that if iptables finds a bot, its IP gets banned?

  • @avengerweb, if you have been given an exhaustive answer, mark it as accepted. - Deleted

1 answer

You have created a blacklist hash; it is empty. The iptables rule will block everyone in the blacklist hash who connects to your host on port 80. If the source IP is in the hash, it will be DROPped. To check who is in the hash:

ipset -L blacklist

To add to the hash:

ipset -A blacklist 1.1.1.1

This is all nice and convenient, but you will have to edit the list by hand, putting each IP into the hash table. I.e. it is not an automated tool.

Another example of how to organize some kind of protection with little effort: use the limit module.

Create a chain:

iptables -N dummy_bot

Send into it those who connect to port 80:

iptables -A INPUT -p tcp --dport 80 --syn -j dummy_bot

Suppose that a bot will make more than 5 requests in 10 seconds; then:

iptables -A dummy_bot -m limit --limit 30/minute --limit-burst 6 -j RETURN   # 5 per 10 s = 30/minute; the limit module only accepts /second, /minute, /hour, /day

If it does not exceed the limit, the action is RETURN.

And if it exceeds it, then:

iptables -A dummy_bot -j DROP

We drop those.

  • Could you tell me how to automate this process? - avengerweb 1:58 pm
  • First you need to set out the requirements: it is not clear what the bots are, how to distinguish them from ordinary users, or what the criterion of "bot-ness" will be. - pyatak
  • Yes, just by the number of connections. I still do not really understand this; at least tell me how you can write to the banlist. - avengerweb
  • Banning brute-forcers on port 22 this way... you can read about fail2ban; it describes the principles of operation, and everything is automated. - thunder
  • Nevertheless, how can I add addresses to ipset automatically? - avengerweb
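As an added example that is not part of the original thread: the script below ties the two answers together. It generates the ipset blacklist and the dummy_bot limit chain, but instead of dropping offenders silently it logs them first (an iptables LOG rule with a prefix of my choosing, "DUMMY_BOT: "), then parses those kernel log lines and turns the SRC= addresses into ipset add commands with a timeout so bans expire on their own. It assumes ipset v6 syntax (hash:ip, timeout) and the -m set --match-set form, which replaced the iphash / --set spelling used in the question; the set name, prefix and the sample log lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# Assumptions: ipset v6 (hash:ip with timeout), iptables -m set --match-set,
# a LOG rule tagged with LOG_PREFIX. Set name and prefix are my choice.

SET_NAME=blacklist
LOG_PREFIX="DUMMY_BOT: "

# Print the commands that build the set and the chain; nothing is executed here.
# 5 requests per 10 s is written as 30/minute because the limit module only
# understands /second, /minute, /hour and /day.
ruleset() {
    cat <<EOF
ipset create $SET_NAME hash:ip timeout 3600 -exist
iptables -A INPUT -p tcp --dport 80 -m set --match-set $SET_NAME src -j DROP
iptables -N dummy_bot
iptables -A INPUT -p tcp --dport 80 --syn -j dummy_bot
iptables -A dummy_bot -m limit --limit 30/minute --limit-burst 6 -j RETURN
iptables -A dummy_bot -m limit --limit 1/minute -j LOG --log-prefix "$LOG_PREFIX"
iptables -A dummy_bot -j DROP
EOF
}

# Read kernel log lines on stdin, keep those carrying our prefix, and print
# each SRC= IPv4 address once.
offenders_from_log() {
    grep -F "$LOG_PREFIX" | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' | sort -u
}

# Turn one address per line (stdin) into ipset commands; -exist makes a repeat
# add refresh the timeout instead of failing.
ban_commands() {
    while read -r ip; do
        printf 'ipset add %s %s timeout 3600 -exist\n' "$SET_NAME" "$ip"
    done
}

# Constructed sample of what the LOG rule writes to the kernel log (plus an
# unrelated line that must be ignored).
SAMPLE_LOG='Mar  1 12:00:01 host kernel: DUMMY_BOT: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=80 SYN
Mar  1 12:00:02 host kernel: DUMMY_BOT: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51235 DPT=80 SYN
Mar  1 12:00:03 host sshd[123]: Accepted publickey for admin from 198.51.100.5
Mar  1 12:00:04 host kernel: DUMMY_BOT: IN=eth0 OUT= SRC=198.51.100.44 DST=192.0.2.10 PROTO=TCP SPT=4000 DPT=80 SYN'

# Without arguments: dry run, print the ruleset and the bans derived from the
# sample. With --apply (root): install the ruleset for real.
case "${1:-}" in
  --apply) ruleset | sh ;;
  *)       ruleset; printf '%s\n' "$SAMPLE_LOG" | offenders_from_log | ban_commands ;;
esac
```

On a live host the feed is the kernel log rather than the sample, e.g. `journalctl -k -f | offenders_from_log | ban_commands | sh` (run as root); the second limit rule in the chain keeps the LOG target from flooding the log, and the timeout on the set means a mis-banned client is released after an hour without anyone editing the list by hand.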