CSF is able to detect them and block them according to the logs, from what I can see in the /var/log/syslog file, as the attacking IPs are there. Yet CSF is not doing its job, and the attacks are able to penetrate and do their job of making the network to the machine inaccessible. I am able to regain access to the machine if I log in remotely to it via KVM and block the attacking IP manually via iptables every time. So the requests aren't overwhelming the NIC.
Instead of logging about the IP getting TCP_IN/UDP_IN blocked, I would like to block/timeout the IPs triggering these events via iptables for a few minutes. How do I do this?
iptables -w -I INPUT -s <IP> -j DROP
Mar 30 16:21:01 gs kernel: [337999.906001] Firewall: *TCP_IN Blocked* IN=enp0s31f6 OUT= MAC=90:1b:0e:fb:a7:3c:2c:21:31:28:a6:57:08:00 SRC=20.162.114.38 DST=78.46.33.4 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=27334 PROTO=TCP SPT=44600 DPT=19278 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 30 16:21:02 gs kernel: [338000.335225] Firewall: *UDP_IN Blocked* IN=enp0s31f6 OUT= MAC=90:1b:0e:fb:a7:3c:2c:21:31:28:a6:57:08:00 SRC=141.95.22.152 DST=78.46.33.4 LEN=374 TOS=0x00 PREC=0x00 TTL=52 ID=15439 DF PROTO=UDP SPT=17664 DPT=9216 LEN=39309
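One way to turn those `*TCP_IN Blocked*` / `*UDP_IN Blocked*` kernel log lines into a temporary drop, as an added example that is not part of the original post and not CSF's own code: parse the `SRC=` field out of each event, count hits per source, and place offenders in an ipset with a timeout so the entries expire by themselves after a few minutes. The ipset name `csf_tmpblock`, the threshold, and the five-minute default are assumptions; the two log lines are constructed copies of the ones in the post. The script prints the commands by default and only runs them with `--apply`.

```python
"""Parse CSF/lfd 'Firewall: *TCP_IN Blocked*' syslog lines and emit ipset/iptables
commands that drop the source IPs for a limited time (entries expire via ipset timeout).
Added example, not the project's code. Assumes iptables with the 'set' match and ipset
are installed; the set name and defaults below are arbitrary choices."""
import argparse
import re
import subprocess
from collections import Counter

# Constructed sample input modelled on the two lines quoted in the post.
SAMPLE_LOG = (
    "Mar 30 16:21:01 gs kernel: [337999.906001] Firewall: *TCP_IN Blocked* IN=enp0s31f6 OUT= "
    "MAC=90:1b:0e:fb:a7:3c:2c:21:31:28:a6:57:08:00 SRC=20.162.114.38 DST=78.46.33.4 LEN=40 "
    "TOS=0x00 PREC=0x00 TTL=240 ID=27334 PROTO=TCP SPT=44600 DPT=19278 WINDOW=1024 RES=0x00 SYN URGP=0",
    "Mar 30 16:21:02 gs kernel: [338000.335225] Firewall: *UDP_IN Blocked* IN=enp0s31f6 OUT= "
    "MAC=90:1b:0e:fb:a7:3c:2c:21:31:28:a6:57:08:00 SRC=141.95.22.152 DST=78.46.33.4 LEN=374 "
    "TOS=0x00 PREC=0x00 TTL=52 ID=15439 DF PROTO=UDP SPT=17664 DPT=9216 LEN=39309",
    "Mar 30 16:21:03 gs sshd[1234]: Accepted publickey for admin from 10.0.0.5 port 51234",  # unrelated line
)

# Fields appear in this order in netfilter LOG output: SRC= ... PROTO= ... DPT=
EVENT_RE = re.compile(
    r"Firewall: \*(?P<kind>TCP_IN|UDP_IN) Blocked\*.*?\bSRC=(?P<src>[0-9a-fA-F.:]+)\b"
    r".*?\bPROTO=(?P<proto>\w+)\b.*?\bDPT=(?P<dpt>\d+)\b"
)


def parse_blocked_events(lines):
    """Return one dict per blocked-packet event; lines that are not such events are skipped."""
    events = []
    for line in lines:
        m = EVENT_RE.search(line)
        if m:
            events.append({"kind": m["kind"], "src": m["src"],
                           "proto": m["proto"], "dpt": int(m["dpt"])})
    return events


def offenders(events, threshold=1):
    """Sorted list of source IPs that triggered at least `threshold` blocked events."""
    counts = Counter(e["src"] for e in events)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def block_commands(ips, minutes=5, setname="csf_tmpblock"):
    """Commands that create a timeout-capable ipset, hook it into INPUT once, and add each IP.
    `-exist` makes create/add idempotent; re-adding an IP simply refreshes its timeout."""
    ttl = minutes * 60
    cmds = [
        f"ipset create {setname} hash:ip timeout {ttl} -exist",
        # Insert the DROP rule only if it is not already present (-C checks, -I inserts).
        f"iptables -w -C INPUT -m set --match-set {setname} src -j DROP"
        f" || iptables -w -I INPUT -m set --match-set {setname} src -j DROP",
    ]
    cmds.extend(f"ipset add {setname} {ip} timeout {ttl} -exist" for ip in ips)
    return cmds


def run(cmds, apply=False):
    """Print the commands, or execute them via the shell when apply=True (needs root)."""
    for c in cmds:
        print(c)
        if apply:
            subprocess.run(c, shell=True, check=True)


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="Temporarily drop IPs seen in CSF 'Blocked' log lines")
    ap.add_argument("logfile", nargs="?", help="syslog file to scan; omitted = built-in sample")
    ap.add_argument("--minutes", type=int, default=5)
    ap.add_argument("--threshold", type=int, default=1, help="blocked events needed before dropping")
    ap.add_argument("--apply", action="store_true", help="actually run ipset/iptables")
    args = ap.parse_args()
    if args.logfile:
        with open(args.logfile, errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG
    ips = offenders(parse_blocked_events(lines), args.threshold)
    run(block_commands(ips, args.minutes), args.apply)
```

Because CSF rebuilds its own chains on restart, the `iptables ... --match-set ... -j DROP` rule may not survive a `csf -r`; one assumption-free way to keep it is to re-run the two setup commands from whatever hook you already use after CSF reloads. Raising `--threshold` avoids dropping a source on a single stray packet.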