Hi, I'm looking at logs and finding that source IPs are looking for trouble, but they are spreading their attack to a couple of tries over a spread of minutes. Cannot find a way in the csf config to set a ban for this. Here is a sample of the syslog to show what I'm seeing (pruned the log down for viewing):
15:17:26 xx krnl: [ 2859.106810] Firewall: *TCP_IN Blocked* IN=eth0MAC=zz:zz SRC=m:m DST=x:x PROTO=TCP SPT=48967 DPT=40032
15:17:28 xx krnl: [ 2861.146516] Firewall: *TCP_IN Blocked* IN=eth0MAC=zz:zz SRC=m:m DST=x:x PROTO=TCP SPT=48967 DPT=40015
15:18:19 xx krnl: [ 2912.453396] Firewall: *TCP_IN Blocked* IN=eth0MAC=zz:zz SRC=m:m DST=x:x PROTO=TCP SPT=48967 DPT=40030
15:18:39 xx krnl: [ 2932.549276] Firewall: *TCP_IN Blocked* IN=eth0MAC=zz:zz SRC=m:m DST=x:x PROTO=TCP SPT=48967 DPT=40095
15:18:59 xx krnl: [ 2951.939513] Firewall: *TCP_IN Blocked* IN=eth0MAC=zz:zz SRC=m:m DST=x:x PROTO=TCP SPT=48967 DPT=40040
15:19:41 xx krnl: [ 2994.367382] Firewall: *TCP_IN Blocked* IN=eth0MAC=zz:zz SRC=m:m DST=x:x PROTO=TCP SPT=48967 DPT=40066
15:20:04 xx krnl: [ 3016.784083] Firewall: *TCP_IN Blocked* IN=eth0MAC=zz:zz SRC=m:m DST=x:x PROTO=TCP SPT=48967 DPT=40063
15:20:04 xx krnl: [ 3017.083965] Firewall: *TCP_IN Blocked* IN=eth0MAC=zz:zz SRC=m:m DST=x:x PROTO=TCP SPT=48967 DPT=40006
15:20:13 xx krnl: [ 3026.111633] Firewall: *TCP_IN Blocked* IN=eth0MAC=zz:zz SRC=m:m DST=x:x PROTO=TCP SPT=48967 DPT=40037
Same IP, 9 attempts over 3 minutes, SPT attack on same port.
Looking to have IP ban control over 'x' number of tries, over 'y' amount of time, for both TCP and UDP.
Any help or direction is appreciated.
Many thanks,
Dan
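The counting Dan is asking for (x blocked hits from one source within a sliding window of y seconds, any protocol) can be checked offline against the kernel log before touching the firewall config. The script below is an added example and not part of the original post or of CSF; it parses lines shaped like the excerpt above (constructed sample, with documentation-range addresses in place of the redacted ones), keeps a per-source sliding window of hit times, and reports the first moment a source crosses the threshold. The sliding window matters for exactly the case in the post: nine hits spread over three minutes never exceed a per-minute bucket, but they do exceed "9 in 180 s" when the window slides with each hit. Lines that are not firewall block messages are skipped, and a timestamp that goes backwards is treated as a midnight rollover.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample modelled on the post's excerpt; addresses are from the
# documentation ranges, not real hosts. Nine TCP hits from one source over
# roughly three minutes, one UDP hit from another source, one unrelated line.
SAMPLE_LOG = """\
15:17:26 host kernel: [ 2859.106810] Firewall: *TCP_IN Blocked* IN=eth0 MAC=zz:zz SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=48967 DPT=40032
15:17:28 host kernel: [ 2861.146516] Firewall: *TCP_IN Blocked* IN=eth0 MAC=zz:zz SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=48967 DPT=40015
15:18:19 host kernel: [ 2912.453396] Firewall: *TCP_IN Blocked* IN=eth0 MAC=zz:zz SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=48967 DPT=40030
15:18:39 host kernel: [ 2932.549276] Firewall: *TCP_IN Blocked* IN=eth0 MAC=zz:zz SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=48967 DPT=40095
15:18:59 host kernel: [ 2951.939513] Firewall: *TCP_IN Blocked* IN=eth0 MAC=zz:zz SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=48967 DPT=40040
15:19:41 host kernel: [ 2994.367382] Firewall: *TCP_IN Blocked* IN=eth0 MAC=zz:zz SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=48967 DPT=40066
15:20:04 host kernel: [ 3016.784083] Firewall: *TCP_IN Blocked* IN=eth0 MAC=zz:zz SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=48967 DPT=40063
15:20:04 host kernel: [ 3017.083965] Firewall: *TCP_IN Blocked* IN=eth0 MAC=zz:zz SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=48967 DPT=40006
15:20:13 host kernel: [ 3026.111633] Firewall: *TCP_IN Blocked* IN=eth0 MAC=zz:zz SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=48967 DPT=40037
15:20:20 host kernel: [ 3033.000000] Firewall: *UDP_IN Blocked* IN=eth0 MAC=zz:zz SRC=198.51.100.4 DST=192.0.2.10 PROTO=UDP SPT=5060 DPT=5060
15:20:21 host sshd[123]: unrelated line that the parser must skip
"""

# Only the fields needed for the decision: time, chain, source, protocol, port.
# Non-greedy .*? tolerates the "IN=eth0MAC=" gluing seen in the original excerpt.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d).*?Firewall: \*(?P<chain>\w+) Blocked\*"
    r".*?SRC=(?P<src>\S+).*?PROTO=(?P<proto>\w+).*?DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return a dict for a firewall block line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    # syslog carries no date here; 1900-01-01 is fine for differences
    ev["ts"] = datetime.strptime(ev["ts"], "%H:%M:%S")
    ev["dpt"] = int(ev["dpt"])
    return ev


def find_bans(lines, limit=5, window_seconds=300):
    """Sliding-window counter: ban a source the first time it reaches `limit`
    blocked hits within the last `window_seconds`. Returns a list of
    (src, proto_of_triggering_hit, time_str, hits_in_window)."""
    hits = defaultdict(deque)      # src -> timestamps of recent hits
    banned = set()
    decisions = []
    last_ts, day_offset = None, timedelta(0)
    for ev in map(parse_line, lines):
        if ev is None:
            continue
        ts = ev["ts"]
        if last_ts is not None and ts < last_ts:   # clock went backwards: midnight rollover
            day_offset += timedelta(days=1)
        last_ts = ts
        ts += day_offset
        src = ev["src"]
        if src in banned:
            continue                              # already decided, nothing more to count
        q = hits[src]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()                           # expire hits older than the window
        if len(q) >= limit:
            banned.add(src)
            decisions.append((src, ev["proto"], ts.strftime("%H:%M:%S"), len(q)))
    return decisions


if __name__ == "__main__":
    for src, proto, when, n in find_bans(SAMPLE_LOG.splitlines(), limit=9, window_seconds=180):
        print(f"ban {src}: {n} blocked {proto} hits by {when} within 180 s")
```

Run with the thresholds from the post (limit 9, window 180 s) and the single TCP source is flagged at 15:20:13; with a 60-second window the same nine hits never reach five in-window and nothing is flagged, which is why a fixed-bucket count misses this pattern. Within CSF itself, the closest built-in counterpart to this counter is the Port Scan Tracking section of csf.conf (PS_INTERVAL and PS_LIMIT), which counts blocked packets per source over an interval rather than login failures.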
Ban an IP, not just Block
Re: Ban an IP, not just Block
In CSF check:
Login Failure Blocking and Alerts
Sergio