How to ban Syn Flood Attacks using Fail2Ban?
I came up with another solution for this and it seems to be working so far. Basically, I have written a filter that scans through the log and blocks all rogue IP addresses that have been dropped for various reasons in the given findtime. So this filter will block the IPs that have been dropped due to SYN, Xmas attacks, port scans, etc. - whatever is listed in your iptables rules. In other words, it blocks the ones that keep showing up in the iptables block list for various reasons.
```ini
[iptables-dropped]
enabled   = true
filter    = iptables-dropped
banaction = iptables-allports
port      = all
logpath   = /var/log/messages
bantime   = 1800
maxretry  = 3
```

```ini
[Definition]
failregex = IPTables Dropped: .* SRC=<HOST>
ignoreregex =
```
Make sure you log the dropped IPs like this in the iptables rules so the above filter works:
```bash
# log iptables denied calls (access via 'dmesg' command) to /var/log/messages file
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A LOGGING -m limit --limit 5/min -j LOG --log-prefix "IPTables Dropped: " --log-level 4
iptables -A LOGGING -j DROP
```
The above seems to work for me.
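To see what the jail above actually does with the kernel log lines the LOGGING chain produces, here is an added example (not part of the original answer, and not Fail2Ban's own code) that applies the same `failregex` to a few constructed `/var/log/messages` lines and reports which source IPs would be banned under `maxretry = 3`. The sliding `findtime` window is assumed to be 600 seconds, Fail2Ban's default, since the jail does not set one; the log year, hostname and the documentation-range addresses in the sample lines are all made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The answer's failregex, with Fail2Ban's <HOST> tag expanded to an IPv4
# capture group (Fail2Ban performs an equivalent substitution internally).
FAILREGEX = re.compile(r"IPTables Dropped: .* SRC=(?P<host>\d{1,3}(?:\.\d{1,3}){3})")

# Syslog-style timestamp at the start of each /var/log/messages line.
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) ")

# Constructed sample log (not real data); the year is an assumption.
SAMPLE_LOG = [
    "Mar 12 10:00:01 host kernel: IPTables Dropped: IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=4444 DPT=22 FLAGS=SYN",
    "Mar 12 10:00:05 host kernel: IPTables Dropped: IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=4445 DPT=80 FLAGS=SYN",
    "Mar 12 10:03:00 host kernel: IPTables Dropped: IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=1 DPT=23 FLAGS=FIN PSH URG",
    "Mar 12 10:04:30 host kernel: IPTables Dropped: IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=4446 DPT=443 FLAGS=SYN",
    "Mar 12 10:10:00 host sshd[1234]: Accepted publickey for admin from 192.0.2.50 port 50000",
    "Mar 12 10:30:00 host kernel: IPTables Dropped: IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=203.0.113.9 DST=192.0.2.10 PROTO=UDP SPT=53 DPT=161",
    "Mar 12 10:50:00 host kernel: IPTables Dropped: IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=4447 DPT=25 FLAGS=SYN",
]


def parse_line(line, year=2024):
    """Return (timestamp, source_ip) for a line the filter matches, else None."""
    ts_match = TS_RE.match(line)
    fail = FAILREGEX.search(line)
    if not ts_match or not fail:
        return None
    ts = datetime.strptime(f"{year} {ts_match.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, fail.group("host")


def find_bans(lines, maxretry=3, findtime=600):
    """Replay the log and return {ip: time_of_ban} for every IP whose
    matching lines reach maxretry within a sliding window of findtime seconds.
    Once an IP is banned, later lines for it are ignored (it is already blocked)."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)  # ip -> timestamps of matches inside the window
    banned = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip = parsed
        if ip in banned:
            continue
        hits = recent[ip]
        hits.append(ts)
        # Drop matches that have aged out of the findtime window.
        while hits and ts - hits[0] > window:
            hits.popleft()
        if len(hits) >= maxretry:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG).items():
        print(f"{ip} would be banned at {when.isoformat()}")
```

Running this shows only 198.51.100.7 being banned (third drop at 10:04:30, inside the window); 203.0.113.9 is dropped twice, but 27 minutes apart, so it never reaches `maxretry` within `findtime`. Against the real filter file, `fail2ban-regex /var/log/messages /etc/fail2ban/filter.d/iptables-dropped.conf` gives the same kind of match count before you enable the jail, which is worth doing because the `-m limit --limit 5/min` on the LOG rule means a flood that exceeds that rate is only partially logged, so ban timing depends on how many drops actually reach the log.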