How to ban Syn Flood Attacks using Fail2Ban?

I came up with another solution for this and it seems to be working so far. Basically, I have written a filter that scans through the log and block all rogue IP addresses that has been dropped for various reasons in the given findtime. So this filter will block the IPs that has been dropped due to Syn, Xmas attacks, Port scan, etc. - whatever is listed in your iptables rules. In order words, it blocks the ones which keeps showing up in iptables block list for various reasons.

Jail.local

[iptables-dropped]

enabled = true
filter = iptables-dropped
banaction = iptables-allports
port = all
logpath = /var/log/messages
bantime = 1800
maxretry = 3

FILTER: iptables-dropped.conf

[Definition]
failregex = IPTables Dropped: .* SRC=<HOST>
ignoreregex =

Make sure you log the dropped IPs like this in the iptables rules so the above filter works:

# log iptables denied calls (access via 'dmesg' command) to /var/log/messages file
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A LOGGING -m limit --limit 5/min -j LOG --log-prefix "IPTables Dropped: " --log-level 4
iptables -A LOGGING -j DROP

The above seems to work for me.

How to ban Syn Flood Attacks using Fail2Ban?

Tags:

Firewall

Debian

Iptables

Fail2Ban

Syn

Related

Recent Posts