Hi, I have set up an iptables firewall, logging all break-in attempts to kernlog.
I made a fail2ban rule matching these attempts:

failregex = ^%(__prefix_line)s\[MYFW BLOCK\] IN=eth0 OUT= MAC=%(__machex)s SRC=<HOST>

and a corresponding jail with findtime and bantime 3600. This works quite well, but sometimes I still see massive portscan attempts like this one:

Feb 20 07:23:38 server kernel: [1958395.614371] [MYFW BLOCK] IN=eth0 OUT= MAC=52:54:a2:01:b9:0e:d2:74:7f:6e:37:e3:86:dd SRC=2001:0470:1f09:0a6f:021f:d0ff:fe27:a097 DST=xxxx:xxxx:xxxx:xxxx:0000:0000:0000:0002 LEN=80 TC=0 HOPLIMIT=1 FLOWLBL=799921 PROTO=UDP SPT=33199 DPT=33470 LEN=40
Feb 20 07:23:38 server kernel: [1958395.621421] [MYFW BLOCK] IN=eth0 OUT= MAC=52:54:a2:01:b9:0e:d2:74:7f:6e:37:e3:86:dd SRC=2001:0470:1f09:0a6f:021f:d0ff:fe27:a097 DST=xxxx:xxxx:xxxx:xxxx:0000:0000:0000:0002 LEN=80 TC=0 HOPLIMIT=2 FLOWLBL=936175 PROTO=UDP SPT=36273 DPT=33475 LEN=40
Feb 20 07:23:38 server kernel: [1958395.625245] [MYFW BLOCK] IN=eth0 OUT= MAC=52:54:a2:01:b9:0e:d2:74:7f:6e:37:e3:86:dd SRC=2001:0470:1f09:0a6f:021f:d0ff:fe27:a097 DST=xxxx:xxxx:xxxx:xxxx:0000:0000:0000:0002 LEN=80 TC=0 HOPLIMIT=5 FLOWLBL=847844 PROTO=UDP SPT=59324 DPT=33482 LEN=40
Feb 20 07:23:38 server kernel: [1958395.628840] [MYFW BLOCK] IN=eth0 OUT= MAC=52:54:a2:01:b9:0e:d2:74:7f:6e:37:e3:86:dd SRC=2001:0470:1f09:0a6f:021f:d0ff:fe27:a097 DST=xxxx:xxxx:xxxx:xxxx:0000:0000:0000:0002 LEN=80 TC=0 HOPLIMIT=2 FLOWLBL=522506 PROTO=UDP SPT=53712 DPT=33474 LEN=40
Feb 20 07:23:38 server kernel: [1958395.632462] [MYFW BLOCK] IN=eth0 OUT= MAC=52:54:a2:01:b9:0e:d2:74:7f:6e:37:e3:86:dd SRC=2001:0470:1f09:0a6f:021f:d0ff:fe27:a097 DST=xxxx:xxxx:xxxx:xxxx:0000:0000:0000:0002 LEN=80 TC=0 HOPLIMIT=4 FLOWLBL=646633 PROTO=UDP SPT=57141 DPT=33479 LEN=40
Feb 20 07:23:38 server kernel: [1958395.636041] [MYFW BLOCK] IN=eth0 OUT= MAC=52:54:a2:01:b9:0e:d2:74:7f:6e:37:e3:86:dd SRC=2001:0470:1f09:0a6f:021f:d0ff:fe27:a097 DST=xxxx:xxxx:xxxx:xxxx:0000:0000:0000:0002 LEN=80 TC=0 HOPLIMIT=2 FLOWLBL=216721 PROTO=UDP SPT=60674 DPT=33473 LEN=40
Feb 20 07:23:38 server kernel: [1958395.639592] [MYFW BLOCK] IN=eth0 OUT= MAC=52:54:a2:01:b9:0e:d2:74:7f:6e:37:e3:86:dd SRC=2001:0470:1f09:0a6f:021f:d0ff:fe27:a097 DST=xxxx:xxxx:xxxx:xxxx:0000:0000:0000:0002 LEN=80 TC=0 HOPLIMIT=5 FLOWLBL=302778 PROTO=UDP SPT=45472 DPT=33483 LEN=40
Feb 20 07:23:38 server kernel: [1958395.645099] [MYFW BLOCK] IN=eth0 OUT= MAC=52:54:a2:01:b9:0e:d2:74:7f:6e:37:e3:86:dd SRC=2001:0470:1f09:0a6f:021f:d0ff:fe27:a097 DST=xxxx:xxxx:xxxx:xxxx:0000:0000:0000:0002 LEN=80 TC=0 HOPLIMIT=4 FLOWLBL=129784 PROTO=UDP SPT=41730 DPT=33481 LEN=40
Feb 20 07:23:38 server kernel: [1958395.649408] [MYFW BLOCK] IN=eth0 OUT= MAC=52:54:a2:01:b9:0e:d2:74:7f:6e:37:e3:86:dd SRC=2001:0470:1f09:0a6f:021f:d0ff:fe27:a097 DST=xxxx:xxxx:xxxx:xxxx:0000:0000:0000:0002 LEN=80 TC=0 HOPLIMIT=1 FLOWLBL=390371 PROTO=UDP SPT=50364 DPT=33471 LEN=40
Feb 20 07:23:38 server kernel: [1958395.653535] [MYFW BLOCK] IN=eth0 OUT= MAC=52:54:a2:01:b9:0e:d2:74:7f:6e:37:e3:86:dd SRC=2001:0470:1f09:0a6f:021f:d0ff:fe27:a097 DST=xxxx:xxxx:xxxx:xxxx:0000:0000:0000:0002 LEN=80 TC=0 HOPLIMIT=3 FLOWLBL=548061 PROTO=UDP SPT=47717 DPT=33478 LEN=40
Feb 20 07:23:38 server kernel: [1958395.657159] [MYFW BLOCK] IN=eth0 OUT= MAC=52:54:a2:01:b9:0e:d2:74:7f:6e:37:e3:86:dd SRC=2001:0470:1f09:0a6f:021f:d0ff:fe27:a097 DST=xxxx:xxxx:xxxx:xxxx:0000:0000:0000:0002 LEN=80 TC=0 HOPLIMIT=1 FLOWLBL=47514 PROTO=UDP SPT=34200 DPT=33472 LEN=40
Feb 20 07:23:38 server kernel: [1958395.660976] [MYFW BLOCK] IN=eth0 OUT= MAC=52:54:a2:01:b9:0e:d2:74:7f:6e:37:e3:86:dd SRC=2001:0470:1f09:0a6f:021f:d0ff:fe27:a097 DST=xxxx:xxxx:xxxx:xxxx:0000:0000:0000:0002 LEN=80 TC=0 HOPLIMIT=5 FLOWLBL=239772 PROTO=UDP SPT=49783 DPT=33484 LEN=40
Feb 20 07:23:38 server kernel: [1958395.664690] [MYFW BLOCK] IN=eth0 OUT= MAC=52:54:a2:01:b9:0e:d2:74:7f:6e:37:e3:86:dd SRC=2001:0470:1f09:0a6f:021f:d0ff:fe27:a097 DST=xxxx:xxxx:xxxx:xxxx:0000:0000:0000:0002 LEN=80 TC=0 HOPLIMIT=4 FLOWLBL=257802 PROTO=UDP SPT=51034 DPT=33480 LEN=40
Feb 20 07:23:38 server kernel: [1958395.668221] [MYFW BLOCK] IN=eth0 OUT= MAC=52:54:a2:01:b9:0e:d2:74:7f:6e:37:e3:86:dd SRC=2001:0470:1f09:0a6f:021f:d0ff:fe27:a097 DST=xxxx:xxxx:xxxx:xxxx:0000:0000:0000:0002 LEN=80 TC=0 HOPLIMIT=3 FLOWLBL=347319 PROTO=UDP SPT=60236 DPT=33477 LEN=40
Feb 20 07:23:38 server kernel: [1958395.671956] [MYFW BLOCK] IN=eth0 OUT= MAC=52:54:a2:01:b9:0e:d2:74:7f:6e:37:e3:86:dd SRC=2001:0470:1f09:0a6f:021f:d0ff:fe27:a097 DST=xxxx:xxxx:xxxx:xxxx:0000:0000:0000:0002 LEN=80 TC=0 HOPLIMIT=3 FLOWLBL=536682 PROTO=UDP SPT=53405 DPT=33476 LEN=40
Feb 20 07:23:48 server kernel: [1958405.755487] [MYFW BLOCK] IN=eth0 OUT= MAC=52:54:a2:01:b9:0e:d2:74:7f:6e:37:e3:86:dd SRC=2001:0470:1f09:0a6f:021f:d0ff:fe27:a097 DST=xxxx:xxxx:xxxx:xxxx:0000:0000:0000:0002 LEN=80 TC=0 HOPLIMIT=6 FLOWLBL=56494 PROTO=UDP SPT=39096 DPT=33485 LEN=40
Feb 20 07:23:48 server kernel: [1958405.762238] [MYFW BLOCK] IN=eth0 OUT= MAC=52:54:a2:01:b9:0e:d2:74:7f:6e:37:e3:86:dd SRC=2001:0470:1f09:0a6f:021f:d0ff:fe27:a097 DST=xxxx:xxxx:xxxx:xxxx:0000:0000:0000:0002 LEN=80 TC=0 HOPLIMIT=7 FLOWLBL=10007 PROTO=UDP SPT=47928 DPT=33489 LEN=40
Feb 20 07:23:48 server kernel: [1958405.766908] [MYFW BLOCK] IN=eth0 OUT= MAC=52:54:a2:01:b9:0e:d2:74:7f:6e:37:e3:86:dd SRC=2001:0470:1f09:0a6f:021f:d0ff:fe27:a097 DST=xxxx:xxxx:xxxx:xxxx:0000:0000:0000:0002 LEN=80 TC=0 HOPLIMIT=7 FLOWLBL=136751 PROTO=UDP SPT=34544 DPT=33490 LEN=40
Feb 20 07:23:48 server kernel: [1958405.770951] [MYFW BLOCK] IN=eth0 OUT= MAC=52:54:a2:01:b9:0e:d2:74:7f:6e:37:e3:86:dd SRC=2001:0470:1f09:0a6f:021f:d0ff:fe27:a097 DST=xxxx:xxxx:xxxx:xxxx:0000:0000:0000:0002 LEN=80 TC=0 HOPLIMIT=6 FLOWLBL=220018 PROTO=UDP SPT=39336 DPT=33486 LEN=40
Feb 20 07:23:48 server kernel: [1958405.774836] [MYFW BLOCK] IN=eth0 OUT= MAC=52:54:a2:01:b9:0e:d2:74:7f:6e:37:e3:86:dd SRC=2001:0470:1f09:0a6f:021f:d0ff:fe27:a097 DST=xxxx:xxxx:xxxx:xxxx:0000:0000:0000:0002 LEN=80 TC=0 HOPLIMIT=8 FLOWLBL=498874 PROTO=UDP SPT=50944 DPT=33491 LEN=40
Feb 20 07:23:48 server kernel: [1958405.778823] [MYFW BLOCK] IN=eth0 OUT= MAC=52:54:a2:01:b9:0e:d2:74:7f:6e:37:e3:86:dd SRC=2001:0470:1f09:0a6f:021f:d0ff:fe27:a097 DST=xxxx:xxxx:xxxx:xxxx:0000:0000:0000:0002 LEN=80 TC=0 HOPLIMIT=6 FLOWLBL=117476 PROTO=UDP SPT=39267 DPT=33487 LEN=40
Feb 20 07:23:48 server kernel: [1958405.783049] [MYFW BLOCK] IN=eth0 OUT= MAC=52:54:a2:01:b9:0e:d2:74:7f:6e:37:e3:86:dd SRC=2001:0470:1f09:0a6f:021f:d0ff:fe27:a097 DST=xxxx:xxxx:xxxx:xxxx:0000:0000:0000:0002 LEN=80 TC=0 HOPLIMIT=7 FLOWLBL=11460 PROTO=UDP SPT=50828 DPT=33488 LEN=40
Feb 20 07:23:48 server kernel: [1958405.786886] [MYFW BLOCK] IN=eth0 OUT= MAC=52:54:a2:01:b9:0e:d2:74:7f:6e:37:e3:86:dd SRC=2001:0470:1f09:0a6f:021f:d0ff:fe27:a097 DST=xxxx:xxxx:xxxx:xxxx:0000:0000:0000:0002 LEN=80 TC=0 HOPLIMIT=10 FLOWLBL=327329 PROTO=UDP SPT=54927 DPT=33499 LEN=40
Feb 20 07:23:48 server kernel: [1958405.790681] [MYFW BLOCK] IN=eth0 OUT= MAC=52:54:a2:01:b9:0e:d2:74:7f:6e:37:e3:86:dd SRC=2001:0470:1f09:0a6f:021f:d0ff:fe27:a097 DST=xxxx:xxxx:xxxx:xxxx:0000:0000:0000:0002 LEN=80 TC=0 HOPLIMIT=11 FLOWLBL=689260 PROTO=UDP SPT=57259 DPT=33500 LEN=40
Feb 20 07:23:48 server kernel: [1958405.794821] [MYFW BLOCK] IN=eth0 OUT= MAC=52:54:a2:01:b9:0e:d2:74:7f:6e:37:e3:86:dd SRC=2001:0470:1f09:0a6f:021f:d0ff:fe27:a097 DST=xxxx:xxxx:xxxx:xxxx:0000:0000:0000:0002 LEN=80 TC=0 HOPLIMIT=8 FLOWLBL=150906 PROTO=UDP SPT=34453 DPT=33492 LEN=40
Feb 20 07:23:48 server kernel: [1958405.798514] [MYFW BLOCK] IN=eth0 OUT= MAC=52:54:a2:01:b9:0e:d2:74:7f:6e:37:e3:86:dd SRC=2001:0470:1f09:0a6f:021f:d0ff:fe27:a097 DST=xxxx:xxxx:xxxx:xxxx:0000:0000:0000:0002 LEN=80 TC=0 HOPLIMIT=9 FLOWLBL=783766 PROTO=UDP SPT=41696 DPT=33495 LEN=40
Feb 20 07:23:48 server kernel: [1958405.802479] [MYFW BLOCK] IN=eth0 OUT= MAC=52:54:a2:01:b9:0e:d2:74:7f:6e:37:e3:86:dd SRC=2001:0470:1f09:0a6f:021f:d0ff:fe27:a097 DST=xxxx:xxxx:xxxx:xxxx:0000:0000:0000:0002 LEN=80 TC=0 HOPLIMIT=10 FLOWLBL=1013488 PROTO=UDP SPT=35940 DPT=33497 LEN=40
Feb 20 07:23:48 server kernel: [1958405.806700] [MYFW BLOCK] IN=eth0 OUT= MAC=52:54:a2:01:b9:0e:d2:74:7f:6e:37:e3:86:dd SRC=2001:0470:1f09:0a6f:021f:d0ff:fe27:a097 DST=xxxx:xxxx:xxxx:xxxx:0000:0000:0000:0002 LEN=80 TC=0 HOPLIMIT=8 FLOWLBL=456363 PROTO=UDP SPT=53768 DPT=33493 LEN=40
Feb 20 07:23:48 server kernel: [1958405.810601] [MYFW BLOCK] IN=eth0 OUT= MAC=52:54:a2:01:b9:0e:d2:74:7f:6e:37:e3:86:dd SRC=2001:0470:1f09:0a6f:021f:d0ff:fe27:a097 DST=xxxx:xxxx:xxxx:xxxx:0000:0000:0000:0002 LEN=80 TC=0 HOPLIMIT=9 FLOWLBL=52591 PROTO=UDP SPT=37168 DPT=33494 LEN=40
Feb 20 07:23:48 server kernel: [1958405.814310] [MYFW BLOCK] IN=eth0 OUT= MAC=52:54:a2:01:b9:0e:d2:74:7f:6e:37:e3:86:dd SRC=2001:0470:1f09:0a6f:021f:d0ff:fe27:a097 DST=xxxx:xxxx:xxxx:xxxx:0000:0000:0000:0002 LEN=80 TC=0 HOPLIMIT=10 FLOWLBL=912499 PROTO=UDP SPT=57809 DPT=33498 LEN=40
Feb 20 07:23:53 server kernel: [1958410.760246] [MYFW BLOCK] IN=eth0 OUT= MAC=52:54:a2:01:b9:0e:d2:74:7f:6e:37:e3:86:dd SRC=2001:0470:1f09:0a6f:021f:d0ff:fe27:a097 DST=xxxx:xxxx:xxxx:xxxx:0000:0000:0000:0002 LEN=80 TC=0 HOPLIMIT=11 FLOWLBL=567943 PROTO=UDP SPT=56464 DPT=33501 LEN=40
Feb 20 07:23:53 server kernel: [1958410.764156] [MYFW BLOCK] IN=eth0 OUT= MAC=52:54:a2:01:b9:0e:d2:74:7f:6e:37:e3:86:dd SRC=2001:0470:1f09:0a6f:021f:d0ff:fe27:a097 DST=xxxx:xxxx:xxxx:xxxx:0000:0000:0000:0002 LEN=80 TC=0 HOPLIMIT=11 FLOWLBL=11694 PROTO=UDP SPT=38285 DPT=33502 LEN=40
Feb 20 07:23:53 server kernel: [1958410.764156] [MYFW BLOCK] IN=eth0 OUT= MAC=52:54:a2:01:b9:0e:d2:74:7f:6e:37:e3:86:dd SRC=2001:0470:1f09:0a6f:021f:d0ff:fe27:a097 DST=xxxx:xxxx:xxxx:xxxx:0000:0000:0000:0002 LEN=80 TC=0 HOPLIMIT=12 FLOWLBL=124984 PROTO=UDP SPT=57780 DPT=33503 LEN=40
Feb 20 07:23:53 server kernel: [1958410.764156] [MYFW BLOCK] IN=eth0 OUT= MAC=52:54:a2:01:b9:0e:d2:74:7f:6e:37:e3:86:dd SRC=2001:0470:1f09:0a6f:021f:d0ff:fe27:a097 DST=xxxx:xxxx:xxxx:xxxx:0000:0000:0000:0002 LEN=80 TC=0 HOPLIMIT=12 FLOWLBL=193935 PROTO=UDP SPT=50833 DPT=33504 LEN=40
Feb 20 07:23:53 server kernel: [1958410.764156] [MYFW BLOCK] IN=eth0 OUT= MAC=52:54:a2:01:b9:0e:d2:74:7f:6e:37:e3:86:dd SRC=2001:0470:1f09:0a6f:021f:d0ff:fe27:a097 DST=xxxx:xxxx:xxxx:xxxx:0000:0000:0000:0002 LEN=80 TC=0 HOPLIMIT=13 FLOWLBL=701362 PROTO=UDP SPT=52285 DPT=33506 LEN=40
Feb 20 07:23:53 server kernel: [1958410.764156] [MYFW BLOCK] IN=eth0 OUT= MAC=52:54:a2:01:b9:0e:d2:74:7f:6e:37:e3:86:dd SRC=2001:0470:1f09:0a6f:021f:d0ff:fe27:a097 DST=xxxx:xxxx:xxxx:xxxx:0000:0000:0000:0002 LEN=80 TC=0 HOPLIMIT=14 FLOWLBL=657721 PROTO=UDP SPT=39402 DPT=33511 LEN=40
Feb 20 07:23:53 server kernel: [1958410.764156] [MYFW BLOCK] IN=eth0 OUT= MAC=52:54:a2:01:b9:0e:d2:74:7f:6e:37:e3:86:dd SRC=2001:0470:1f09:0a6f:021f:d0ff:fe27:a097 DST=xxxx:xxxx:xxxx:xxxx:0000:0000:0000:0002 LEN=80 TC=0 HOPLIMIT=14 FLOWLBL=919852 PROTO=UDP SPT=33016 DPT=33509 LEN=40
Feb 20 07:23:53 server kernel: [1958410.764156] [MYFW BLOCK] IN=eth0 OUT= MAC=52:54:a2:01:b9:0e:d2:74:7f:6e:37:e3:86:dd SRC=2001:0470:1f09:0a6f:021f:d0ff:fe27:a097 DST=xxxx:xxxx:xxxx:xxxx:0000:0000:0000:0002 LEN=80 TC=0 HOPLIMIT=14 FLOWLBL=757851 PROTO=UDP SPT=35962 DPT=33510 LEN=40
Feb 20 07:23:53 server kernel: [1958410.764156] [MYFW BLOCK] IN=eth0 OUT= MAC=52:54:a2:01:b9:0e:d2:74:7f:6e:37:e3:86:dd SRC=2001:0470:1f09:0a6f:021f:d0ff:fe27:a097 DST=xxxx:xxxx:xxxx:xxxx:0000:0000:0000:0002 LEN=80 TC=0 HOPLIMIT=13 FLOWLBL=851818 PROTO=UDP SPT=52436 DPT=33508 LEN=40
Feb 20 07:23:53 server kernel: [1958410.764156] [MYFW BLOCK] IN=eth0 OUT= MAC=52:54:a2:01:b9:0e:d2:74:7f:6e:37:e3:86:dd SRC=2001:0470:1f09:0a6f:021f:d0ff:fe27:a097 DST=xxxx:xxxx:xxxx:xxxx:0000:0000:0000:0002 LEN=80 TC=0 HOPLIMIT=12 FLOWLBL=50426 PROTO=UDP SPT=42711 DPT=33505 LEN=40
Feb 20 07:23:53 server kernel: [1958410.764156] [MYFW BLOCK] IN=eth0 OUT= MAC=52:54:a2:01:b9:0e:d2:74:7f:6e:37:e3:86:dd SRC=2001:0470:1f09:0a6f:021f:d0ff:fe27:a097 DST=xxxx:xxxx:xxxx:xxxx:0000:0000:0000:0002 LEN=80 TC=0 HOPLIMIT=16 FLOWLBL=368192 PROTO=UDP SPT=56866 DPT=33515 LEN=40
Feb 20 07:23:53 server kernel: [1958410.764156] [MYFW BLOCK] IN=eth0 OUT= MAC=52:54:a2:01:b9:0e:d2:74:7f:6e:37:e3:86:dd SRC=2001:0470:1f09:0a6f:021f:d0ff:fe27:a097 DST=xxxx:xxxx:xxxx:xxxx:0000:0000:0000:0002 LEN=80 TC=0 HOPLIMIT=13 FLOWLBL=3978 PROTO=UDP SPT=36881 DPT=33507 LEN=40
Feb 20 07:23:53 server kernel: [1958410.764156] [MYFW BLOCK] IN=eth0 OUT= MAC=52:54:a2:01:b9:0e:d2:74:7f:6e:37:e3:86:dd SRC=2001:0470:1f09:0a6f:021f:d0ff:fe27:a097 DST=xxxx:xxxx:xxxx:xxxx:0000:0000:0000:0002 LEN=80 TC=0 HOPLIMIT=15 FLOWLBL=154833 PROTO=UDP SPT=39246 DPT=33513 LEN=40
Feb 20 07:23:58 server kernel: [1958415.764721] [MYFW BLOCK] IN=eth0 OUT= MAC=52:54:a2:01:b9:0e:d2:74:7f:6e:37:e3:86:dd SRC=2001:0470:1f09:0a6f:021f:d0ff:fe27:a097 DST=xxxx:xxxx:xxxx:xxxx:0000:0000:0000:0002 LEN=80 TC=0 HOPLIMIT=16 FLOWLBL=233573 PROTO=UDP SPT=53014 DPT=33517 LEN=40
Feb 20 07:23:58 server kernel: [1958415.771512] [MYFW BLOCK] IN=eth0 OUT= MAC=52:54:a2:01:b9:0e:d2:74:7f:6e:37:e3:86:dd SRC=2001:0470:1f09:0a6f:021f:d0ff:fe27:a097 DST=xxxx:xxxx:xxxx:xxxx:0000:0000:0000:0002 LEN=80 TC=0 HOPLIMIT=17 FLOWLBL=181185 PROTO=UDP SPT=37941 DPT=33518 LEN=40
Feb 20 07:23:58 server kernel: [1958415.777078] [MYFW BLOCK] IN=eth0 OUT= MAC=52:54:a2:01:b9:0e:d2:74:7f:6e:37:e3:86:dd SRC=2001:0470:1f09:0a6f:021f:d0ff:fe27:a097 DST=xxxx:xxxx:xxxx:xxxx:0000:0000:0000:0002 LEN=80 TC=0 HOPLIMIT=17 FLOWLBL=784996 PROTO=UDP SPT=40603 DPT=33520 LEN=40
Feb 20 07:23:58 server kernel: [1958415.781549] [MYFW BLOCK] IN=eth0 OUT= MAC=52:54:a2:01:b9:0e:d2:74:7f:6e:37:e3:86:dd SRC=2001:0470:1f09:0a6f:021f:d0ff:fe27:a097 DST=xxxx:xxxx:xxxx:xxxx:0000:0000:0000:0002 LEN=80 TC=0 HOPLIMIT=17 FLOWLBL=889366 PROTO=UDP SPT=40243 DPT=33519 LEN=40
Feb 20 07:23:58 server kernel: [1958415.786739] [MYFW BLOCK] IN=eth0 OUT= MAC=52:54:a2:01:b9:0e:d2:74:7f:6e:37:e3:86:dd SRC=2001:0470:1f09:0a6f:021f:d0ff:fe27:a097 DST=xxxx:xxxx:xxxx:xxxx:0000:0000:0000:0002 LEN=80 TC=0 HOPLIMIT=18 FLOWLBL=374378 PROTO=UDP SPT=55473 DPT=33523 LEN=40
Feb 20 07:23:58 server kernel: [1958415.792212] [MYFW BLOCK] IN=eth0 OUT= MAC=52:54:a2:01:b9:0e:d2:74:7f:6e:37:e3:86:dd SRC=2001:0470:1f09:0a6f:021f:d0ff:fe27:a097 DST=xxxx:xxxx:xxxx:xxxx:0000:0000:0000:0002 LEN=80 TC=0 HOPLIMIT=18 FLOWLBL=479797 PROTO=UDP SPT=35576 DPT=33522 LEN=40
Feb 20 07:23:58 server kernel: [1958415.797882] [MYFW BLOCK] IN=eth0 OUT= MAC=52:54:a2:01:b9:0e:d2:74:7f:6e:37:e3:86:dd SRC=2001:0470:1f09:0a6f:021f:d0ff:fe27:a097 DST=xxxx:xxxx:xxxx:xxxx:0000:0000:0000:0002 LEN=80 TC=0 HOPLIMIT=18 FLOWLBL=848079 PROTO=UDP SPT=38600 DPT=33521 LEN=40

The host was blocked, but not fast enough:

2017-02-20 07:23:39,866 fail2ban.actions[1936]: WARNING [portscan] Ban 2001:0470:1f09:0a6f:021f:d0ff:fe27:a097
2017-02-20 07:23:49,906 fail2ban.actions[1936]: INFO [portscan] 2001:0470:1f09:0a6f:021f:d0ff:fe27:a097 already banned
2017-02-20 07:23:54,911 fail2ban.actions[1936]: INFO [portscan] 2001:0470:1f09:0a6f:021f:d0ff:fe27:a097 already banned
2017-02-20 07:23:59,917 fail2ban.actions[1936]: INFO [portscan] 2001:0470:1f09:0a6f:021f:d0ff:fe27:a097 already banned
2017-02-20 08:19:08,778 fail2ban.actions[1936]: WARNING [portscan] Unban 2001:0470:1f09:0a6f:021f:d0ff:fe27:a097

It looks like fail2ban's response time is not fast enough; the response time seems to be 1-2 seconds. Is there a way to also block these? Maybe some iptables rule limiting those massive scans?

-- 
Best regards
Jochen Fahrner
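Added example, not part of the original post and not fail2ban's own code: a small script that correlates the two logs quoted above and reports, per banned source, the ban lag and how many [MYFW BLOCK] entries were logged before and after the Ban line. The regexes only approximate the post's failregex, and the sample input is rebuilt from the post's excerpt with simplified fields.

```python
import re
from datetime import datetime

# Approximation of the post's failregex: fail2ban's <HOST> and %(__machex)s
# tags are replaced by ordinary groups, and the syslog prefix is spelled out.
BLOCK_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ kernel: \[\s*[\d.]+\] \[MYFW BLOCK\] "
    r"IN=eth0 OUT= MAC=[0-9a-f:]+ SRC=(?P<src>\S+) ")
BAN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d [\d:]{8}),(?P<ms>\d{3}) fail2ban\.actions\S*: "
    r"\w+ +\[[^\]]+\] Ban (?P<src>\S+)")

def ban_lag(kernel_lines, f2b_lines):
    """Per banned source: first hit, ban time, lag (s), hits logged before/after the ban."""
    bans = {}
    for line in f2b_lines:
        m = BAN_RE.match(line)
        if m and m["src"] not in bans:  # keep the first Ban per source
            t = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            bans[m["src"]] = t.replace(microsecond=int(m["ms"]) * 1000)
    report = {}
    for line in kernel_lines:
        m = BLOCK_RE.match(line)
        if not m or m["src"] not in bans:
            continue
        ban = bans[m["src"]]
        # Syslog timestamps carry no year; borrow it from the ban entry.
        seen = datetime.strptime(f"{ban.year} {m['ts']}", "%Y %b %d %H:%M:%S")
        r = report.setdefault(m["src"], {"first": seen, "ban": ban, "before": 0, "after": 0})
        r["first"] = min(r["first"], seen)
        r["before" if seen <= ban else "after"] += 1
    for r in report.values():
        r["lag"] = (r["ban"] - r["first"]).total_seconds()
    return report

# Sample input rebuilt from the post's excerpt: source address, wall-clock times and
# fail2ban lines are the post's; the other kernel-log fields are simplified constants.
SRC = "2001:0470:1f09:0a6f:021f:d0ff:fe27:a097"
def _kern(ts):
    return (f"Feb 20 {ts} server kernel: [1958395.614371] [MYFW BLOCK] IN=eth0 OUT= "
            f"MAC=52:54:a2:01:b9:0e:d2:74:7f:6e:37:e3:86:dd SRC={SRC} "
            "DST=xxxx:xxxx:xxxx:xxxx:0000:0000:0000:0002 LEN=80 PROTO=UDP DPT=33470 LEN=40")
KERNEL = [_kern(t) for t in ["07:23:38"] * 3 + ["07:23:48"] * 2 + ["07:23:53"]]
F2B = [f"2017-02-20 07:23:39,866 fail2ban.actions[1936]: WARNING [portscan] Ban {SRC}",
       f"2017-02-20 07:23:49,906 fail2ban.actions[1936]: INFO [portscan] {SRC} already banned",
       f"2017-02-20 08:19:08,778 fail2ban.actions[1936]: WARNING [portscan] Unban {SRC}"]

if __name__ == "__main__":
    for src, r in ban_lag(KERNEL, F2B).items():
        print(src, f"lag={r['lag']:.3f}s before={r['before']} after={r['after']}")
```

A non-zero "after" count means the [MYFW BLOCK] log rule was still matching packets from the source after fail2ban had issued the ban.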