Hi Chris, I'm not sure if this is exactly what you're looking for, but you can use the iptables "recent" module for this. It uses the connection tracking mechanism to keep track of a specified set of behavior and then will dynamically take action if certain match conditions are met. Example:
The rule below defines the type of packet that the recent module will track in the connection tracking table:

    iptables -I INPUT -p tcp --dport 22 -i eth1 -m state --state NEW -m recent --set

The rule below tells it what to do if the same match occurs the specified number of times within the specified time frame:

    iptables -I INPUT -m recent --update --seconds 60 --hitcount 4 -j DROP

So, these 2 rules will drop all traffic from a source address that has tried to SSH to this box 4 times within a 60 second period. If the source IP has backed off for over 60 seconds, the drop rule is removed. The values in the rules above are all configurable and you may be able to specify a time frame of two weeks, although I'm not entirely sure about that.

We do have an enhancement request open to add this feature to the CLI: https://bugzilla.vyatta.com/show_bug.cgi?id=2224

In the meantime, you'll have to configure any "recent" module rules via iptables. Also, if you're only using iptables and have not added any nat or firewall rules via the CLI, be sure to remove the NOTRACK rules from the "raw" table.

Thank you,
Robyn

Christopher Johnson wrote:
> I have my systems set up to monitor authentication failures. I want
> one system to be able to automatically add a firewall rule to deny a
> particular IP address. In the best of all worlds, that firewall rule
> would then expire at some time in the future.
>
> I.e. "Failed password for root from 35.8.1.1 port
> 38876 ssh2" is the logged message. (And no, nobody from MSU tried
> this, just one of my test IPs from a very long time ago).
>
> What I'd like to do is an SSH to the OFR which would then add a
> firewall rule that would expire in two weeks.
>
> ssh vyatta.example.com /usr/local/bin/blockip 35.8.1.1 14
>
> Any suggestions on what "blockip" might look like would be very nice.
>
> Thanks,
> -Chris
>
> _______________________________________________
> Vyatta-users mailing list
> Vyatta-users@mailman.vyatta.com
> http://mailman.vyatta.com/mailman/listinfo/vyatta-users
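An added illustration of what a "blockip" script along the lines Chris describes could look like; this is example code written for this archive page, not Vyatta's CLI, not the bugzilla feature, and not anything Robyn or Chris posted. Robyn's "recent" rules handle the short-term throttling; the script below covers the longer expiry Chris asked for by recording a Unix timestamp in the rule's comment and deleting tagged rules once that time has passed. It assumes the iptables "comment" match is available and that the script runs with enough privilege to call iptables; the `blockip` tag, the `expires=` convention and the `DRY_RUN` variable are my own choices.

```shell
#!/bin/sh
# Illustrative "blockip" script (constructed example, not Vyatta's CLI).
# Blocks a source address with an iptables DROP rule whose expiry time is
# recorded in the rule's comment, and removes blocks once they have lapsed.
# Assumes the iptables "comment" match is available. Set DRY_RUN=1 to print
# the iptables commands instead of running them.

IPTABLES=${IPTABLES:-iptables}
TAG=blockip          # marker so we only ever touch rules this script created

# run <iptables args...> : apply a change, or print it when DRY_RUN is set
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$IPTABLES" "$@"
    fi
}

# source_ip : read sshd log lines on stdin and print the source address of
# each "Failed password" message (the log format Chris quoted)
source_ip() {
    sed -n 's/.*Failed password for .* from \([0-9.][0-9.]*\) port .*/\1/p'
}

# blockip <ip> [days] : insert a DROP rule for <ip> that lapses after <days>
# (default 14); the expiry is stored as a Unix timestamp in the comment
blockip() {
    ip=$1
    days=${2:-14}
    expires=$(( $(date +%s) + days * 86400 ))
    run -I INPUT -s "$ip" -m comment --comment "$TAG expires=$expires" -j DROP
}

# expired_rules <now> : read `iptables -S INPUT` output on stdin and print
# "<source> <expiry>" for every tagged rule whose expiry is at or before <now>
expired_rules() {
    now=$1
    while IFS= read -r line; do
        case $line in
            *"--comment \"$TAG expires="*) ;;
            *) continue ;;          # not one of ours, leave it alone
        esac
        ip=${line#*-s }; ip=${ip%% *}
        exp=${line##*expires=}; exp=${exp%%\"*}
        if [ "$exp" -le "$now" ]; then
            printf '%s %s\n' "$ip" "$exp"
        fi
    done
}

# expire_blocks : delete every tagged rule that has lapsed (run this from cron)
expire_blocks() {
    "$IPTABLES" -S INPUT | expired_rules "$(date +%s)" |
    while read -r ip exp; do
        run -D INPUT -s "$ip" -m comment --comment "$TAG expires=$exp" -j DROP
    done
}

# Usage: blockip block <ip> [days]   |   blockip expire
case ${1:-} in
    block)  shift; blockip "$@" ;;
    expire) expire_blocks ;;
esac
```

Invoked as `ssh vyatta.example.com /usr/local/bin/blockip block 35.8.1.1 14` it inserts the rule; a cron entry running `blockip expire` clears rules whose timestamp has passed. Because `expired_rules` only acts on rules carrying the script's own comment tag, hand-written rules and the "recent" module rules are never touched.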