Ubuntu: Drop packets per ip if more than a threshold of hits from the ip is reached


Now I want to block an ip (or drop packets sourcing from an ip) if the ip hits my host for say 5 request in a min. How to do so? Can you point me to what tool or command to read about in regard to the stated issue?

After searching, I came across iptables with -m limit module. But this doesn't consider IP address. Meaning, if I set the limit to 5 on port 22 for 5 hits per 60 seconds, this will prevent connections if 5 hits hit the server regardless the source ip (whether that a single ip or 5 different machines). I also came across tc to shape the traffic bandwidth but I wasn't sure if it's the tool I should be looking at.

Please help me out by posting links along with your solution. I always love to read more.

Thanks in advance.

UPDATE: I can't use fail2ban here as fail2ban requires the existence of date and time in some known format in the logs. This is not the case for the logs of freeswitch.


Okay, I was able to find an answer to my question and I'm sharing this here for others to benefit from (even though the number of views doesn't say so :) ).

My solution utilizes iptables and fail2ban to solve the issue in question.

  1. Get your firewall up and running. Don't forget to open the ports required by freeswitch to carry out successful VoIP operations:

    firewall-cmd --add-port=5080-5081/tcp --add-port=5060-5061/tcp --add-port=5066/tcp --add-port=8080-8082/tcp --add-port=7443/tcp --add-port=16384-32768/udp  

This step alone filters out lots of attacks as most of them are over udp on the tcp-expected ports.

  1. Ask iptables to store the tcp connections related info when connecting to the signaling ports:

    iptables -I INPUT 5 -i eth0 -p tcp -m multiport --dports 5080,5081,5060,5061,7443,5066,8080:8082 -m recent --set --name FREESWITCH_BADGUY -j ACCEP  iptables -I INPUT 5 -i eth0 -p tcp -m recent --update --hitcount 1 --seconds 120 --name FREESWITCH_BADGUY -j LOG --log-prefix "FREESWITCH BAD: " --log-level info  

Note the index/order 5 in the INPUT chain. I used 5 because it was just before the rules to accept connections on the listed ports (from the commands in the first step). So, you should put them anywhere before the rules from the first step but after the fail2ban ssh rules.

  1. Create a new fail2ban filter at /etc/fail2ban/filter.d/freeswitch-customized.conf:

    [Definition]    failregex = FREESWITCH BAD.*SRC=<HOST>    ignoreregex =  
  2. Add the following to /etc/fail2ban/jail.local: (Change the logpath to the system log file. Mine was /var/log/messages. But it can be in your case, for example, /var/log/syslog).

    [freeswitch-customized]    enabled = true  port = 5060,5061,5080,5081,7443,5066  logpath = /var/log/messages  filter = freeswitch-customzied  
  3. Restart fail2ban:

    systemctl restart fail2ban  

This worked for me.

Note:If u also have question or solution just comment us below or mail us on toontricks1994@gmail.com
Next Post »