I use the foomuuri firewall written by Kim Heino of BBBS fame. Excellent firewall using nftables.
I have a very simple script that reads the dmesg and collates the firewall dropped connections.
=-=-=-=-=-=
#!/bin/sh
# Count firewall-dropped source addresses in dmesg, leaving out the two LANs and one trusted host.
dmesg | grep -o "SRC=[0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+" | grep -Ev "SRC=192\.168\.(40|1)\.[[:digit:]]{1,3}$|SRC=194\.36\.65\.41$" \
  | sort | uniq -c | sort -n
=-=-=-=-=-=
This gives the following:
3 SRC=103.252.165.86
3 SRC=106.15.59.138
3 SRC=122.97.136.53
3 SRC=178.197.195.1
3 SRC=196.191.104.17
3 SRC=5.178.99.30
3 SRC=52.221.196.121
4 SRC=209.9.203.104
8 SRC=169.254.102.203
These are live, and if they go over 15 I add them to a list that foomuuri reads and then blocks them permanently.
This is what has been stopped by my list in the last 19 hours:
counter tcob1 {
packets 1437 bytes 86092
}
I have other lists as well but mine is the most active. I know I could achieve the same with fail2ban but I find this easier.
Sean
... TCOB1:
https://binkd.rima.ie telnet: binkd.rima.ie
--- BBBS/LiR v4.10 Toy-7
* Origin: TCOB1: https/binkd/telnet binkd.rima.ie (86:553/20)
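The collate-and-threshold step described in the post above, as an added example that is not Sean's script and not part of foomuuri: it tallies "SRC=" drop lines in one awk pass, skips configured prefixes, and lists the addresses over a threshold. The log lines, the ignore prefixes and the threshold value are constructed for the example; it stops short of writing to a foomuuri list, since the post does not show that file's format.

```shell
#!/bin/sh
# Added example, not Sean's script: one-pass collation of "SRC=" drop lines
# with a block threshold. All log lines below are constructed samples and
# the ignore list uses placeholder ranges.

# Source prefixes to leave out of the tally (own LANs, trusted hosts).
# A trailing dot makes "192.168.1." match only that /24, not 192.168.10.x.
IGNORE_PREFIXES="192.168.40. 192.168.1. 194.36.65.41"

# Count of drops above which an address is proposed for the permanent list.
THRESHOLD=15

# stdin: kernel log text. stdout: "count address", ascending by count.
collate_dropped() {
  awk -v ignore="$IGNORE_PREFIXES" '
    BEGIN { n = split(ignore, pre, " ") }
    match($0, /SRC=[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/) {
      ip = substr($0, RSTART + 4, RLENGTH - 4)
      for (i = 1; i <= n; i++) if (index(ip, pre[i]) == 1) next
      count[ip]++
    }
    END { for (ip in count) print count[ip], ip }
  ' | sort -n
}

# stdin: "count address" lines. stdout: addresses with count strictly over $1.
over_threshold() {
  awk -v t="$1" '$1 + 0 > t + 0 { print $2 }'
}

# Constructed sample log: 16 drops from 203.0.113.7, 3 from 198.51.100.9,
# and LAN traffic from 192.168.1.20 that must not be counted.
SAMPLE_LOG=$(
  i=0
  while [ "$i" -lt 16 ]; do
    echo "[ 100.$i] IN=eth0 SRC=203.0.113.7 DST=192.0.2.1 PROTO=TCP DPT=22"
    i=$((i + 1))
  done
  for i in 1 2 3; do
    echo "[ 200.$i] IN=eth0 SRC=198.51.100.9 DST=192.0.2.1 PROTO=TCP DPT=23"
  done
  echo "[ 300.0] IN=eth0 SRC=192.168.1.20 DST=192.0.2.1 PROTO=UDP DPT=53"
)

# Run on the sample: prints the tally, then the addresses over THRESHOLD.
printf '%s\n' "$SAMPLE_LOG" | collate_dropped
printf '%s\n' "$SAMPLE_LOG" | collate_dropped | over_threshold "$THRESHOLD"
```

To use it on a live box, replace the SAMPLE_LOG pipe with `dmesg | collate_dropped`.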