How to ban Syn Flood Attacks using Fail2Ban?
I came up with another solution for this and it seems to be working so far. Basically, I have written a filter that scans through the log and blocks all rogue IP addresses that have been dropped for various reasons in the given findtime. So this filter will block the IPs that have been dropped due to Syn, Xmas attacks, port scans, etc. - whatever is listed in your iptables rules. In other words, it blocks the ones that keep showing up in the iptables block list for various reasons.
JAIL: jail.local
[iptables-dropped]
enabled = true
filter = iptables-dropped
banaction = iptables-allports
port = all
logpath = /var/log/messages
bantime = 1800
maxretry = 3
FILTER: iptables-dropped.conf
[Definition]
failregex = IPTables Dropped: .* SRC=<HOST>
ignoreregex =
Make sure you log the dropped IPs like this in the iptables rules so the above filter works:
# log iptables denied calls (access via 'dmesg' command) to /var/log/messages file
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A LOGGING -m limit --limit 5/min -j LOG --log-prefix "IPTables Dropped: " --log-level 4
iptables -A LOGGING -j DROP
The above seems to work for me.
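As an added example (not part of the answer above), the following Python script applies the same failregex that fail2ban would, with `<HOST>` expanded to an IPv4 pattern, to constructed /var/log/messages lines shaped like the output of the LOG rule, and reports which source addresses would cross the jail's maxretry within findtime. The sample lines and addresses are constructed, and findtime is assumed to be fail2ban's default of 600 seconds because the jail does not set it.

```python
import re
from collections import defaultdict
from datetime import datetime

# failregex from the filter above; fail2ban expands <HOST> to an address pattern
# (IPv4 only here, an assumption made to keep the example short)
FAILREGEX = r"IPTables Dropped: .* SRC=<HOST>"
HOST_PATTERN = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"
LINE_RE = re.compile(FAILREGEX.replace("<HOST>", HOST_PATTERN))

# constructed /var/log/messages lines in the shape the LOG rule writes
# (documentation-range addresses, not real hosts)
SAMPLE_LOG = """\
Mar  3 10:00:01 host kernel: IPTables Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=55555 DPT=22 FLAGS=SYN
Mar  3 10:00:02 host kernel: IPTables Dropped: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=55556 DPT=23 FLAGS=SYN
Mar  3 10:00:03 host kernel: IPTables Dropped: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=40000 DPT=80 FLAGS=SYN
Mar  3 10:00:04 host kernel: IPTables Dropped: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=55557 DPT=25 FLAGS=SYN
Mar  3 10:20:00 host kernel: IPTables Dropped: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=40001 DPT=443 FLAGS=SYN
Mar  3 10:00:05 host sshd[123]: Accepted publickey for admin from 192.0.2.50 port 5000
"""


def parse_events(log_text):
    """Return (timestamp, host) for every line the failregex matches."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated line, e.g. the sshd entry above
        # syslog timestamp has no year; fine for relative comparisons
        ts = datetime.strptime(line[:15], "%b %d %H:%M:%S")
        events.append((ts, m.group("host")))
    return events


def hosts_to_ban(log_text, maxretry=3, findtime=600):
    """Set of SRC addresses with at least `maxretry` matches inside any
    `findtime`-second window, which is what the jail above would ban."""
    seen = defaultdict(list)
    banned = set()
    for ts, host in sorted(parse_events(log_text)):
        recent = [t for t in seen[host] if (ts - t).total_seconds() <= findtime]
        recent.append(ts)
        seen[host] = recent
        if len(recent) >= maxretry:
            banned.add(host)
    return banned


if __name__ == "__main__":
    print(sorted(hosts_to_ban(SAMPLE_LOG)))  # ['203.0.113.7']
```

Note that the `-m limit --limit 5/min` on the LOG rule caps how many dropped packets reach the log, so fail2ban counts at most five hits per minute per rule regardless of the real packet rate; keep that in mind when choosing maxretry and findtime.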