How block brute force attack from specific country

Yesterday I came across some suspicious traffic from multiple IP addresses to a country who we cant trust. After check it more deep, i found that several trafick just do bruteforce attack to my server. 

of course this will melt when blocking one by one the ip address, and I want all traffic from ipadress originating from that country to be blocked directly and automatically without having to patch one by one into iptables, and allows opening the block quickly if needed later.

if you have some problem like me, you can follow my steps below.

Before starting

It is assumed that you are using a CentOS 7 server already having iptables and ipset installed. Run the following command in order to double check the availability of the packages:

yum list ipset iptables ipset-service iptables-services

In case all are listed under "Installed Packages" section, you can proceed forward. Otherwise, just install the missing packages.

yum install ipset iptables ipset iptables ipset-service iptables-services

Step-by-step guide

  1. Download the script.

  2. Install the required perl libraries using the following command. As one of them is available only on EPEL, the EPEL Repository must be added first:

    yum install epel-release perl-libwww-perl perl-Locale-SubCountry

  3. Edit the script and specify which countries you want to block. The list of countries is available here.

    my @countries = (
  4. Run the script:

    The default policy is set to reject. The iptables rules for the above example look like this:

    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    REJECT     all  --              match-set Turkey src reject-with icmp-host-unreachable
    REJECT     all  --              match-set Saudi_Arabia src reject-with icmp-host-unreachable
    REJECT     all  --              match-set Palestinian_Territory_Occupied src reject-with icmp-host-unreachable

    If you want to add the iptables rules with ACCEPT or DROP instead of reject, you can call the script with -p parameter.

    perl -p drop
    It will add the iptables rule as follows:

    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    DROP	   all  --              match-set Turkey src
    DROP	   all  --              match-set Saudi_Arabia src
    DROP	   all  --              match-set Palestinian_Territory_Occupied src

    Daily refresh of the IP sets can be done via a cronjob like the one below:

    * 1 * * * /usr/bin/perl /<path_to_the_script>/ -r > /dev/null 2>&1

    Replace <path_to_the_script> with the actual path toward the script.

    If you need to flush the existing rules and destroy all the IP sets available, use the parameter -f like this:

    perl -f
    Just answer Yes or Y and all the rules and sets will be removed.

  5. To preserve the rules during reboots, run the following command:

    service iptables save && service ipset save

Make sure you do not mix up the countries, otherwise you might get yourself blocked.

To avoid such issues, it is recommended to start with a cronjob that will remove the rules. If no issues arise, the cronjob can be removed.

Source and Reference : 

How block brute force attack from specific country How block brute force attack from specific country Reviewed by ilham.sp on December 30, 2020 Rating: 5

No comments:


This site uses cookies from Google to deliver its services, to personalise ads and to analyse traffic. Information about your use of this site is shared with Google. By using this site, you agree to its use of cookies.Learn More

Powered by Blogger.