Combine PSAD and IPSET to block attackers

This is a very basic implementation that combines our psad setup (see this post) and ipset (see this other post). There is an interesting feature in psad that logs the top attackers; you can find the file under /var/log/psad/top_attackers, and it looks like this:

As you can see, it's not a clean list of IPs line by line as we would like to have; it has the extra values of total packets, unique signatures and other stuff that cannot be interpreted by ipset. ipset will only check IP addresses (or entire networks) line by line, so what do we do? We just need to make a little script for it.

The concept is to take the top attackers reported by psad and block them forever with ipset! So the first thing to do is get a clean list of IPs from /var/log/psad/top_attackers. Using grep and regular expressions, this simple line gives us what we want:

Cool! Now we have a clean list of IPs. The next step is to add that to an ipset list with a for loop (check the ipset post), save the ipset configuration and a log with the blocked IPs, and finally let us know via email. So here's the script I use for it; pretty simple, as my bash scripting skills are not great (yet!).

The script is basic but so far it does what I want! All I do next is schedule a monthly cron job that runs the script. In case the list of attackers hasn't changed at all, don't worry: when ipset tries to add IPs that are already in the list it'll just skip them (actually it gives you a warning saying the IP is already there, but it won't stop the script from adding the ones that are not).


Any comments? con tac me (_a t )dr0 u.co m

Use under your own risk!

#debian#ids#ipset#linux#psad