Combine PSAD and IPSET to block attackers

This is a very basic implementation that combines our psad setup (see this post) with ipset (see this other post). psad has a useful feature: it keeps a list of the top attackers in /var/log/psad/top_attackers, which looks like this:

As you can see, it is not the clean list of IPs, one per line, that we would like to have: each entry also carries the total packet count, the number of unique signatures and other fields that ipset cannot interpret. ipset only accepts IP addresses (or whole networks) one per line, so we need a small script to pull the addresses out of that file before feeding them to ipset.
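As an added example (not the script from the original post), the following POSIX shell script does that extraction. Because the exact top_attackers layout is not reproduced here, it assumes only that each attacker entry contains one IPv4 address somewhere on its line; the sample input, the set name psad_attackers, the allowlist of hosts that must never be banned and the one-day entry timeout are all assumptions made for this example. Rather than calling ipset once per address, it emits input for `ipset restore`, which loads the whole list in one call.

```sh
#!/bin/sh
# Added example: turn psad's top_attackers list into ipset entries.
# Assumption: each attacker entry has an IPv4 address somewhere on its
# line; the other fields (packets, signature counts, ...) are ignored.
set -eu

# Constructed stand-in for /var/log/psad/top_attackers (not real psad
# output; the field names are illustrative only).
SAMPLE_TOP_ATTACKERS='Top 50 attackers:

        203.0.113.5    DL: 3, Packets: 1200, Sig count: 2
        198.51.100.77  DL: 2, Packets: 340, Sig count: 1
        203.0.113.5    DL: 3, Packets: 1200, Sig count: 2
        999.1.1.1      DL: 1, Packets: 10, Sig count: 1
        10.0.0.4       DL: 1, Packets: 10, Sig count: 1
'

# Hosts that must never be blocked (your own management IPs); hypothetical.
ALLOWLIST="${ALLOWLIST:-10.0.0.4}"
# Bans expire after this many seconds so a spoofed or stale entry does not
# stay forever; hypothetical default of one day.
BAN_TIMEOUT="${BAN_TIMEOUT:-86400}"

# Print each syntactically valid IPv4 address found on stdin, one per line,
# first occurrence only. The regex alone would accept 999.1.1.1, so awk
# checks that every octet is <= 255.
extract_ips() {
    grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' |
    awk -F. '$1<=255 && $2<=255 && $3<=255 && $4<=255 && !seen[$0]++'
}

# Drop any IP that appears in the space-separated allowlist given as $1.
filter_allowlist() {
    awk -v list="$1" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        !($0 in skip)'
}

# Emit "ipset restore" input: create the set (hash:ip with a default entry
# timeout), then one "add" line per IP read from stdin. $1 = set name.
ipset_restore_script() {
    printf 'create %s hash:ip family inet timeout %s\n' "$1" "$BAN_TIMEOUT"
    while IFS= read -r ip; do
        printf 'add %s %s\n' "$1" "$ip"
    done
}

# Whole pipeline: $1 = top_attackers file, $2 = set name, $3 = allowlist.
psad_to_ipset() {
    extract_ips < "$1" | filter_allowlist "${3:-}" | ipset_restore_script "$2"
}

# Stand-alone demo on the constructed sample: prints the restore script.
# On a real host, point psad_to_ipset at /var/log/psad/top_attackers and
# pipe the output into:  ipset -exist restore
demo_file=$(mktemp)
printf '%s' "$SAMPLE_TOP_ATTACKERS" > "$demo_file"
psad_to_ipset "$demo_file" psad_attackers "$ALLOWLIST"
rm -f "$demo_file"
```

Run it from cron and pipe the output into `ipset -exist restore` (the `-exist` flag makes re-creating the set and re-adding known addresses harmless, as long as the set is always created with the same options). The set only blocks anything once an iptables rule references it, for example `iptables -I INPUT -m set --match-set psad_attackers src -j DROP`. Keep the allowlist populated with the addresses you administer from: psad's own danger-level scoring does not know which source is you, and an attacker who can spoof packets from your management IP would otherwise get you to lock yourself out.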
