Configuration Strategies - penguinpowernz/scanban GitHub Wiki

This page covers things you can configure on the host to help scanban work better, but that are outside the scope of the scanban tool itself. It is highly recommended that you install the ipset package and use it: a single set lookup is far cheaper for the firewall than walking one iptables rule per banned address, so banning large numbers of IPs stays efficient. Keep in mind that neither ipsets nor iptables rules survive a reboot on their own; save them (ipset save, iptables-save) and restore the set before the rules that reference it, since a rule with --match-set fails to load if the set does not exist yet.

Tarpitting

Adapted from https://gist.github.com/flaviovs/103a0dbf62c67ff371ff75fc62fdded3; see that gist for a more complete explanation.

The iptables TARPIT target (provided by xtables-addons, not by stock iptables) is a useful security mechanism that can slow down or stop attacks on a network. Instead of dropping a TCP connection it accepts it and then holds it open with a zero window, tying up the attacker's resources rather than yours. If everyone used TARPIT to block attackers, in theory their resources would be exhausted as their connection attempts were delayed, which would discourage people from attempting unauthorized access. Two caveats: TARPIT only handles TCP (hence the -p tcp match and the separate DROP below), and tarpitted packets must bypass connection tracking (hence the NOTRACK rule in the raw table), otherwise every held-open connection also occupies an entry in your own conntrack table.

These are the steps to set up the tarpit chain. Packets carrying the mark skip connection tracking, and in INPUT they are sent to a BLACKLIST chain where TCP is tarpitted and everything else is dropped (on current iptables, -j NOTRACK is an alias for -j CT --notrack):

MARK=8
# marked packets bypass conntrack; the mark must be set earlier in raw PREROUTING
iptables -t raw -A PREROUTING -m mark --mark $MARK -j NOTRACK
iptables -N BLACKLIST
# TCP: hold the connection open (TARPIT target from xtables-addons)
iptables -A BLACKLIST -p tcp -j TARPIT
# anything else (UDP, ICMP, ...): plain drop
iptables -A BLACKLIST -j DROP
# first rule in INPUT so nothing earlier can ACCEPT a marked packet
iptables -I INPUT 1 -m mark --mark $MARK -j BLACKLIST

If you want to use ipset, which is strongly recommended, create the scanban set and mark every packet whose source is in it. The marking rule is inserted at the top of raw PREROUTING rather than appended, because rules are evaluated in order and the NOTRACK rule above only matches packets that already carry the mark; appending the marking rule after it would leave the mark unset when NOTRACK is evaluated:

MARK=8
ipset create scanban hash:ip
iptables -t raw -I PREROUTING 1 -m set --match-set scanban src -j MARK --set-mark $MARK

Then use these actions in scanban.toml to put IPs into, and take them out of, the tarpit. The commented-out lines show the equivalent without ipset, one raw-table rule per address; they are inserted ahead of the NOTRACK rule for the same ordering reason, and the mark value is written as a literal because a shell variable set in your session is not visible to the process that runs the action:

[actions]
# Without ipset: one rule per address, inserted before the NOTRACK rule
# tarpit = "iptables -t raw -I PREROUTING 1 --src $ip -j MARK --set-mark 8"
# untarpit = "iptables -t raw -D PREROUTING --src $ip -j MARK --set-mark 8"
tarpit = "ipset add scanban $ip"
untarpit = "ipset del scanban $ip"

Normal blocking using IP Set

If you do not want a tarpit, plain blocking with an ipset is still far more efficient than one iptables rule per address. Create the set and add a single rule that drops anything from an address in it. Insert the rule at the top of INPUT, or at least before any ACCEPT rules for the services you are protecting: if it is appended after a rule that accepts port 22, banned hosts still reach sshd.

ipset create scanban hash:ip
iptables -I INPUT 1 -m set --match-set scanban src -j DROP

Now reference the set from the actions section of scanban.toml:

[actions]
ipsetblock = "ipset add scanban $ip"
ipsetunblock = "ipset del scanban $ip"
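Both the tarpit and the plain-block actions above hand the offending address straight to a shell command. As an added example, not part of the scanban project, here is a small wrapper script that scanban could call instead of ipset directly: it checks that the argument is a plain dotted-quad IPv4 address before it ever reaches ipset (so a malformed or hostile string lifted from a log line cannot turn into extra command words), creates the set if it is missing, and uses ipset's -exist option so a repeated ban or unban is idempotent and safe to retry. The set name, the SCANBAN_SET override, the script path and the assumption that scanban substitutes $ip the way the examples on this page do are mine, not scanban's.

```shell
#!/bin/sh
# scanban-ipset: wrapper for scanban ban/unban actions.
# Added example, not part of scanban. Usage: scanban-ipset add|del <ipv4>
# Assumes the hash:ip set named "scanban" from this page; override with SCANBAN_SET.
set -u

SET_NAME="${SCANBAN_SET:-scanban}"

# Return 0 if $1 is a plain dotted-quad IPv4 address (four octets, 0-255, no
# leading zeros), otherwise 1. Whitespace, shell metacharacters, hostnames and
# IPv6 literals are all rejected before anything is passed to ipset.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1            # split on dots; only digits remain at this point
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*) return 1 ;; esac   # reject 01, 007, ... (octal-looking)
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the ipset command for an action without running it. -exist makes a
# repeated add (or a del of an address that is already gone) succeed.
ipset_cmd() {
    action=$1
    ip=$2
    if ! valid_ipv4 "$ip"; then
        echo "scanban-ipset: refusing non-IPv4 argument: $ip" >&2
        return 1
    fi
    case "$action" in
        add) echo "ipset -exist add $SET_NAME $ip" ;;
        del) echo "ipset -exist del $SET_NAME $ip" ;;
        *)   echo "scanban-ipset: unknown action: $action" >&2; return 1 ;;
    esac
}

# Validate, make sure the set exists, then run the command.
run_action() {
    if [ "$#" -ne 2 ]; then
        echo "usage: $0 add|del <ipv4>" >&2
        return 2
    fi
    cmd=$(ipset_cmd "$1" "$2") || return 1
    ipset -exist create "$SET_NAME" hash:ip
    set -- $cmd          # every word came from validated input, so splitting is safe
    "$@"
}

# Only dispatch when invoked with arguments, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
    run_action "$@"
fi
```

Install it somewhere such as /usr/local/sbin/scanban-ipset (a hypothetical path) and point the actions at it, for example tarpit = "/usr/local/sbin/scanban-ipset add $ip" and untarpit = "/usr/local/sbin/scanban-ipset del $ip"; the same wrapper serves the tarpit set and the plain DROP set because both are hash:ip sets named scanban.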