Brute-force and denial-of-service attacks are inter-related. Products are available for DDoS protection. Microsoft has also realized that these attacks do happen in practice and released a tool: Denial-of-Service and Brute Force Attacks Thwarted by Free Microsoft Software
IPTables is so far the best solution to this problem, or should I say could have been, if it had a function to send a signal or write to a pipe instead of --LOG, which only works well on an idle CPU. I wrote a Perl daemon that keeps track of incoming TCP connects and their hit frequency; here is a sub for SSH:
#!/usr/bin/perl
use strict;
use warnings;

# IPTables specific variables
my $IPT_DEV = "eth0";
my $IPT_FLOW = "INPUT";
my $IPT_PROTO = "tcp";
my $IPT_PORT = 22;                # SSH
my $IPT_FREQ = 30;                # Window in seconds for counting connection attempts
my $IPT_HITCNT = 4;               # Hit count during IPT_FREQ that triggers the action
my $IPT_ACTION = "DROP";
my $IPT_BAN_WINDOW = 600;         # Seconds a source stays blocked after its last hit
my $IPT_LOG_PREFIX = "--Brute_Force_Attack-- ";
my $IPT = "/sbin/iptables";
my $IPTSAVE = "/sbin/iptables-save";
my $IPTRESTORE = "/sbin/iptables-restore";
my $IPTFILEDIR = "/etc/sysconfig";
my $IPTFILE = "$IPTFILEDIR" . "/iptables.saved";
my $IPTLOGFILE = "/var/log/messages";

sub bf_iptables_init {
    # Every new SSH connection records its source address in the SSHBF list
    system("$IPT -A $IPT_FLOW -i $IPT_DEV -p $IPT_PROTO --dport $IPT_PORT -m state --state NEW -m recent --set --name SSHBF");
    # Log once a source reaches IPT_HITCNT new connections within IPT_FREQ seconds...
    system("$IPT -A $IPT_FLOW -i $IPT_DEV -p $IPT_PROTO --dport $IPT_PORT -m state --state NEW -m recent --update --seconds $IPT_FREQ --hitcount $IPT_HITCNT --rttl --name SSHBF -j LOG --log-prefix \"$IPT_LOG_PREFIX\"");
    # ...and apply IPT_ACTION to that attempt
    system("$IPT -A $IPT_FLOW -i $IPT_DEV -p $IPT_PROTO --dport $IPT_PORT -m state --state NEW -m recent --update --seconds $IPT_FREQ --hitcount $IPT_HITCNT --rttl --name SSHBF -j $IPT_ACTION");
    # Keep applying IPT_ACTION to a listed source for IPT_BAN_WINDOW seconds after its last hit.
    # The list holds source addresses, so check with --rsource (--rdest would compare the destination address and never match)
    system("$IPT -A $IPT_FLOW -i $IPT_DEV -p $IPT_PROTO -m recent --name SSHBF --rsource --rcheck --seconds $IPT_BAN_WINDOW -j $IPT_ACTION");
    # Save IPTables rules
    system("$IPTSAVE > $IPTFILE");
}
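The other half of such a daemon is the part that reads the log. As an added example (not the post's own daemon), here is how the user-space side would parse the syslog lines written by the -j LOG rule and track per-source hit frequency over the same 30-second / 4-hit window; the host name, addresses and log lines are constructed for the demo, and timestamps are reduced to seconds since midnight on the assumption that all lines come from one day.

```perl
#!/usr/bin/perl
# Added example, not the daemon from the post: the log-probing side of BFD.
# Parses the lines the "-j LOG" rule writes to syslog, keeps a per-source
# sliding window and reports sources reaching $IPT_HITCNT hits within $IPT_FREQ s.
use strict;
use warnings;
my $IPT_FREQ       = 30;   # window in seconds, same value as the rules
my $IPT_HITCNT     = 4;    # hits per window, same value as the rules
my $IPT_LOG_PREFIX = "--Brute_Force_Attack-- ";

# Parse one syslog line; returns (seconds since midnight, SRC, DPT), or the
# empty list if the line was not written by our LOG rule. Assumption for this
# demo: all lines come from the same day, so the date part is ignored.
sub parse_log_line {
    my ($line) = @_;
    return () unless $line =~ /^\w{3}\s+\d+\s+(\d\d):(\d\d):(\d\d)\s+\S+\s+kernel:.*\Q$IPT_LOG_PREFIX\E.*\bSRC=(\S+).*\bDPT=(\d+)/;
    return ($1 * 3600 + $2 * 60 + $3, $4, $5);
}
my %hits;   # source => timestamps of its hits inside the current window

# Record a hit and return 1 once the source has $IPT_HITCNT hits in the last
# $IPT_FREQ seconds: the point where the daemon would ban it locally and
# replicate the ban to peer firewalls.
sub record_hit {
    my ($t, $src) = @_;
    my $win = $hits{$src} ||= [];
    push @$win, $t;
    @$win = grep { $_ > $t - $IPT_FREQ } @$win;   # drop hits older than the window
    return @$win >= $IPT_HITCNT ? 1 : 0;
}

# Scan a batch of lines (what the daemon read since its last probe); returns
# source => time at which it first crossed the threshold.
sub scan_lines {
    my %banned;
    for my $line (@_) {
        my ($t, $src, $dport) = parse_log_line($line) or next;
        next unless $dport == 22;                     # SSH only, as in the rules
        $banned{$src} = $t if record_hit($t, $src) && !exists $banned{$src};
    }
    return %banned;
}

# Constructed sample: 203.0.113.7 connects every 2 s, 198.51.100.9 only once.
my @sample = map { "Mar  5 12:00:$_ bastion kernel: ${IPT_LOG_PREFIX}IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40$_ DPT=22 SYN" } qw(01 03 05 07);
push @sample, "Mar  5 12:00:02 bastion kernel: ${IPT_LOG_PREFIX}IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=4100 DPT=22 SYN",
              "Mar  5 12:00:08 bastion sshd[123]: unrelated syslog line, ignored by the parser";
my %banned = scan_lines(@sample);
print "ban $_ (threshold reached at t=$banned{$_})\n" for sort keys %banned;
```

Only 203.0.113.7 is reported, since 198.51.100.9 never reaches four hits inside the window; a real daemon would feed this from a tail of $IPTLOGFILE and handle day rollover.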
The problem with this approach is that the daemon constantly probes the log file(s), which has two issues:
1- It consumes CPU cycles to an unwanted extent in busy environments.
2- There is some probability of missing an event (I am not sure how high), and a delay even when the event is not missed.
There should be a distributed system where the entry for a blocked host on one system is replicated to all other servers, or triggers the peer firewalls.
Suggested Techniques:
1- Patch the IPTables core to trigger an ADDITIONAL soft interrupt instead of "--LOG"; the BFD daemon receives the interrupt.
OR
2- Patch the IPTables core to raise a custom-defined SIGNAL instead of "--LOG"; I would prefer that.
OR
3- Patch the IPTables core to write to an exported SHM (shared memory) space for BFD to read from; better and more efficient than reading through text log files.
OR
4- Patch the IPTables core to write to an async FIFO/pipe that BFD reads from; the slowest option, but still better than reading the log file.
Patching will be required since IPTables does not support any of the above mechanisms.