In case you want to ban IP addresses based on Suricata fast.log, here is the fail2ban filter you need:

[INCLUDES]
before = common.conf

[DEFAULT]
_daemon = suricata

[Definition]
datepattern = ^%%m/%%d/%%Y-%%H:%%M:%%S
failregex = <HOST>:[0-9]* ->
ignoreregex =
In the jail configuration, I suggest you change the default blocktype from REJECT to DROP.
Edit 2023-03-24: you may want to use the action iptables-ipset-proto6-allports, which leverages ipset. It will make your iptables rules much more readable and, according to some sources, faster. Just edit your jail.conf and replace the default banaction_allports entry with iptables-ipset-proto6-allports, or explicitly mention iptables-ipset-proto6-allports in the jail configuration of suricata, like so:

[suricata]
enabled = true
filter = suricata
logpath = /var/log/suricata/fast.log
findtime = 3h
action = iptables-ipset-proto6-allports
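To check what the filter and jail above will actually do against your own fast.log before enabling them, the following added example (not part of the original post) re-implements the filter's failregex and datepattern in Python and replays sample log lines through a simplified version of fail2ban's findtime/maxretry counting. The sample lines are constructed, the maxretry value of 3 is an assumption (fail2ban's default is 5 unless your jail sets it), and the <HOST> expansion is a plain IPv4 pattern rather than fail2ban's full one.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The filter's "failregex = <HOST>:[0-9]* ->" with <HOST> expanded to a
# simplified IPv4 capture group (assumption: fail2ban's real <HOST> is wider).
FAIL_RE = re.compile(r"(?P<host>(?:\d{1,3}\.){3}\d{1,3}):[0-9]* ->")

# The filter's "datepattern = ^%%m/%%d/%%Y-%%H:%%M:%%S" as a regex + strptime format.
DATE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2})")
DATE_FMT = "%m/%d/%Y-%H:%M:%S"

FINDTIME = timedelta(hours=3)  # findtime = 3h from the jail above
MAXRETRY = 3                   # assumed value; set it to whatever your jail uses

# Constructed fast.log lines (sid 1000001 is a placeholder, not a real rule).
SAMPLE_FAST_LOG = """\
03/24/2023-10:15:32.123456  [**] [1:1000001:1] TEST constructed alert [**] [Classification: Test] [Priority: 2] {TCP} 203.0.113.7:51234 -> 192.0.2.10:80
03/24/2023-10:16:01.000001  [**] [1:1000001:1] TEST constructed alert [**] [Classification: Test] [Priority: 2] {TCP} 203.0.113.7:51240 -> 192.0.2.10:80
03/24/2023-11:02:45.555555  [**] [1:1000001:1] TEST constructed alert [**] [Classification: Test] [Priority: 2] {TCP} 203.0.113.7:51300 -> 192.0.2.10:80
03/24/2023-10:20:00.000000  [**] [1:1000001:1] TEST constructed alert [**] [Classification: Test] [Priority: 2] {TCP} 198.51.100.9:44444 -> 192.0.2.10:22
03/24/2023-14:30:00.000000  [**] [1:1000001:1] TEST constructed alert [**] [Classification: Test] [Priority: 2] {TCP} 198.51.100.9:44445 -> 192.0.2.10:22
03/24/2023-14:31:00.000000  [**] [1:1000001:1] TEST constructed alert [**] [Classification: Test] [Priority: 2] {TCP} 198.51.100.9:44446 -> 192.0.2.10:22
not a fast.log line
"""


def parse_line(line):
    """Return (timestamp, source_ip) for a matching fast.log line, else None.

    Both the datepattern and the failregex must match, exactly as fail2ban
    requires before it counts a line as a failure.
    """
    d = DATE_RE.match(line)
    m = FAIL_RE.search(line)
    if not d or not m:
        return None
    return datetime.strptime(d.group(1), DATE_FMT), m.group("host")


def bans(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Simplified fail2ban counting: an IP is banned once it accumulates
    maxretry matches whose timestamps all fall within one findtime window.
    Returns the set of IPs that would be banned."""
    recent = defaultdict(list)
    banned = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # ignoreregex is empty, so only non-matching lines are skipped
        ts, ip = parsed
        # Drop hits older than findtime relative to this hit, then add it.
        window = [t for t in recent[ip] if ts - t <= findtime]
        window.append(ts)
        recent[ip] = window
        if len(window) >= maxretry:
            banned.add(ip)
    return banned


if __name__ == "__main__":
    print(bans(SAMPLE_FAST_LOG.splitlines()))
```

In the sample, 203.0.113.7 triggers three alerts within an hour and is banned; 198.51.100.9 also has three alerts, but the first one is more than 3h before the other two, so it never reaches maxretry inside a single findtime window. That is the behaviour to keep in mind when picking findtime for a noisy IDS feed: a long window bans slow scanners at the cost of more state, a short one only catches bursts.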
If you want to match both input and forwarded traffic, you can have multiple actions. However, each one needs a distinct name, like so:

[suricata]
enabled = true
filter = suricata
logpath = /var/log/suricata/fast.log
findtime = 3h
action = %(banaction_allports)s[actname="suricata_i", chain="INPUT"]
         %(banaction_allports)s[actname="suricata_f", chain="FORWARD"]
Edit 2023-03-24: what follows is the initial text; I prefer using ipset to the approach below.

You should also create a custom action to apply to all protocols and ports:

[INCLUDES]
before = iptables-common.conf

[Definition]
actionstart = <iptables> -N f2b-<name>
              <iptables> -A f2b-<name> -j <returntype>
              <iptables> -I <chain> -j f2b-<name>
actionstop = <iptables> -D <chain> -j f2b-<name>
             <actionflush>
             <iptables> -X f2b-<name>
actioncheck = <iptables> -n -L <chain> | grep -q 'f2b-<name>[ \t]'
actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>

[Init]
You should now be all set to block all the IP addresses that Suricata finds.