Use ipsets for cool off period

roles/firewall/defaults/main.yaml

@@ -46,6 +46,8 @@ firewall_limit_ssh_hitcount: 10
 firewall_bogon_interface: "{{ ansible_default_ipv4.interface }}"
 
 # ipset's
+firewall_ipset_scanner_timeout: 600
+
 firewall_ipset_blacklist: {}
 
 firewall_ipset_mgmt: {}

roles/firewall/templates/ip6tables.j2

@@ -17,7 +17,8 @@
 -N LIMIT_SSH
 -A LIMIT_SSH -m recent --set --name SSH --rsource
 -A LIMIT_SSH -m recent --update --seconds {{ firewall_limit_ssh_seconds }} --hitcount {{ firewall_limit_ssh_hitcount }} --name SSH --rsource -m limit --limit {{ firewall_log_limit }} --limit-burst {{ firewall_log_limit_burst }} -j LOG --log-prefix "[iptables SSH BRUTE] " --log-level info
--A LIMIT_SSH -p tcp -m tcp -m recent --update --seconds {{ firewall_limit_ssh_seconds }} --hitcount {{ firewall_limit_ssh_hitcount}} --name SSH --rsource -m comment --comment "rate limit ssh 22/tcp6" -j REJECT --reject-with tcp-reset
+-A LIMIT_SSH -p tcp -m tcp -m recent --update --seconds {{ firewall_limit_ssh_seconds }} --hitcount {{ firewall_limit_ssh_hitcount }} --name SSH --rsource -j SET --add-set cooloff_v6 src
+-A LIMIT_SSH -p tcp -m tcp -m set --match-set cooloff_v6 src -m comment --comment "rate limit ssh 22/tcp" -j REJECT --reject-with tcp-reset
 -A LIMIT_SSH -j ACCEPT
 {% endif %}
 

roles/firewall/templates/ipset.v4.j2

@@ -1,5 +1,5 @@
-{% macro render_ipset(ipset, name, type="hash:net", family="inet") %}
-create {{ name }} {{ type | default('hash:net') }} family {{ family }} counters -exist
+{% macro render_ipset(ipset, name, type="hash:net", family="inet", timeout=None) %}
+create {{ name }} {{ type | default('hash:net') }} family {{ family }} counters {% if timeout %}timeout {{ timeout }}{% endif %} -exist
 flush {{ name }}
 {% for ip_or_net in ipset | default([]) %}
 add {{ name }} {{ ip_or_net }}
@@ -11,3 +11,5 @@ add {{ name }} {{ ip_or_net }}
 {{ render_ipset(firewall_ipset_blacklist.v4, 'blacklist_v4') }}
 
 {{ render_ipset(firewall_ipset_bogons.v4, 'bogons_v4') }}
+
+{{ render_ipset([], 'cooloff_v4', type="hash:ip", timeout=firewall_ipset_scanner_timeout) }}

roles/firewall/templates/ipset.v6.j2

@@ -1,5 +1,5 @@
-{% macro render_ipset(ipset, name, type="hash:net", family="inet6") %}
-create {{ name }} {{ type | default('hash:net') }} family {{ family }} counters -exist
+{% macro render_ipset(ipset, name, type="hash:net", family="inet6", timeout=None) %}
+create {{ name }} {{ type | default('hash:net') }} family {{ family }} counters {% if timeout %}timeout {{ timeout }}{% endif %} -exist
 flush {{ name }}
 {% for ip_or_net in ipset | default([]) %}
 add {{ name }} {{ ip_or_net }}
@@ -11,3 +11,5 @@ add {{ name }} {{ ip_or_net }}
 {{ render_ipset(firewall_ipset_blacklist.v6, 'blacklist_v6') }}
 
 {{ render_ipset(firewall_ipset_bogons.v6, 'bogons_v6') }}
+
+{{ render_ipset([], 'cooloff_v6', type="hash:ip", timeout=firewall_ipset_scanner_timeout) }}

roles/firewall/templates/iptables.j2

@@ -17,7 +17,8 @@
 -N LIMIT_SSH
 -A LIMIT_SSH -m recent --set --name SSH --rsource
 -A LIMIT_SSH -m recent --update --seconds {{ firewall_limit_ssh_seconds }} --hitcount {{ firewall_limit_ssh_hitcount }} --name SSH --rsource -m limit --limit {{ firewall_log_limit }} --limit-burst {{ firewall_log_limit_burst }} -j LOG --log-prefix "[iptables SSH BRUTE] " --log-level info
--A LIMIT_SSH -p tcp -m tcp -m recent --update --seconds {{ firewall_limit_ssh_seconds }} --hitcount {{ firewall_limit_ssh_hitcount }} --name SSH --rsource -m comment --comment "rate limit ssh 22/tcp" -j REJECT --reject-with tcp-reset
+-A LIMIT_SSH -p tcp -m tcp -m recent --update --seconds {{ firewall_limit_ssh_seconds }} --hitcount {{ firewall_limit_ssh_hitcount }} --name SSH --rsource -j SET --add-set cooloff_v4 src
+-A LIMIT_SSH -p tcp -m tcp -m set --match-set cooloff_v4 src -m comment --comment "rate limit ssh 22/tcp" -j REJECT --reject-with tcp-reset
 -A LIMIT_SSH -j ACCEPT
 {% endif %}