hytanium
Member Candidate
Topic Author
Posts: 201
Joined: Thu Jan 18, 2007 9:10 pm

Blocking traffic based on too many attempts

Fri Jan 08, 2010 1:56 pm

I have noticed in my logs continuous connection attempts using pptp to my core network. How would I detect too many failed attempts and then block them??
 
sergejs
MikroTik Support
Posts: 6697
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: Blocking traffic based on too many attempts

Fri Jan 08, 2010 4:39 pm

It is not possible to block specific failed attempts (let's say, block after 10 unsuccessful PPTP logins).
 
hytanium
Member Candidate
Topic Author
Posts: 201
Joined: Thu Jan 18, 2007 9:10 pm

Re: Blocking traffic based on too many attempts

Fri Jan 08, 2010 4:55 pm

Is there not a way to add their IP to an address list based on the type of information in the log?

This is the message I see in our logs:

09:26:42 pptp,ppp,info <pptp-0>: waiting for call...
09:26:42 pptp,ppp,info <pptp-0>: terminating... - cntrl message too big
09:26:42 pptp,ppp,info <pptp-0>: disconnected
09:27:50 pptp,info TCP connection established from 71.195.57.178
09:27:50 pptp,ppp,info <pptp-0>: waiting for call...
09:27:50 pptp,ppp,info <pptp-0>: terminating... - cntrl message too big
09:27:50 pptp,ppp,info <pptp-0>: disconnected
09:28:53 pptp,info TCP connection established from 71.195.57.178
09:28:53 pptp,ppp,info <pptp-0>: waiting for call...
09:28:53 pptp,ppp,info <pptp-0>: terminating... - cntrl message too big
09:28:53 pptp,ppp,info <pptp-0>: disconnected
09:29:59 pptp,info TCP connection established from 71.195.57.178
09:29:59 pptp,ppp,info <pptp-0>: waiting for call...
 
roadracer96
Forum Veteran
Posts: 736
Joined: Tue Aug 25, 2009 12:01 am

Re: Blocking traffic based on too many attempts

Fri Jan 08, 2010 6:01 pm

I set it to allow a certain connection rate from an IP, then move said IP up to an address list that restricts it further, then to an address list that blocks it for an hour.

Not with PPTP, but with SSH connections. Same diff, though. It doesn't know if the attempt failed, but if it was successful, you aren't going to have 10 new connections per minute.
 
hytanium
Member Candidate
Topic Author
Posts: 201
Joined: Thu Jan 18, 2007 9:10 pm

Re: Blocking traffic based on too many attempts

Fri Jan 08, 2010 6:15 pm

Would you mind posting the rule for that?
 
XTLMeth
Frequent Visitor
Posts: 57
Joined: Mon Sep 07, 2009 7:10 am

Re: Blocking traffic based on too many attempts

Fri Jan 08, 2010 6:47 pm

add action=accept chain=input comment="SSH to box from everywhere." connection-state=new disabled=no dst-address=216.161.237.201 dst-port=22 in-interface=e1_Wan limit=2/1m,0 protocol=tcp


---->> limit=2/1m

This limits it to 2 new connections per 60 seconds. Keeps scripties from hammering my SSH.
 
hytanium
Member Candidate
Topic Author
Posts: 201
Joined: Thu Jan 18, 2007 9:10 pm

Re: Blocking traffic based on too many attempts

Fri Jan 08, 2010 6:57 pm

Sweet! Thanks!
 
roadracer96
Forum Veteran
Posts: 736
Joined: Tue Aug 25, 2009 12:01 am

Re: Blocking traffic based on too many attempts

Fri Jan 08, 2010 7:05 pm

I jump based on dest address to different chains for each server; that's what the www-in is. It is really a forward, but could be an input. I "team" the rules together for each service so all of my servers that use SSH are subject to the same blocking/limiting.

add action=jump chain=forward comment="***Drop Allow2block***" disabled=no in-interface=ether1 jump-target=drop src-address-list=allow2block
add action=jump chain=input comment="" disabled=no in-interface=ether1 jump-target=drop src-address-list=allow2block
add action=jump chain=www-in comment="" connection-state=new disabled=no dst-port=22 jump-target=allow2blocklist protocol=tcp
add action=accept chain=allow2blocklist comment=";;;;;;ALLOW 2 BLOCK" disabled=yes
add action=accept chain=allow2blocklist comment="" disabled=no limit=10/1m,20
add action=add-src-to-address-list address-list=allow2block address-list-timeout=1d chain=allow2blocklist comment="" disabled=no
add action=jump chain=allow2blocklist comment="" disabled=no jump-target=drop
add action=log chain=drop comment="" disabled=no log-prefix=""
add action=drop chain=drop comment="" disabled=no

This allows 10 new connections per minute for SSH, then adds them to a 1-day block list that blocks ALL services. When someone is SSHing in that many times, they are malicious and I don't care if they can access my systems at all.
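The thread's answer counts new connections per minute rather than failed logins, because the firewall never sees the login result. As an added example (not code from any poster), this Python applies the same counting offline to the log format hytanium pasted: it picks out the "TCP connection established from" lines, flags any source that opens more than N new connections inside a sliding window, and emits the RouterOS address-list commands that would put it on roadracer96's allow2block list with his 1d timeout. The sample log is constructed, and the sliding window is an approximation of the RouterOS limit matcher, which is a token bucket.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the format of the thread's log excerpt (HH:MM:SS, topics, message).
SAMPLE_LOG = """\
09:26:42 pptp,info TCP connection established from 71.195.57.178
09:26:42 pptp,ppp,info <pptp-0>: terminating... - cntrl message too big
09:27:50 pptp,info TCP connection established from 71.195.57.178
09:28:53 pptp,info TCP connection established from 71.195.57.178
09:29:59 pptp,info TCP connection established from 71.195.57.178
09:30:10 pptp,info TCP connection established from 203.0.113.5
"""
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}) (\S+) (.*)$")
CONN_RE = re.compile(r"TCP connection established from (\d{1,3}(?:\.\d{1,3}){3})")

def parse_connections(log_text):
    """Return [(time, src_ip)] for each new PPTP control connection (time of day only, so split captures at midnight)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, topics, msg = m.groups()
        conn = CONN_RE.search(msg)
        if "pptp" in topics.split(",") and conn:
            events.append((datetime.strptime(ts, "%H:%M:%S"), conn.group(1)))
    return events

def find_offenders(events, max_new, window_seconds):
    """Map src_ip -> HH:MM:SS of the first connection that exceeded max_new new connections
    within window_seconds. Like the limit matcher, this cannot tell failed logins from good ones."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # per-source timestamps still inside the window
    offenders = {}
    for ts, ip in sorted(events):
        q = recent[ip]
        while q and ts - q[0] > window:
            q.popleft()
        q.append(ts)
        if len(q) > max_new and ip not in offenders:
            offenders[ip] = ts.strftime("%H:%M:%S")
    return offenders

def address_list_commands(offenders, list_name="allow2block", timeout="1d"):
    """RouterOS commands that put each offender on the address list the thread's drop rules consult."""
    return [f'/ip firewall address-list add list={list_name} address={ip} timeout={timeout} '
            f'comment="pptp connection flood first seen {seen}"' for ip, seen in sorted(offenders.items())]
```

Run it against a saved `/log print` export; with the posted rules in place, the router's own limit matcher does the live equivalent and this script is only for reviewing history.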