Hi All,
OK, not really a script, but I thought it may be in the same flavour. I created this Dynamic Blacklist firewall rule set that counts excessive connection attempts from the same IP within a given time frame and eventually blocks them for X number of days. I was initially going to put in a geo-fence for service brute forcers, but I found this to be quite effective instead and not limited to geographic attackers. Basically it will start counting any IP you send it via the port/protocol parameters in the first jump rule. You can have more than one jump feeding into the list from different chains.
This example is set up to guard SSH for multiple connection attempts. The timeouts can be changed to suit your needs, but this will block any IP that averages 3 connection attempts within 5 mins.
/ip firewall filter
add chain=forward action=jump jump-target=dynamic_blacklist protocol=tcp dst-port=22 log=no log-prefix="" comment="Check intruders in \"dynamic_blacklist\" chain"
add chain=dynamic_blacklist action=drop src-address-list=bl_blacklist log=no log-prefix="DYNAMIC BLACKLIST IP" comment="drop brute forcers" disabled=no
add chain=dynamic_blacklist action=add-src-to-address-list connection-state=new src-address-list=bl_stage3 address-list=bl_blacklist address-list-timeout=5d log=no log-prefix="" comment="stage3 -> blacklist for 5 days"
add chain=dynamic_blacklist action=add-src-to-address-list connection-state=new src-address-list=bl_stage2 address-list=bl_stage3 address-list-timeout=5m log=no log-prefix="" comment="stage2 -> stage3 (5 min window)"
add chain=dynamic_blacklist action=add-src-to-address-list connection-state=new src-address-list=bl_stage1 address-list=bl_stage2 address-list-timeout=7m log=no log-prefix="" comment="stage1 -> stage2 (7 min window)"
add chain=dynamic_blacklist action=add-src-to-address-list connection-state=new address-list=bl_stage1 in-interface-list=WAN address-list-timeout=10m log=no log-prefix="" comment="first new connection from WAN -> stage1 (10 min window)"
add chain=dynamic_blacklist action=return log=no log-prefix="" comment="Return to the chain that jumped into dynamic_blacklist chain" disabled=no
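To see how quickly a given pattern of attempts reaches bl_blacklist with the timeouts above, here is a small Python model of the dynamic_blacklist chain. This is an added example, not part of the original post or of RouterOS. It assumes RouterOS semantics that are not spelled out in the post: add-src-to-address-list is a passthrough action (evaluation continues with the next rule), re-adding an address that is already in a dynamic list refreshes its timeout, and drop terminates evaluation. The IP address and attempt timings are constructed sample input.

```python
"""Model of the staged dynamic-blacklist chain from the post (added example, not RouterOS code)."""

MIN = 60
DAY = 86400

# address-list-timeout values exactly as in the posted rules
TIMEOUTS = {
    "bl_stage1": 10 * MIN,
    "bl_stage2": 7 * MIN,
    "bl_stage3": 5 * MIN,
    "bl_blacklist": 5 * DAY,
}


class AddressLists:
    """Dynamic address lists: list name -> {ip: expiry time in seconds}."""

    def __init__(self):
        self.lists = {name: {} for name in TIMEOUTS}

    def expire(self, now):
        # Drop every entry whose timeout has elapsed at time `now`.
        for entries in self.lists.values():
            for ip in [ip for ip, exp in entries.items() if exp <= now]:
                del entries[ip]

    def contains(self, name, ip):
        return ip in self.lists[name]

    def add(self, name, ip, now):
        # Assumption: re-adding an existing dynamic entry refreshes its timeout.
        self.lists[name][ip] = now + TIMEOUTS[name]


def evaluate(lists, ip, now, from_wan=True):
    """Run one new-connection packet from `ip` through the chain at time `now`.

    Rules are applied in the posted order; each add-src-to-address-list is
    modelled as passthrough (assumption), so a source climbs at most one
    stage per packet. Returns 'drop' or 'return'.
    """
    lists.expire(now)
    if lists.contains("bl_blacklist", ip):
        return "drop"                                  # drop brute forcers
    if lists.contains("bl_stage3", ip):
        lists.add("bl_blacklist", ip, now)             # stage3 -> blacklist 5d
    if lists.contains("bl_stage2", ip):
        lists.add("bl_stage3", ip, now)                # stage2 -> stage3 5m
    if lists.contains("bl_stage1", ip):
        lists.add("bl_stage2", ip, now)                # stage1 -> stage2 7m
    if from_wan:
        lists.add("bl_stage1", ip, now)                # WAN -> stage1 10m
    return "return"                                    # back to the jumping chain


def simulate(attempt_times, ip="198.51.100.7"):
    """Verdict for each new-connection attempt (times in seconds, ascending)."""
    lists = AddressLists()
    return [evaluate(lists, ip, t) for t in attempt_times]


def first_dropped_attempt(attempt_times, ip="198.51.100.7"):
    """Index of the first attempt that is dropped, or None if never blocked."""
    verdicts = simulate(attempt_times, ip)
    return next((i for i, v in enumerate(verdicts) if v == "drop"), None)


if __name__ == "__main__":
    # Constructed sample: four attempts one minute apart, then a fifth shortly after.
    print(simulate([0, 60, 120, 180, 200]))
    # Constructed sample: attempts six minutes apart never chain through all stages.
    print(first_dropped_attempt([0, 6 * MIN, 12 * MIN, 18 * MIN, 24 * MIN, 30 * MIN]))
```

Running it shows that a source making four new connections within the stage windows is blacklisted on the fourth attempt and dropped from the fifth onward, stays dropped until the 5-day timeout expires, and that a source pacing its attempts more slowly than the stage timeouts is never promoted to bl_blacklist. Changing the TIMEOUTS values lets you check a different tuning before loading it on the router.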