Hello,
I am building a filter rule that’s based on the Stage 1, Stage 2, Stage 3 RDP Brute Force BlackList dynamic that is widely found on the internet, but I am adding 3 BlackLists afterwards, not just 1. They are a 1 day, 1 month and a permanent ban. I am getting up to the 1 month ban with no issues but if I enable the permanent ban Filter Rule (which is the last one), I seem to trigger both (1 day and permanent ban) of them at the same time. Can you please shed some light on this issue? Here is my Filter setup:
add action=add-src-to-address-list address-list=blacklist_1d \
    address-list-timeout=1d chain=forward comment=\
    RDP_BlackList_1d connection-state=new dst-port=3389 log=\
    yes protocol=tcp src-address-list=stage3
add action=add-src-to-address-list address-list=stage3 \
    address-list-timeout=1m chain=forward comment=\
    RDP_Stage_3 connection-state=new dst-port=3389 log=yes \
    protocol=tcp src-address-list=stage2
add action=add-src-to-address-list address-list=stage2 \
    address-list-timeout=1m chain=forward comment=\
    RDP_Stage_2 connection-state=new dst-port=3389 log=yes \
    protocol=tcp src-address-list=stage1
add chain=forward comment=RDP_IP_Whitelist connection-state=\
    new dst-port=3389 log=yes protocol=tcp src-address-list=\
    RDP_Whitelist_IP
add action=add-src-to-address-list address-list=stage1 \
    address-list-timeout=1m chain=forward comment=\
    RDP_Stage_1 connection-state=new dst-port=3389 log=yes \
    protocol=tcp
Thanks in advance for your help!
Juan
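
A small model of how one source address moves through the rules posted above, added here as an illustration and not part of the original post. It assumes that add-src-to-address-list does not stop rule processing and that a list entry added by one rule is visible to the rules below it for the same packet; the sample address and the `process`/`simulate` names are made up for the example.

```python
# Model of top-down filter evaluation for new TCP/3389 connections.
# Assumptions (not from the post): add-src-to-address-list is non-terminating,
# and an entry added by one rule is visible to later rules for the same packet.
# Timeouts are in seconds (RouterOS 1m = 1 minute, 1d = 1 day).
MIN, DAY = 60, 86400

# (comment, required src-address-list or None, list to add to or None, timeout)
POSTED = [
    ("RDP_BlackList_1d", "stage3", "blacklist_1d", DAY),
    ("RDP_Stage_3", "stage2", "stage3", MIN),
    ("RDP_Stage_2", "stage1", "stage2", MIN),
    ("RDP_IP_Whitelist", "RDP_Whitelist_IP", None, 0),  # default action accept
    ("RDP_Stage_1", None, "stage1", MIN),
]

def process(rules, lists, src, now):
    """Run one new connection through the rules; return comments of rules hit."""
    hit = []
    for comment, need, add_to, timeout in rules:
        if need is not None and lists.get((need, src), 0) <= now:
            continue  # source not on the required list, or the entry expired
        hit.append(comment)
        if add_to is None:
            break  # accept ends processing for this packet
        # Model simplification: a re-add gives the entry a fresh timeout.
        lists[(add_to, src)] = now + timeout
    return hit

def simulate(rules, src, times, static=()):
    """Feed connections at the given times; static holds permanent list entries."""
    lists = {(name, ip): float("inf") for name, ip in static}
    return [process(rules, lists, src, t) for t in times]

if __name__ == "__main__":
    ip = "192.0.2.10"  # constructed sample address
    for label, rules in (("posted order", POSTED), ("reversed", POSTED[::-1])):
        print(label)
        for t, hit in zip((0, 5, 10, 15), simulate(rules, ip, (0, 5, 10, 15))):
            print(f"  t={t:>2}s {hit}")
```

In the posted order the source advances one stage per new connection, while in the reversed order a single connection matches every stage at once, which is the effect to look for when a rule that reads a list sits below the rule that fills it.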