I am trying to set up a hotspot, but would like to block users (mac-addresses) who keep connecting and trying to log in.
I know I could set up a progressive set of address-lists (like the ssh_blacklist example), but I need suggestions
on how to add the users to the blacklists in the first place.
One idea would be to detect a user's first HTTP SYN packet and add him to stage-3 if on stage-2, to stage-2 if on stage-1, and to stage-1 if not on any list or on the whitelist. Allow anyone who is on the whitelist. Block any user who is on stage-3 from connecting at all.
Add a user to a whitelist if successfully authenticated (longish timeout).
Have a script to remove users from stage-3 if they are on the whitelist.
Is this workable? Any better ideas?
I know that real attackers could fudge their mac-addresses, so next I'd need a way to detect an overall high rate of incoming hotspot connections and maybe then rate-limit access overall (this is really for a small family-type setup, so no high usage is envisioned in the first place).
Has anyone done this before?
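The staged address-list scheme described in the post, sketched in RouterOS firewall syntax as an added example (not the poster's or MikroTik's own configuration). The hotspot interface name hotspot1, the hs_* list names and the timeouts are assumptions; note that add-src-to-address-list records the client's source IP, not its MAC address.

```routeros
# Staged address lists for hotspot login attempts, adapted from the
# ssh_blacklist pattern. Assumed: hotspot interface "hotspot1", list names
# hs_*, and the timeouts (tune them). Entries are keyed on the client's
# source IP, not its MAC address.

/ip firewall mangle
# Mangle prerouting sees the client's first HTTP SYN before the hotspot's
# dst-nat rewrites the destination port, so dst-port=80 still matches.
# Rules run top down; add-src-to-address-list does not stop evaluation,
# so a client already on a lower stage is also refreshed there.
add chain=prerouting in-interface=hotspot1 src-address-list=hs_whitelist \
    action=accept comment="authenticated client: no staging"
add chain=prerouting in-interface=hotspot1 protocol=tcp dst-port=80 \
    connection-state=new src-address-list=hs_stage2 \
    action=add-src-to-address-list address-list=hs_stage3 \
    address-list-timeout=1h comment="third unauthenticated attempt"
add chain=prerouting in-interface=hotspot1 protocol=tcp dst-port=80 \
    connection-state=new src-address-list=hs_stage1 \
    action=add-src-to-address-list address-list=hs_stage2 \
    address-list-timeout=10m comment="second unauthenticated attempt"
add chain=prerouting in-interface=hotspot1 protocol=tcp dst-port=80 \
    connection-state=new \
    action=add-src-to-address-list address-list=hs_stage1 \
    address-list-timeout=10m comment="first unauthenticated attempt"

/ip firewall raw
# Stage-3 clients are dropped before connection tracking, so they cannot
# connect at all until the hs_stage3 entry times out or is removed. The
# connection that earned stage-3 is itself cut off from its next packet on.
add chain=prerouting in-interface=hotspot1 src-address-list=hs_stage3 \
    action=drop comment="repeat offenders"

# Hotspot user profile on-login script (set it as the profile's on-login
# script; $address is the hotspot script variable holding the client's IP).
# Whitelists the client on successful authentication and clears any
# stage-3 entry it earned on the way in.
:if ([:len [/ip firewall address-list find list=hs_whitelist address=$address]] = 0) do={
    /ip firewall address-list add list=hs_whitelist address=$address timeout=1d
}
/ip firewall address-list remove [find list=hs_stage3 address=$address]
```

A single page load can open several HTTP connections, each of which counts as a new attempt in the mangle rules above, so the stage counts are per connection rather than per login; widen the stage-1 and stage-2 timeouts or add a stage before blocking if that proves too aggressive.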