I have some firewall filter rules to limit login attempts on an FTP server behind the router. The rules are
Code:
add action=drop chain=forward comment="drop FTP bruteforcers" dst-port=21 \
protocol=tcp src-address-list=ftp_blacklist
add action=add-dst-to-address-list address-list=ftp_blacklist \
address-list-timeout=1w chain=forward comment="FTP bruteforcers to list" \
content="530 Login incorrect" dst-address-list=ftp_2nd_fail protocol=tcp
add action=add-dst-to-address-list address-list=ftp_2nd_fail \
address-list-timeout=1w chain=forward content="530 Login incorrect" \
dst-address-list=ftp_1st_fail protocol=tcp
add action=add-dst-to-address-list address-list=ftp_1st_fail \
address-list-timeout=1w chain=forward content="530 Login incorrect" \
protocol=tcp
I mean, when there is a first incorrect login, the destination IP is added to the ftp_1st_fail address list, but when the same IP tries another login and fails, this IP is added to ftp_2nd_fail, but also to ftp_1st_fail again, meaning the timeout is reset to 1 week.
Why is that, and how, if possible, can I prevent this from happening?
Thank you.
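As an added example (not part of the original post, and not a MikroTik-supplied configuration): the same four rules, with the first-stage rule changed so that it only fires for clients that are not yet in ftp_1st_fail, using the RouterOS negated address-list matcher (`!`). It also adds `src-port=21`, an assumption not in the post, so the content match is only evaluated on replies coming from the FTP server rather than on every forwarded TCP packet.

```routeros
/ip firewall filter

# Drop traffic to the FTP server from clients that have been blacklisted.
add chain=forward action=drop protocol=tcp dst-port=21 \
    src-address-list=ftp_blacklist comment="drop FTP bruteforcers"

# Third failed login (client already in ftp_2nd_fail): blacklist the client.
# add-dst-to-address-list does not stop rule processing, so the rules below
# are still evaluated for the same packet.
add chain=forward action=add-dst-to-address-list address-list=ftp_blacklist \
    address-list-timeout=1w protocol=tcp src-port=21 \
    content="530 Login incorrect" dst-address-list=ftp_2nd_fail \
    comment="FTP bruteforcers to list"

# Second failed login (client in ftp_1st_fail): promote to ftp_2nd_fail.
add chain=forward action=add-dst-to-address-list address-list=ftp_2nd_fail \
    address-list-timeout=1w protocol=tcp src-port=21 \
    content="530 Login incorrect" dst-address-list=ftp_1st_fail \
    comment="FTP 2nd failure"

# First failed login: add to ftp_1st_fail ONLY if the client is not already
# in that list. The "!" negates the list match, so the second and third
# failures no longer re-add the entry and reset its 1w timeout.
add chain=forward action=add-dst-to-address-list address-list=ftp_1st_fail \
    address-list-timeout=1w protocol=tcp src-port=21 \
    content="530 Login incorrect" dst-address-list=!ftp_1st_fail \
    comment="FTP 1st failure"
```

The behaviour described in the post comes from the fact that add-dst-to-address-list is a pass-through action: a packet that matches the ftp_2nd_fail rule is still checked against the rule below it, which in the original set matches any "530 Login incorrect" reply and therefore re-adds the client to ftp_1st_fail. The negated matcher removes that second match. One limit of this approach: a rule can carry only one dst-address-list matcher, so on the third failure the ftp_2nd_fail rule still matches once alongside the blacklist rule and refreshes that entry; after that the drop rule blocks the client's packets to port 21, so the server produces no further replies for it. To watch the timeouts while testing, use `/ip firewall address-list print where list=ftp_1st_fail`.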