Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    how to get IP Attacker into the blocklist

    Scheduled Pinned Locked Moved IDS/IPS
    50 Posts 9 Posters 8.4k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • E
      ezvink @bmeeks
      last edited by

      @bmeeks
      I've tried option 1 but still the port forward that I made doesn't work and the attacker can't even connect to the webserver, is there something wrong with the port forward that I made? (192.168.3.5) is the IP of the webserver.
      16dcba2d-a3e3-4431-b221-817404385f14-image.png
      410ab346-55bd-4330-9fc9-b01332bdb5e6-image.png

      and I've also tried option 2, I've made a passlist and the IP I input is ip 192.168.18.0/24(wan ip) 192.168.3.0/24(webserver ip) but that also doesn't work sir, and when I look at the view list IP 172.16.1.0/24(attacker) is still registered even though I've changed it to a passlist that I created
      105dddc9-64dc-472c-83cd-46730f2c0609-image.png
      f72faadf-fcbd-4606-94dc-2bcbb07c3e62-image.png
      5b100888-b38b-4f23-8a01-b969db90b92a-image.png

      Cool_CoronaC 1 Reply Last reply Reply Quote 0
      • Cool_CoronaC
        Cool_Corona @ezvink
        last edited by

        @ezvink Youre doing it wrong...

        As I said you need to use WAN address as destination and HTTP as protocol.

        Not 192.168.3.5

        And redirect to 192.168.3.5 using HTTP

        E 1 Reply Last reply Reply Quote 0
        • E
          ezvink @Cool_Corona
          last edited by

          @cool_corona said in how to get IP Attacker into the blocklist:

          As I said you need to use WAN address as destination and HTTP as protocol.
          Not 192.168.3.5
          And redirect to 192.168.3.5 using HTTP

          I have also done that, sir, for destination I use "wan address" and redirect "192.168.3.5" but it still works, sir.

          I saw a tutorial on youtube, that the firewall settings from the ISP also had an effect, he set the firewall on the ISP webgui he was using to low so that permission to portforward could be done. does it affect me using a virtual machine? what i watch is he uses pfsense hardware sir and mikrotik

          johnpozJ 1 Reply Last reply Reply Quote 0
          • johnpozJ
            johnpoz LAYER 8 Global Moderator @ezvink
            last edited by johnpoz

            @ezvink what are the rules on your wan? Out of the box rfc1918 is blocked, so you could port forward all day long and it would never work if the source is rfc1918. Which it is in your setup.

            edit:
            Also, what IP are you sending your traffic too? Once you setup the port forward, your traffic you send from your hping will be to the pfsense wan ip, not the 3.5 server behind pfsense.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            E 1 Reply Last reply Reply Quote 0
            • bmeeksB
              bmeeks
              last edited by

              @ezvink :
              Go read the official pfSense documentation here for instructions on configuring a port forward: https://docs.netgate.com/pfsense/en/latest/nat/port-forwards.html. As @Cool_Corona mentioned, you are doing it incorrectly.

              And as @johnpoz stated, be sure that you are not blocking RFC1918 addresses on the WAN interface for this test. You configure that on the bottom of the page from the pfSense menu INTERFACES > WAN.

              1 Reply Last reply Reply Quote 0
              • E
                ezvink @johnpoz
                last edited by

                @johnpoz
                I left this setting by default sir, so which one should I uncheck? both of them?
                6d083f98-1e28-4347-b535-113461da93fb-image.png

                1 Reply Last reply Reply Quote 0
                • E
                  ezvink
                  last edited by

                  I use port forward like this, and the attacker can access the web server using the same network "bridge adapter" as the pfsense WAN adapter.
                  but when i try to ping the webserver ip it can't, because my portforward setting is TCP not ICMP. it's like that right sir?

                  Well, but when I tried to attack the webserver's ip address, there was no warning that appeared on Suricata, what do you think is the problem, sir?
                  f4c9be55-d833-429d-9ad0-985b92ba7221-image.png
                  7dbb38b1-baa7-4fb0-bef0-b5b1fea5bf16-image.png
                  b24d36bd-e6d9-4898-8b2e-8e8fbe8d1c54-image.png

                  johnpozJ 1 Reply Last reply Reply Quote 0
                  • johnpozJ
                    johnpoz LAYER 8 Global Moderator @ezvink
                    last edited by

                    @ezvink dude just take the F, there is no way you pass this "exam" ;)

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                    E 1 Reply Last reply Reply Quote 1
                    • E
                      ezvink @johnpoz
                      last edited by

                      @johnpoz
                      Isn't this forum to help those in trouble, right, sir?

                      johnpozJ E 2 Replies Last reply Reply Quote 0
                      • johnpozJ
                        johnpoz LAYER 8 Global Moderator @ezvink
                        last edited by johnpoz

                        @ezvink we have been trying for what weeks.

                        You are asked if you are blocking rfc1918, and where to turn it off - but then you ask which one to check. Which one of those do you think blocks rfc1918? Do you think you have any need to block bogon? How would bogon be source into your wan on a specific network?

                        Your rule you posted clearly states TCP, but then you ask if your sending icmp? How would we know your the one using hping.. How did your rule trigger before if you were sending icmp?

                        Asked to see your wan rules - no posting..

                        Did you modify ips to listen on the wan port now?

                        Your passlist shows 192.168.18/24 - did you remove that?

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.8, 24.11

                        E 1 Reply Last reply Reply Quote 0
                        • E
                          ezvink @johnpoz
                          last edited by

                          @johnpoz
                          like this sir my wan settings
                          1ba97f91-6a0f-48e6-aac0-76d634c4d403-image.png
                          8abe589d-466a-4f7c-84e7-429e59c97191-image.png
                          eabdd700-2510-48ac-b248-1854469a29de-image.png

                          1 Reply Last reply Reply Quote 0
                          • E
                            ezvink @ezvink
                            last edited by

                            @ezvink
                            on ips I only add opt1(webserver) interface only
                            I also didn't delete it, I left it the default sir

                            P 1 Reply Last reply Reply Quote 0
                            • P
                              Patch @ezvink
                              last edited by

                              @ezvink If you want some one to do your assignment for you then just pay some one to do it.
                              If you want to learn to be an IT professional then learn how to do research and test systems your self.

                              @johnpoz said in how to get IP Attacker into the blocklist:

                              dude just take the F, there is no way you pass this "exam" ;)

                              agree

                              @ezvink said in how to get IP Attacker into the blocklist:

                              Isn't this forum to help those in trouble, right, sir?

                              The forum is not here to do your assignment for you.

                              You may not like the honest assistance you have received however if you want technical ability rather then just a grade for an assignment you are not doing, then it is actually more valuable than the many technical pointers you have been given.

                              1 Reply Last reply Reply Quote 1
                              • E
                                ezvink @bmeeks
                                last edited by

                                @bmeeks
                                Thank you sir, because of your suggestion the project I am working on can run well. thanks again sorry if i confused you

                                GertjanG 1 Reply Last reply Reply Quote 0
                                • GertjanG
                                  Gertjan @ezvink
                                  last edited by

                                  @ezvink

                                  Before attacking, finish first the basic setup.
                                  I mean, this :
                                  280752bf-fc28-46a5-9ebc-57bf45fe5329-image.png

                                  is not done any more.
                                  http over port 80 is something of the past, as all traffic passes very visible over the internet. That the opposite of 'security'.
                                  Google, for example, won't index http sites any more. Browsers start to show warnings when http is used.
                                  The solution has been found a decade ago : use https over port 443.
                                  So, add a new NAT rules, same settings as the "port 80 rule", but now you use port 443.
                                  And do not forget to tell apache2 that it should listen port 443 also.
                                  And consider disabling port 80 (http) functionality all together - and if you do, ditch the port 80 pfSense NAT rule.

                                  When done, you can start thinking about 'security'.
                                  One of the best starting points would be : leave the /var/www/html/ folder empty, just keep the index.html file and don't edit it.
                                  Do not install "PHP" (Java, whatever) as this would open up a whole new set of angle of attacks.

                                  No "help me" PM's please. Use the forum, the community will thank you.
                                  Edit : and where are the logs ??

                                  1 Reply Last reply Reply Quote 0
                                  • First post
                                    Last post
                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.