How to get a win app to tell Pfsense to block an ip?
-
Is it possible to have Pfsense check Windows Security log on a regular interval and see if someone has had to main failed logins, and if so block the IP automatically?
I know that i am getting in to IDS, but I am just after a simple system that can detect if someone is trying a brute force attack on RDP port, and if one IP have to many failed logins in a short time the IP would be blocked automatically.
-
After thinking on this for some time, i have concluded with that the best way to goahead with this is to create a "pfsensor" that are running as a service on the servers that I want to monitor. And if this "pfsensor" detects to many failed logins it sends a command to pfsense to block an IP.
So how would i get this app to tell PFsense to block an ip?
could i use a quick rule like -> Block 1.2.3.4 on wan ? -
It's tricky but not impossible, and not something I'd generally recommend.
If you have the dashboard package (or 2.0) installed, look at the "easyrule" code. You could script a process with a tool like wget that would login to the router and query that page with the right parameters which would add an alias/rule for blocked hosts.
-
If it is not recommended, is there any other way to solve this problem?
-
Not really, it's about the only way to do something like that.
In general, relying on external inputs to dynamically control firewall rules for arbitrary hosts is asking for trouble.
If something is worth protecting that much, control its access further and only make it available via VPN.
-
Good point jimp, thanks for your answers. ;D
Guess I have to force some clients on to VPN I Guess.