How to *TOTALLY* block an ip that shows in firewall logs as blocked?
-
Hi Everyone,
I get attacks that come from the same IPs to different ports. Is there any way that I can simply drop ALL packets from an IP regardless of what port/protocol they use after they are logged as blocked in my firewall? Basically, the package would continuously check the firewall logs and see if an IP was ever blocked for any port, and if it was, then drop any future packets from that IP to ANY port.
Thanks,
-
I don't know of anything that would do that. Snort might get you close. It won't watch the logs, but it will monitor inbound traffic and if it matches hacking attempts, it will block it for a user defined period of time (includes perma-blocking).
-
Pfblocker?
-
pfBlocker assumes you are going to set up the blocks and does not auto-set any block rules based on logs.
-
I get attacks that come from the same IPs to different ports. Is there any way that I can simply drop ALL packets from an IP regardless of what port/protocol they use after they are logged as blocked in my firewall?
If you create a rule with a connection limit (advanced options) and an IP reaches this limit, it will be included in the pfSense tables and get blocked for two hours.
-
Trying to understand what you want to do. So you see IP address 1.2.3.4 come in on port 456; this hits your default block and is logged.
So now you want to have a rule auto-created so that if 1.2.3.4 then tries, say, an open port 80, it would be blocked, or if it hits, say, port 789 (not open), it wouldn't get logged in the default block and would just be blocked without logging it?
Other than not logging, is the goal here that you don't want the IP to be able to find your open ports if it has hit you on a closed port before?
-
You'll create massive problems if you do as described. Any proper stateful firewall is going to block some out-of-state traffic on occasion, so that would leave you blocking lots of legit things people on your network are accessing. Going further and doing log analysis and blocking only, say, TCP SYNs would be a more reliable way of doing that, but not really all that useful. Not to mention the possibility of self-imposed DoS from someone sending you a slew of fake-sourced traffic.
-
I agree with cmb … that is why you have things like snort ... and even pfblocker ... you block known scan attempts and with pfblocker, you can block known spammers ... (which I just recently found it can do).
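As an added illustration of the log-analysis approach cmb sketches above (this is example code written for this page, not anything from pfSense, Snort or pfBlocker), the script below reads firewall block entries and flags only sources that sent SYN-only TCP packets to several distinct ports, while ignoring blocked ACK/FIN/RST packets (the out-of-state traffic from legitimate sessions that makes naive "block anything ever logged" rules misfire), skipping UDP, and never listing sources inside exempt networks. The log layout, the sample lines, the RFC 1918 exemption list, the three-port threshold and the pf table name are all assumptions made for the example; the format is a simplified one, not pfSense's actual filterlog layout.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample log in a simplified comma-separated layout chosen for this
# example (NOT pfSense's real filterlog format). Fields:
# timestamp,action,proto,src_ip,src_port,dst_ip,dst_port,tcp_flags
SAMPLE_LOG = """\
2024-01-01T10:00:01,block,tcp,203.0.113.7,51234,192.0.2.10,22,S
2024-01-01T10:00:02,block,tcp,203.0.113.7,51235,192.0.2.10,23,S
2024-01-01T10:00:03,block,tcp,203.0.113.7,51236,192.0.2.10,3389,S
2024-01-01T10:00:04,block,tcp,203.0.113.7,51237,192.0.2.10,445,S
2024-01-01T10:00:05,block,tcp,198.51.100.4,443,192.0.2.10,50001,A
2024-01-01T10:00:06,block,tcp,198.51.100.4,443,192.0.2.10,50001,FA
2024-01-01T10:00:07,block,udp,198.51.100.9,53,192.0.2.10,40000,
2024-01-01T10:00:08,block,tcp,192.168.1.50,40000,192.0.2.10,80,S
2024-01-01T10:00:09,block,tcp,198.51.100.20,40001,192.0.2.10,80,S
"""

# Sources inside these networks are never flagged. RFC 1918 ranges are an
# assumed default; a real deployment would carry its own allowlist here.
DEFAULT_EXEMPT = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class LogEntry:
    action: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


def parse_line(line: str) -> Optional[LogEntry]:
    """Parse one log line; return None for blank or malformed lines."""
    fields = line.strip().split(",")
    if len(fields) != 8:
        return None
    _ts, action, proto, src, sport, dst, dport, flags = fields
    try:
        ipaddress.ip_address(src)  # reject garbage before it reaches a table
        return LogEntry(action, proto.lower(), src, int(sport),
                        dst, int(dport), flags.upper())
    except ValueError:
        return None


def parse_log(text: str) -> list:
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e is not None]


def is_exempt(ip: str, exempt_nets=DEFAULT_EXEMPT) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in exempt_nets)


def candidate_sources(entries, min_ports: int = 3, exempt_nets=DEFAULT_EXEMPT) -> dict:
    """Return {src_ip: sorted distinct dst ports} for sources whose blocked
    SYN-only TCP packets reached at least min_ports distinct ports.

    Only flags == "S" counts: a blocked ACK, FIN or RST is usually a stale or
    out-of-state packet from a legitimate session, exactly the traffic cmb
    warns about. UDP is skipped because it has no handshake to separate a
    probe from a late reply, and exempt networks are never flagged.
    """
    ports = defaultdict(set)
    for e in entries:
        if e.action != "block" or e.proto != "tcp" or e.flags != "S":
            continue
        if is_exempt(e.src, exempt_nets):
            continue
        ports[e.src].add(e.dport)
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def pfctl_commands(candidates: dict, table: str = "EXAMPLE_BLOCK_TABLE") -> list:
    """Render the pfctl invocations that would add each flagged source to a pf
    table. The table name is a placeholder; commands are returned as strings
    for review, not executed."""
    return [f"pfctl -t {table} -T add {src}" for src in sorted(candidates)]


if __name__ == "__main__":
    found = candidate_sources(parse_log(SAMPLE_LOG))
    for src, p in found.items():
        print(f"{src}: SYN-only packets to {len(p)} blocked ports {p}")
    for cmd in pfctl_commands(found):
        print(cmd)
```

On the sample above only 203.0.113.7 is flagged: 198.51.100.4 only sent out-of-state ACK/FIN packets, the UDP source is skipped, 192.168.1.50 is exempt, and 198.51.100.20 touched a single port. The threshold is what keeps a single spoofed SYN from getting an innocent address listed, which is the self-inflicted DoS cmb mentions; raising it, and keeping the exemption list current, is the trade-off to tune before wiring the output to a real table.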