Netgate Discussion Forum
    Is Snort the right tool for the job?

    IDS/IPS
    rkelleyrtp

      Greetings all,

      Looking for some advice.  I am running pfSense 2.2.6 on a data center firewall protecting our hosted web servers.  Recently, we have been asked to allow SFTP connectivity to these servers for remote file management.  To that end, I have created some NAT connections on the WAN side pointing to some of the internal servers.  For example, I have a NAT rule redirecting external port 41250 to an internal host on port 32001 (SFTP server running on a non-standard port).  So far, so good.

      I now need a way to protect the NAT connections from DDoS/abusers in the wild.  Essentially, I need a tool that will watch for incoming connections on a range of ports (i.e. 41250-42250) and block remote IPs if we get excessive traffic (i.e. 5 connection attempts in 10 seconds).  These could be temporary or permanent depending on how many failures occur during a given time period.  I could do something similar with iptables and fail2ban, but I want these connections terminated as close to the firewall as possible.

      After doing some research, it appears Snort might be the tool for the job.  Thus, my questions:

      • Is Snort the right tool for the job?  If not, which tool would work best under pfSense?

      • Assuming Snort is the right tool, what kind of custom rule(s) need to be created to make this happen?  An example would be great.

      Thanks in advance…

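The blocking policy the post describes (watch ports 41250-42250, count connection attempts per source IP in a sliding 10-second window, block a source temporarily on the 5th attempt and permanently once it has earned enough blocks) is small enough to state precisely in code. The block below is an added example written for this page; it is not code from pfSense, Snort or the poster. The port range, window and 5-attempt threshold come from the post; the temporary block length, the number of strikes that turns a block permanent, the class and function names and the one-line log format it parses are all assumptions, and the log lines are constructed for the example.

```python
"""Sliding-window connection-attempt limiter for a watched port range.
Added example (not pfSense or Snort code).  Range, window and threshold
follow the post; TEMP_BLOCK_SECONDS and PERMANENT_AFTER are assumptions."""
from collections import defaultdict, deque
import math

PORT_LOW, PORT_HIGH = 41250, 42250   # inclusive range named in the post
WINDOW_SECONDS = 10                  # "5 connection attempts in 10 seconds"
MAX_ATTEMPTS = 5
TEMP_BLOCK_SECONDS = 600             # assumed length of a temporary block
PERMANENT_AFTER = 3                  # assumed: third temporary block becomes permanent


class ConnectionLimiter:
    def __init__(self):
        self.recent = defaultdict(deque)   # src -> attempt timestamps inside the window
        self.strikes = defaultdict(int)    # src -> temporary blocks earned so far
        self.blocked_until = {}            # src -> epoch seconds; math.inf = permanent

    def is_blocked(self, src, now):
        expiry = self.blocked_until.get(src)
        if expiry is None:
            return False
        if expiry > now:
            return True
        del self.blocked_until[src]        # temporary block has expired, forget it
        return False

    def observe(self, ts, src, dst_port):
        """Record one inbound connection attempt and return the verdict for it."""
        if not PORT_LOW <= dst_port <= PORT_HIGH:
            return "ignore"                # not a watched port
        if self.is_blocked(src, ts):
            return "drop"                  # source is already blocked
        window = self.recent[src]
        window.append(ts)
        while ts - window[0] >= WINDOW_SECONDS:
            window.popleft()               # discard attempts that fell out of the window
        if len(window) < MAX_ATTEMPTS:
            return "allow"
        # Threshold reached inside the window: block, escalating on repeat offenders.
        window.clear()
        self.strikes[src] += 1
        if self.strikes[src] >= PERMANENT_AFTER:
            self.blocked_until[src] = math.inf
            return "block-permanent"
        self.blocked_until[src] = ts + TEMP_BLOCK_SECONDS
        return "block-temporary"


def parse_line(line):
    """Parse one constructed log line of the form '<epoch-seconds> <src-ip> <dst-port>'."""
    ts, src, port = line.split()
    return float(ts), src, int(port)


def run(lines, limiter=None):
    """Feed log lines through a limiter; return [(src, verdict), ...] and the limiter."""
    limiter = limiter or ConnectionLimiter()
    verdicts = [(src, limiter.observe(ts, src, port))
                for ts, src, port in map(parse_line, lines)]
    return verdicts, limiter


# Constructed sample: one legitimate client (203.0.113.5) and one scanner
# (198.51.100.7) hammering the SFTP range, plus an attempt outside the range.
SAMPLE_LOG = """\
1000.0 203.0.113.5 41250
1001.0 198.51.100.7 41250
1002.0 198.51.100.7 41251
1003.0 198.51.100.7 41252
1004.0 198.51.100.7 41253
1005.0 198.51.100.7 41254
1006.0 198.51.100.7 41255
1007.0 198.51.100.7 22
1020.0 203.0.113.5 41300
1040.0 203.0.113.5 41300
""".splitlines()

if __name__ == "__main__":
    for src, verdict in run(SAMPLE_LOG)[0]:
        print(f"{src:15} {verdict}")
```

Two points the code makes that the prose leaves implicit: the window must be evaluated per source and per attempt (a fixed 10-second bucket would let a source split 5 attempts across a boundary), and the escalation from temporary to permanent needs state that outlives the block itself, which is why `strikes` is kept separately from `blocked_until`. For reference, Snort 2.9 expresses the same per-source threshold with the `detection_filter: track by_src, count 5, seconds 10;` rule option on a rule matching the port range, and pfSense firewall rules also have an advanced "Max. new connections / per second" option that puts offenders in the `virusprot` table; which of those fits depends on whether the poster wants inspection or only rate limiting.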
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.