4. Is Snort the right tool for the job?

Is Snort the right tool for the job?

  • R

    Greetings all,

    Looking for some advice.  I am running pfSense 2.2.6 on a data center firewall protecting our hosted web servers.  Recently, we have been asked to allow SFTP connectivity to these servers for remote file management.  To that end, I have created some NAT connections on the WAN side pointing to some of the internal servers.  For example, I have a NAT rule redirecting external port 41250 to an internal host on port 32001 (SFTP server running on non-standard port).  So far, so good.

    I now need a way to protect the NAT connections from DDOS/abusers in the wild.  Essentially, I need a tool that will watch for incoming connections on a range of ports (ie: 41250-42250) and block remote IPs if we get excessive traffic (ie: 5 connection attempts in 10seconds).  These could be temporary or permanent depending on how many failures occur during a given time period.  I could do something similar with iptables and fail2ban, but I want these connections terminated as close to the firewall as possible.

    After doing some research, it appears Snort might be the tool for the job.  Thus, my questions:

    • Is Snort the right tool for the job?  If not, which tool would work best under pfSense?

    • Assuming Snort is the right tool, what kind of custom rule(s) need to be created to make this happen?  An example would be great.

    Thanks in advance…

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2019 Rubicon Communications, LLC | Privacy Policy