Is Snort the right tool for the job?
Greetings all,
Looking for some advice. I am running pfSense 2.2.6 on a data center firewall protecting our hosted web servers. Recently, we have been asked to allow SFTP connectivity to these servers for remote file management. To that end, I have created some NAT connections on the WAN side pointing to some of the internal servers. For example, I have a NAT rule redirecting external port 41250 to an internal host on port 32001 (SFTP server running on non-standard port). So far, so good.
I now need a way to protect the NAT connections from DDoS/abusers in the wild. Essentially, I need a tool that will watch for incoming connections on a range of ports (i.e. 41250-42250) and block remote IPs if we get excessive traffic (i.e. 5 connection attempts in 10 seconds). These could be temporary or permanent depending on how many failures occur during a given time period. I could do something similar with iptables and fail2ban, but I want these connections terminated as close to the firewall as possible.
After doing some research, it appears Snort might be the tool for the job. Thus, my questions:
- Is Snort the right tool for the job? If not, which tool would work best under pfSense?
- Assuming Snort is the right tool, what kind of custom rule(s) need to be created to make this happen? An example would be great.
Thanks in advance…
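As an added illustration of the rate-based rule the post asks about (not from the original poster or the pfSense project), here is a Snort 2.x custom rule that fires when one source sends 5 TCP connection attempts to the NAT'd port range within 10 seconds; it assumes the usual $EXTERNAL_NET/$HOME_NET variables on the WAN interface and that SID 1000001 is unused locally.

```snort
# Constructed example for a pfSense WAN Snort instance (not from the post).
# On the WAN interface Snort sees the pre-NAT destination port, so the rule
# matches the external range 41250:42250, not the internal SFTP port 32001.
# flags:S with flow:stateless counts bare SYNs, i.e. connection attempts,
# rather than established-session traffic.
# detection_filter tracks the rate per source IP and only lets the rule
# generate an event once that source exceeds the rate (count 5 / seconds 10
# is the threshold described in the post; tune both to taste).
# Assumed SID 1000001 is in the local-rules range and not already taken.
alert tcp $EXTERNAL_NET any -> $HOME_NET 41250:42250 ( \
    msg:"LOCAL SFTP NAT range - excessive connection attempts from one source"; \
    flow:stateless; \
    flags:S; \
    detection_filter:track by_src, count 5, seconds 10; \
    classtype:attempted-recon; \
    sid:1000001; rev:1; \
)
```

With the pfSense Snort package, enabling "Block Offenders" on the WAN interface turns this alert into a pf-level block of the offending source (the snort2c table), and the "Remove Blocked Hosts Interval" setting decides how long the block lasts.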