    Is it possible to have Snort auto-block any public IP on my WAN interface that tries to connect on certain ports (21, 22, 25, etc.)? Sort of like a honeypot. I want them auto-blocked for a certain time period if they try a standard port.

    Are these ports OPEN, i.e. do you forward these ports to something behind pfSense?

    If you want to block ANY public IP, what is the point of having the port open in the first place? If the port is not forwarded then it's blocked out of the box anyway, etc.

  • I have some RDP port forwarding (not on 3389) going on and I'd like to block anyone that network-scans my WAN. If they try connecting on various ports (22, 25, 443, 80, etc.), I'd like them blocked immediately.

  • You can do that with Suricata in Legacy mode (I'm sure Snort uses the same methodology since the filter table is named after Snort, but I've never tried it with Snort). Although it would not be a simple thing to set up. Not that it's hard to set up, but definitely not 'click here and you're all set'.

    Search the forums for "Suricata blueprint" and you should find a long thread with some information.

  • Sounds like a good way to denial-of-service yourself. I'm blocking about 20 packets per second from all kinds of different IP addresses. That's potentially 1.7 million IPs per day. Not sure how unique they are, but looking at a small slice of time, they're very unique.

    Having RDP open to the public on any port - why?? Just VPN in, for gosh sake.

    So your goal is to block someone from finding your open ports by blocking them before they get to the open ones on a port scan??

    How about just not having that port open to the public if it's so insecure ;) VPN into your network when you need to use insecure stuff like RDP.
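The two points raised above, that a Suricata/Snort Legacy-mode setup can push scanning sources into a block table for a period of time, and that an unbounded auto-block list fed by tens of packets per second becomes a self-inflicted denial of service, can be seen together in the following added example. It is not code from this thread, from pfSense, or from the Suricata/Snort packages: it models the "block for a certain time period" logic outside the firewall by reading Suricata EVE JSON alert lines (the sample lines are constructed, using documentation address ranges), keeping only TCP alerts from non-internal sources aimed at the watched ports, and maintaining a block list with a TTL and a hard entry cap. The watched-port set, the TTL, the cap, and the `LOCAL_NETS` exclusion list are assumptions for illustration; hooking the resulting list into the pf table is left out.

```python
import ipaddress
import json
from collections import OrderedDict

# Ports the original question names; a TCP alert aimed at any of them counts as probing.
WATCHED_PORTS = {21, 22, 25, 80, 443}

# Addresses that must never land in the block list (so you cannot block yourself).
# Assumed minimal set: RFC1918, loopback, link-local. Extend as needed.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed Suricata EVE JSON lines (not captured traffic): two alerts from one
# source on watched ports, one alert on an unwatched port, one alert from a private
# address, and one non-alert flow record.
SAMPLE_EVE_LINES = [
    '{"event_type":"alert","src_ip":"198.51.100.7","src_port":51000,"dest_ip":"203.0.113.10","dest_port":22,"proto":"TCP","alert":{"signature":"probe","severity":3}}',
    '{"event_type":"alert","src_ip":"198.51.100.7","src_port":51001,"dest_ip":"203.0.113.10","dest_port":25,"proto":"TCP","alert":{"signature":"probe","severity":3}}',
    '{"event_type":"alert","src_ip":"192.0.2.9","src_port":40000,"dest_ip":"203.0.113.10","dest_port":3389,"proto":"TCP","alert":{"signature":"probe","severity":3}}',
    '{"event_type":"alert","src_ip":"10.0.0.5","src_port":40001,"dest_ip":"203.0.113.10","dest_port":22,"proto":"TCP","alert":{"signature":"probe","severity":3}}',
    '{"event_type":"flow","src_ip":"192.0.2.9","dest_ip":"203.0.113.10","dest_port":22,"proto":"TCP"}',
]


def probing_source(line, watched_ports=WATCHED_PORTS):
    """Return the source IP if the EVE line is a TCP alert from a non-internal
    address aimed at a watched port; otherwise return None."""
    try:
        ev = json.loads(line)
    except json.JSONDecodeError:
        return None
    if ev.get("event_type") != "alert" or ev.get("proto") != "TCP":
        return None
    if ev.get("dest_port") not in watched_ports:
        return None
    try:
        src = ipaddress.ip_address(ev.get("src_ip", ""))
    except ValueError:
        return None
    if any(src in net for net in LOCAL_NETS):
        return None
    return str(src)


class TimedBlockList:
    """Block entries with an expiry time. When the cap is reached the oldest entry
    is evicted, so a scan flood cannot grow the table without bound."""

    def __init__(self, ttl_seconds=3600, max_entries=10000):
        self.ttl = ttl_seconds
        self.max_entries = max_entries
        self._expiry = OrderedDict()  # ip -> expiry timestamp, oldest first

    def add(self, ip, now):
        if ip in self._expiry:
            self._expiry.move_to_end(ip)      # a repeat hit refreshes the timer
        self._expiry[ip] = now + self.ttl
        while len(self._expiry) > self.max_entries:
            self._expiry.popitem(last=False)  # evict oldest

    def expire(self, now):
        """Drop entries whose time is up; return the IPs removed."""
        removed = [ip for ip, t in self._expiry.items() if t <= now]
        for ip in removed:
            del self._expiry[ip]
        return removed

    def is_blocked(self, ip, now):
        t = self._expiry.get(ip)
        return t is not None and t > now

    def __len__(self):
        return len(self._expiry)


def feed(lines, blocklist, now):
    """Run EVE lines through the filter and block list; return IPs newly blocked."""
    added = []
    for line in lines:
        ip = probing_source(line)
        if ip is None:
            continue
        if not blocklist.is_blocked(ip, now):
            added.append(ip)
        blocklist.add(ip, now)
    return added


if __name__ == "__main__":
    bl = TimedBlockList(ttl_seconds=600, max_entries=1000)
    print("newly blocked:", feed(SAMPLE_EVE_LINES, bl, now=1000.0))
    print("still blocked at +500s:", bl.is_blocked("198.51.100.7", 1500.0))
    print("expired at +601s:", bl.expire(1601.0))
```

The cap is the part that answers the self-DoS objection: with a finite table, a scanner cycling through many source addresses only ages out the oldest blocks rather than exhausting the firewall's table or memory, and the TTL means a blocked address is released without manual cleanup.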

