Suggestion on snort please. (SOLVED)

  • Hello friends.
    I am getting a lot of random incoming connections trying to get into my home network, and pfSense is dropping all of them. Can Snort be configured like fail2ban, e.g. "IF 2 failed connection attempts from IP: XX.XX.XX.XX, block it for xx HR/DAY"?
    Is there another package available to do this task? As far as I can see, there is no fail2ban package.

  • Snort actually passes off blocking to the firewall, so if pfSense is already blocking the offenders as you say, what's the point of something like fail2ban? How would two blocks help in this case?

    Tools such as fail2ban are for hosts that are generally forced to take incoming connections in order to do their job. Think a mail server. It pretty much has to take any incoming SMTP request in order to route mail. Now, if you have a malicious client repeatedly making SMTP connections to your mail server, then something like fail2ban is useful as it will stop that malicious host but not others.

    Your case is quite different according to your explanation. You have a host attempting to make a connection to you and pfSense is blocking the attempt. That's all you need. Fail2ban would just be redundant and not afford you anything additional.

  • Hi bmeeks
    Thank you for the response. Indeed, pfSense is doing its job great.
    I'm clear about the scenario now.