automate blocking of active attacker ips
-
I've been searching for a good solution for our situation and haven't found one, so wanted to ask if I have just overlooked something. In short, I am looking for a way to automate rapid blocking (and eventual unblocking) of ip addresses from an external point, e.g. some form of api or remote blocklist config.
I am aware of both url table aliases and pfBlockerNG's ability to download blocklists - those are not timely enough, they operate on days and hours respectively, and I need something to be effective within minutes (or preferably seconds).
The origin of the ip addresses is a botnet that is attacking our remote access servers. I set up some tcp connection rate limiting/blocking in suricata, which does help. But to keep those thresholds high enough to avoid matching legitimate users I think we're currently at 45 connections/60 seconds to trigger a block - and you can send quite a few login attempts over each https connection, so we're still seeing a lot of really obvious login attempts going on. I'd like to collect the ip addrs of these failures via syslog and automatically block them after maybe 5 failures or so. I can't just write a suricata rule for it because suricata only sees TLS traffic, it has no visibility into the failures vs. legit traffic.
As for ideas on how to implement this, I wonder about using the ip reputation list in suricata, or maybe a firewall table, and either scp that list over, or maybe use shell scripting to add/remove entries. My main concern/question is performance when doing that, e.g. is forcing a firewall filter reload (however that happens, to be determined), or triggering suricata to reload the ip reputation list, several times per minute going to be disruptive?
One solution that I think would be about perfect is using the upcoming crowdsec package. I'm a little hesitant to use it in the current state though (because it breaks during pfsense update, and config isn't backed up with the pfsense config), but will definitely keep an eye on it.
I am additionally looking into more blocklists within pfBlockerNG which might catch some more of these attempts.
Any comments on the above or additional ideas would be appreciated.
Thanks,
Jesse
-
Learn to use this built-in FreeBSD utility: https://man.freebsd.org/cgi/man.cgi?pfctl.
Use another custom method to parse logs and find the IP address you want to block, then use the pfctl utility to insert that IP address into either the snort2cpf table, or create your own custom alias and make a rule target for blocking IP addresses added to that table.
-
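As an added illustration of the approach the two posts above describe (not code from either poster or from pfSense/Netgate): count failed-login source addresses from syslog lines, and push any address that reaches the threshold into a pf table with `pfctl -t <table> -T add`, which changes the table in the kernel directly and does not require a filter reload (that is what makes it cheap to run every few seconds, as the original question asks). The log line format, the table name `botnet_block` (which you would create as a pfSense alias and reference from a block rule) and the 5-failure/1-hour values are constructed assumptions for this example; the real appliance's log format will differ. The script defaults to a dry run that only prints the `pfctl` commands.

```shell
#!/bin/sh
# Added example, not from the thread. Parse failed logins out of syslog text,
# and block repeat offenders via a pf table using pfctl (no filter reload needed).
# Assumptions (constructed for this example): the log format below, the table
# name "botnet_block", THRESHOLD=5 failures and EXPIRE_SECONDS=3600 for auto-unblock.

THRESHOLD=5
TABLE="botnet_block"
EXPIRE_SECONDS=3600       # entries older than this are dropped by "pfctl -T expire"
DRY_RUN="${DRY_RUN:-1}"   # default: only print pfctl commands; set DRY_RUN=0 on the firewall

# Constructed sample syslog lines (a real remote-access appliance logs differently).
SAMPLE_LOG='Mar 10 09:00:01 ras1 auth: login failed user=admin src=203.0.113.10
Mar 10 09:00:02 ras1 auth: login failed user=root src=203.0.113.10
Mar 10 09:00:02 ras1 auth: login failed user=test src=198.51.100.7
Mar 10 09:00:03 ras1 auth: login failed user=guest src=203.0.113.10
Mar 10 09:00:04 ras1 auth: login ok user=jsmith src=192.0.2.44
Mar 10 09:00:05 ras1 auth: login failed user=oracle src=203.0.113.10
Mar 10 09:00:06 ras1 auth: login failed user=admin src=203.0.113.10'

# offenders: read log lines on stdin, print (sorted, one per line) every src=
# address that appears in at least THRESHOLD "login failed" lines.
offenders() {
    awk -v t="$THRESHOLD" '
        /login failed/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^src=/) { split($i, kv, "="); count[kv[2]]++ }
        }
        END { for (ip in count) if (count[ip] >= t) print ip }
    ' | sort
}

# is_ipv4: accept only a plain dotted-quad literal, so raw log text can never
# reach the pfctl command line (the log is attacker-influenced input).
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# run_or_echo: print the command in dry-run mode, otherwise execute it.
run_or_echo() {
    if [ "$DRY_RUN" = "1" ]; then echo "$1"; else $1; fi
}

# block_ip: add one validated address to the pf table (live kernel table update).
block_ip() {
    is_ipv4 "$1" || return 1
    run_or_echo "pfctl -t $TABLE -T add $1"
}

# expire_old: the "eventual unblocking" part; pf tracks when each entry was
# last modified and drops entries older than EXPIRE_SECONDS.
expire_old() {
    run_or_echo "pfctl -t $TABLE -T expire $EXPIRE_SECONDS"
}

# Demo run on the constructed sample; in production, feed real syslog output
# (e.g. from the syslog receiver) into "offenders" on a short timer.
printf '%s\n' "$SAMPLE_LOG" | offenders | while read -r ip; do
    block_ip "$ip"
done
expire_old
```

Note that only the awk filter knows the log format, so adapting it to the real appliance's messages is a one-line change; everything after that stays the same. Checking what is currently blocked is `pfctl -t botnet_block -T show`, and a single manual unblock is `pfctl -t botnet_block -T delete <ip>`.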
@jnorell Is there a way to do it on the remote access servers? They would know the IP and failed login attempt.
I just suggested fail2ban to someone, which looks at the logs on that server and adds blocks via software firewall. So, it works well for mail, web/WordPress, etc.
Even if there was a way to build a list pfSense reads URL aliases every 24h.
-
@bmeeks Thanks Bill, I'll get up to speed on pfctl and am finding a lot more relevant search results with those pointers.
-
@SteveITS thanks for the response. No, these boxes can't handle these failures yet (I read that the vendor may be working on it). They can block on repeated failed logins for actual accounts, but not for non-existing accounts. And it's not a server OS that we can install software on, so fail2ban (or better, crowdsec) is not an option. Thanks for the ideas, though!