Linux script to Add Host Blocking to pfSense?



  • I have several systems that are hit by probe scripts several times a day trying to break in. I can detect the probing on the Linux box and block it on the box's firewall. What I want to do is add the IP address to a pfSense alias that is used to block the offending IPs for the entire network.

    How would I go about writing a script that would add a host to an existing alias, cause pfSense to reload so it sees the new alias host list, and then reload the state tables to ensure that any current probing connections would be blocked? I have SSH access to the pfSense routers from the Linux boxes.

    Any ideas or examples would be appreciated.
    zktech



  • What you're looking for is a package called IP-Blocklist.



  • I am using IP-Ban on Linux. What I need is some way to trigger, from my IP-Ban scripts, adding the banned host IP to my pfSense blocked alias list, then reload the system so it uses the new list, and then reset the state tables so that the new list of blocked host IPs is read from the alias list.

    Is IP-Blocklist a module for pfSense?
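    The procedure asked for in the opening post and restated in the IP-Ban post (add the host to the alias's table on pfSense over ssh, then clear that host's states) as an added example. This script is not from the thread or from pfSense; the ssh target, the alias name and the hook invocation are assumptions, and it assumes pfSense loads a host alias used in a block rule as a pf table of the same name.

```sh
#!/bin/sh
# Added example, not code from the thread. Pushes a banned IPv4 address
# from a Linux host into a pfSense alias table over ssh, then kills any
# states that address already has, so an in-progress probe is cut off.
#
# Assumptions (hypothetical names; adjust to your setup):
#   PFSENSE_HOST : ssh target for the pfSense box, key-based auth as root
#   BLOCK_ALIAS  : an existing host alias referenced by a block rule;
#                  pfSense loads such an alias as a pf table of the same name
PFSENSE_HOST="${PFSENSE_HOST:-root@pfsense.example.internal}"
BLOCK_ALIAS="${BLOCK_ALIAS:-banned_hosts}"

# Accept only a dotted-quad IPv4 address. The address normally comes from
# a log parser, so it must never reach the remote shell unvalidated.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    oldifs=$IFS
    IFS=.
    set -- $1            # split into the four octets
    IFS=$oldifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Build the command line that runs on pfSense:
#   pfctl -t ALIAS -T add IP   add IP to the running pf table ALIAS
#   pfctl -k IP                kill states whose source is IP
#   pfctl -k 0.0.0.0/0 -k IP   kill states whose destination is IP
# Only that address's states are dropped; the whole state table is left alone.
remote_block_cmd() {
    alias_name=$1
    ip=$2
    printf '/sbin/pfctl -t %s -T add %s && /sbin/pfctl -k %s && /sbin/pfctl -k 0.0.0.0/0 -k %s' \
        "$alias_name" "$ip" "$ip" "$ip"
}

# Validate, then run the command on pfSense. BatchMode makes ssh fail fast
# instead of prompting when called from an unattended ban script.
block_ip() {
    ip=$1
    if ! valid_ipv4 "$ip"; then
        echo "refusing to block invalid address: $ip" >&2
        return 2
    fi
    ssh -o BatchMode=yes "$PFSENSE_HOST" "$(remote_block_cmd "$BLOCK_ALIAS" "$ip")"
}

# Usage from an IP-Ban or DenyHosts hook:  ./pf_block.sh 203.0.113.45
if [ "$#" -gt 0 ]; then
    block_ip "$1"
fi
```

    Two caveats. The `pfctl -T add` only changes the running pf table: the next filter reload (any rule or alias change saved in the GUI) rebuilds the table from the alias stored in the configuration and the entry is gone, so for a lasting ban the alias itself has to be updated, or the banned list kept in a file that a URL-table alias pulls in as suggested later in the thread. And only the offending address's states are killed with `pfctl -k`; flushing the entire state table would also drop every legitimate connection through the firewall.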



  • If you're looking for an automated trigger program, then DenyHosts will do that for you. It monitors SSH and other auth services. After 3 failed login attempts the IP is banned.
    IP-Blocklist is a manual method: you enter IP lists that are banned. There are lists of IPs that are known bad. It's more of a preventive approach.



  • I have tried to use IP-Blocklist (thanks tommyboy), but the blocklists I need are hosted and not in the dansguardian2 format.

    I would imagine I can call them from a cron job thusly…

    # fetch -o - writes the list to stdout; only dotted-quad/CIDR entries are turned into pfctl commands, which sh then runs
    fetch -o - http://www.infiltrated.net/voipabuse/addresses.txt |
    awk '$1 ~ /^[0-9.\/]+$/ {print "/sbin/pfctl -t voipblocklist -T add " $1}' | sh

    Does anyone have any suggestions for creating the table and making it persist in /tmp/rules.debug with pfSense? I'd rather not do this manually, but it seems all the blocking solutions available won't accept a simple list.


  • Rebel Alliance Developer Netgate

    Use the URL Table package. It does exactly that: fetches an IP or IP/CIDR list of IPs from a text file by URL, and puts them into a table.



  • zktech, you might look at the Snort package in pfSense, too - even the portscan preprocessor (i.e. without downloading any Snort rulesets) catches a lot of SSH port scans, and can automatically block (and later remove) the scanning IP addresses.

