Anything like the iptables "recent" feature?
-
I am a recent convert from a "home made" linux/iptables firewall to pfsense. One feature I am missing in pfsense is the iptables "recent" feature. Using the "recent" table in iptables, I can easily block portscans from reaching valid open ports.
Instead of just "dropping" packets to closed port, IP addresses are added to a list of "recent" IP addresses. Then a second rule will block everything coming from IPs from this list, even if the port would be open otherwise. This feature is also useful to implement port knocking.
Is there anything like that in pfsense? Something that would allow me to put source IPs automatically on a blacklist for lets say 30 minutes if they hit 3 closed port within one minute?
Thanks.
-
not built in. Could do that via log analysis, or use Snort with the block offenders option.
-
Check a 10 year old discussion about portscans and pf at http://monkey.org/openbsd/archive/misc/0211/msg02491.html
Since after 10yr they still haven't added an iptables' "recent"-like functionality in pf, they apparently still think you'd be better off writing something to monitor pflog0 to watch for blocked packets and blocking those hosts.
To mitigate bruteforce attacks you can use pf's max-src-* directives, check http://home.nuug.no/~peter/pf/en/bruteforce.html
-
Can you try to add a connection limit to your denied rules. Probably it will block 'offenders/portscanners' for about 2 hours.
