Block IPs on pfSense from other servers.

  • Hi,

    What is the best way to allow servers which are behind the pfSense firewall to block an IP?
    Now the server is connected to the internet and uses CSF to block.

    But the one server will become three servers, each with their own role.
    So I want to place a pfSense in front of the three servers and allow the other servers to block IP addresses which violate certain rules (50x wrong login info).
    But how can I let my server talk to pfSense to block the IP?

  • Use your firewall solution to write the IPs into a file and delete expired entries from it (fail2ban can do this). Put the file into a web-accessible folder (be careful with the owner/permissions), pull it into the firewall via a URL alias, a pfBlocker list set up as an alias, or a custom script, then set up a block (WAN side) / reject (LAN side) rule using that alias.

    Any other solution will cause security nightmares down the road. You could ssh into the servers and get the list that way, but why add another step to a known and verified setup?

  • Moderator

    You could do this with OSSEC HIDS.

    It can be installed on a Linux server and it can control all of your Windows/Linux based machines.

    Another solution is Security Onion, which has OSSEC already built in.

  • 1. Use an existing monitoring solution (CSF, fail2ban) and add the needed functionality.
    2. Learn about a new solution and implement it.

    Since I'm a strong advocate of the KISS principle, I think I'll take option 1.

  • I already use CSF, but I want to use CSF to give pfSense a command to block certain IPs.
    Why? Because pfSense will be in front of my mail server, web server and database server. An IP which tries something funny on either server should be banned on all of them.

  • There is a way to give that command, but that means giving access to your firewall from your servers, which is NOT recommended, nor is it simple to do.

    The best way is to set up CSF so that it outputs the banned IPs in a file that is web-accessible, then pull in that list from pfSense.

  • And how will I pull that list?

  • Firewall > Aliases > new alias > type URL Table > enter the full filename ([server_ip_or_domain]:/iplist.txt).

    Then set up the firewall rules accordingly (block on WAN side, reject on LAN side).

  • Moderator

    > Firewall > Aliases > new alias > type URL Table > enter the full filename ([server_ip_or_domain]:/iplist.txt).
    >
    > Then set up the firewall rules accordingly (block on WAN side, reject on LAN side).

    We have to hack away at that Freq setting in the alias script to make it allow updates more often than 1 day.

    If CSF can keep an IP blocked for a day, then pfSense will be updated only once per day (setting the Alias Freq to 1).

    Other options are to use a small script in pfSense that automatically pulls the file from the other servers once an hour and pfctl's the IPs into the alias table.
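    Below is an added example of the "small script in pfSense" approach from the post above; it is not code from this thread, from pfSense, or from pfSense's own rc.update_urltables. It assumes a constructed list URL (192.0.2.10 is a documentation address), a hypothetical alias named csf_banned that is already referenced by a block (WAN) / reject (LAN) rule (pf names the table after the alias), FreeBSD's fetch(1) with curl as a fallback, and a cron entry that calls it with the argument "run". The sanitising step is the part worth keeping whatever you use to fetch the file: every line is checked to be a plain IPv4 address or prefix, the addresses you must never lock out are stripped, and a failed download leaves the existing table untouched instead of emptying it.

```shell
#!/bin/sh
# Constructed example for the pfSense side: pull the servers' published ban
# list on a short cron interval and load it into the alias' pf table.
# Not pfSense's own rc.update_urltables. Assumptions: LIST_URL is the file
# the servers publish (192.0.2.10 is a documentation address); TABLE is a
# hypothetical alias already used by a block/reject rule, so pf has a table
# of that name; fetch(1) is FreeBSD's, curl is the fallback.
# Assumed cron line:  */5 * * * * /root/pull_banlist.sh run

LIST_URL="${LIST_URL:-http://192.0.2.10/iplist.txt}"
TABLE="${TABLE:-csf_banned}"
WORK="${WORK:-/var/db/${TABLE}.pulled}"
# Addresses that must never be loaded, whatever the servers publish
# (constructed: the servers themselves and the admin workstation).
PROTECTED="${PROTECTED:-192.0.2.10 192.0.2.11 192.0.2.20}"

IPV4_RE='^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(/([0-9]|[12][0-9]|3[0-2]))?$'

# stdin -> stdout: strip comments, CR/LF and whitespace, keep only lines that
# are a bare IPv4 address or IPv4/prefix, de-duplicate. pfctl rejects a file
# containing a malformed line, so this also protects the cron job from typos.
filter_ips() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' | grep -E "$IPV4_RE" | sort -u
}

# stdin -> stdout: drop the protected addresses so a bad entry on a server
# cannot lock the administrator or the servers themselves out.
drop_protected() {
    [ -n "$PROTECTED" ] || { cat; return 0; }
    for p in $PROTECTED; do set -- "$@" -e "$p"; done
    grep -vxF "$@" || true      # grep exits 1 when every line was dropped
}

# stdin: raw published list; stdout: exactly what will be handed to pfctl.
build_table() {
    filter_ips | drop_protected
}

fetch_list() {
    fetch -q -o - "$LIST_URL" 2>/dev/null || curl -fsS "$LIST_URL"
}

# "-T replace" adds new addresses and removes ones no longer listed while
# keeping entries present in both, so existing blocks are never dropped
# mid-update. A failed download aborts before the table is touched.
load_table() {
    raw="$WORK.raw"
    fetch_list > "$raw" || { echo "fetch failed, table $TABLE left unchanged" >&2; return 1; }
    build_table < "$raw" > "$WORK.tmp" && mv "$WORK.tmp" "$WORK"
    pfctl -t "$TABLE" -T replace -f "$WORK"
}

if [ "${1:-}" = "run" ]; then
    load_table
fi
```

    Because the alias is already in a rule, loading the table with pfctl takes effect immediately; the GUI's Freq setting only governs how often pfSense itself refreshes the file, so this script can run as often as the servers update their list.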

  • OSSEC seems really good, but I can't get my head around it to implement it.
    Is pfSense compatible?

    Also, the alias option isn't really an option, because the attacker could have a full day of brute forcing before getting banned.

  • My personal recommendation is fail2ban. It's extremely loyal to the KISS principle. You just need to edit the action file and add an echo line to the ban action, and a sed line to the unban action. Done. You now have a file storing IPs from your server, in a publicly accessible space. Pull that using BBcan177's script or an alias and you are done.

    A full day of brute forcing? In that case your server's attack responses are NOT working, I repeat, are NOT working.

    An attacker starts brute forcing server A, which is behind pfSense A. The server notices this after 3 attempts (3 is all you need to detect even the most sophisticated attacks, not just brute forcing), because it happens once, twice is a coincidence, the third time is a pattern. The server bans the attacker, using the server's firewall. pfSense A still allows traffic through.

    The attacker decides to attack server B. Same thing happens, the attacker is cut off by the server's firewall. The attacker, feeling extremely frustrated since he cannot be the world's top hacker and get stopped by a lowly log watching program, decides to head for bed and continue with his brute forcing of server C, tomorrow.

    pfSense A though, about 4 hours after the initial attack, checks server A's banned hosts and finds a new host was added. It pulls this update in, and incorporates it into its filters. From now on, the attacker is blocked at the core router level; his traffic is NOT reaching anything beyond pfSense A.

    The attacker wakes up, takes a long sip from his favourite coffee, throws a hacking line from the movies Hackers, GoldenEye, etc. and sits at his laptop (a 15" laptop) thinking he is about to brute force your server C. He is extremely frustrated to find that for the next 28 days (he doesn't know that from the start!) he will be completely unable to communicate with ANY of your network's hosts.

    He commits suicide blaming the f****ed up society shortly after that.
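    As an added example of the fail2ban wiring described in the post above (edit the action file, add a line to the ban action and a sed-style removal to the unban action), here is a small script that fail2ban's actionban/actionunban could call; it is not code from this thread, from fail2ban or from pfSense. The path under /var/www/html and the action.d lines in the comments are assumptions, and the command line interface ("ban <ip>" / "unban <ip>") is invented for the example. Two details matter for the firewall that pulls the file: only well-formed IPv4 entries are accepted, so nothing else can reach the pf table, and each update is written to a temporary file and renamed into place so pfSense never fetches a half-written list.

```shell
#!/bin/sh
# Constructed example: maintain a flat list of banned IPs in a web-served
# file that pfSense pulls as a URL Table alias. Assumed fail2ban wiring
# (hypothetical lines in an action.d/*.conf file):
#   actionban   = /usr/local/sbin/banlist.sh ban <ip>
#   actionunban = /usr/local/sbin/banlist.sh unban <ip>
# BANLIST_FILE is an assumed path under the web root; the directory should be
# writable only by the user fail2ban runs as, and served read-only.

BANLIST_FILE="${BANLIST_FILE:-/var/www/html/iplist.txt}"

IPV4_RE='^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(/([0-9]|[12][0-9]|3[0-2]))?$'

# Accept only a dotted-quad IPv4 address, optionally with a /prefix, so that
# nothing else can ever be written into the list the firewall loads.
valid_ip() {
    printf '%s\n' "$1" | grep -Eq "$IPV4_RE"
}

# Add an IP (the "echo line" of the ban action). The list is rebuilt in a
# temporary file and renamed into place so a client fetching it mid-update
# never sees a truncated file. Duplicates are ignored.
ban_ip() {
    ip="$1"; file="${2:-$BANLIST_FILE}"
    valid_ip "$ip" || return 1
    [ -f "$file" ] || : > "$file"
    if grep -qxF "$ip" "$file"; then return 0; fi
    tmp="$file.tmp.$$"
    { cat "$file"; printf '%s\n' "$ip"; } > "$tmp" && mv "$tmp" "$file"
}

# Remove exactly that line (the "sed line" of the unban action), using the
# same write-then-rename pattern.
unban_ip() {
    ip="$1"; file="${2:-$BANLIST_FILE}"
    valid_ip "$ip" || return 1
    [ -f "$file" ] || return 0
    tmp="$file.tmp.$$"
    grep -vxF "$ip" "$file" > "$tmp" || true   # grep exits 1 when nothing is left
    mv "$tmp" "$file"
}

# Number of entries currently published.
banned_count() {
    file="${1:-$BANLIST_FILE}"
    [ -f "$file" ] || { echo 0; return 0; }
    wc -l < "$file" | tr -d ' '
}

# Entry point used by the assumed fail2ban action lines above.
case "${1:-}" in
    ban)   ban_ip "$2" ;;
    unban) unban_ip "$2" ;;
    *)     ;;
esac
```

    The list file should contain nothing but addresses: comments or hostnames would make pfSense's URL Table import reject the whole file, which is why the script refuses anything that is not an IPv4 address or prefix.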

  • Hello,

    I restart this because we also want to ban some kiddy hackers using all our Linux servers running the CSF firewall.
    We set up a CSF cluster and have a master CSF firewall server receiving all the blocked IPs. This works like a charm, but we also run a lot of customers' servers, also under CSF, and we don't want (and neither do they) to share our blocked IPs.
    I set up an every-minute cron to create a ban IP list, placed in a www public place that our pfSense firewalls can read, but the frequency is really not high enough …
    I tried installing the cron package and modified the "/usr/bin/nice -n20 /etc/rc.update_urltables" command, telling it to run every 5 minutes. But this is NOT working to update our ban list ...

    Before we used pfSense, we had Watchguard firewalls, and there was a nice script available to install on a Linux server that was able to send banned IPs to our Watchguard firewalls. It worked great, and we had far fewer brute force attacks ...

    Now that we have pfSense, I played with the SSH advanced options rules to limit the new connection rates, but this is also not enough, as an attacker can play and try up to 10 times a minute, and so on for hours, until the local CSF firewall detects it and blocks it, for 1 server, then sends the info to the cluster, if that server is in the cluster ...  :-\

    Is there really no way to send a banned IP list in about "real time"?
    I can live with an SSH connection from our cluster CSF server to our pfSense firewalls, if this is the only solution...
    Nobody but us has access to this server, so it can't hurt that much if there are SSH credentials on one of our servers ...

    Thanks for any good idea  8)

  • I know pfBlockerNG can be pointed at any source that uses HTTP/HTTPS and some common flat-file format. I have never used it, but I assume you can configure how often you want to pull that list.