    Block IPs on pfSense from other servers.

    Firewalling
      RpR last edited by

      Hi,

      What is the best way to allow servers which are behind the pfSense firewall to block an IP?
      Now the server is connected to the internet and uses csf to block.

      But the 1 server becomes 3 servers, each with their own role.
      So I want to place a pfSense before the 3 servers and allow the other servers to block IP addresses which violate certain rules (50x wrong login info).
      But how can I let my server talk to pfSense to block the IP?

      1 Reply Last reply Reply Quote 0
        A Former User last edited by

        Use your firewall solution to write the IPs into a file/delete expired entries from it (fail2ban can do this). Put the file into a web accessible folder (be careful with the owner/permissions), and pull it into the firewall via URL alias or pfBlocker list set up as an alias, or custom script, then set up a block (WAN side)/reject (LAN side) rule using that alias.

        Any other solution will cause security nightmares down the road. You could ssh into the servers and get the list that way, but why add another step to a known and verified setup?

        1 Reply Last reply Reply Quote 0
          BBcan177 Moderator last edited by

          You could do this with OSSEC HIDS.

          http://www.ossec.net/?page_id=169

          It can be installed on a Linux Server and it can control all of your Windows/Linux based machines.

          Another solution is Security Onion that has OSSEC already built in.

          http://blog.securityonion.net/p/securityonion.html

          1 Reply Last reply Reply Quote 0
            A Former User last edited by

            1. use an existing monitoring solution (csf,fail2ban) and add the needed functionality
            2. learn about a new solution and implement it

            Since I'm a strong advocate of the KISS principle, I think I'll take option 1.

            1 Reply Last reply Reply Quote 0
              RpR last edited by

              I already use csf but I wanna use csf to give pfSense a command to block certain IPs.
              Why? Because pfSense will be before my mail server, web server and database server. An IP which tries something funny on either server should be banned on all of them.

              1 Reply Last reply Reply Quote 0
                A Former User last edited by

                There is a way to give that command, but that means giving access to your firewall on your servers, which is NOT recommended nor is it simple to do.

                The best way is to set up csf so that it outputs the banned IPs in a file that is web accessible, then pull in that list from pfsense.

                1 Reply Last reply Reply Quote 0
                  RpR last edited by

                  and how will I pull that list?

                  1 Reply Last reply Reply Quote 0
                    A Former User last edited by

                    Firewall>aliases>new alias>type URL table>enter the full filename ([server_ip_or_domain]:/iplist.txt).

                    Then set up the firewall rules accordingly (block on wan side, reject on lan side).

                    1 Reply Last reply Reply Quote 0
                      BBcan177 Moderator last edited by

                      @jflsakfja:

                      Firewall>aliases>new alias>type URL table>enter the full filename ([server_ip_or_domain]:/iplist.txt).

                      Then set up the firewall rules accordingly (block on wan side, reject on lan side).

                      We have to hack away at that Freq setting in the Alias script to make it allow updates more often that 1 day.

                      If CSF can keep an IP blocked for a day, then pfSense will be updated only once per day (Setting the Alias Freq to 1)

                      Other options are to use a small script in pfSense that automatically pulls the file from the other servers once an hour and pfctl's the IPs into the Alias Table.

                      1 Reply Last reply Reply Quote 0
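Added example for the "small script in pfSense" idea in the reply above; this is not BBcan177's script, nor part of pfSense, pfBlockerNG or csf. It is a POSIX sh script meant to run from the pfSense Cron package: it fetches each server's published list, keeps only well-formed public IPv4 addresses, and swaps the merged set into the pf table with `pfctl -t <table> -T replace`. The URLs, the alias/table name `csfbans`, the work directory and the cron schedule are all assumptions.

```shell
#!/bin/sh
# pull_banlist.sh: fetch each server's published ban list over HTTPS, keep only
# well-formed public IPv4 addresses, and load the merged set into a pf table.
# Added example for this thread; not a pfSense, pfBlockerNG or csf script.
# The URLs, the alias/table name and the work directory are assumptions.
#
# Assumed pfSense setup: an alias named "csfbans" referenced by a block rule
# on WAN (and a reject rule on LAN), plus a Cron package entry such as
#   */5 * * * * root /usr/local/bin/pull_banlist.sh run

TABLE="${TABLE:-csfbans}"
SOURCES="${SOURCES:-https://mail.example.net/iplist.txt https://web.example.net/iplist.txt}"
WORK="${WORK:-/var/db/pull_banlist}"

# Reduce a fetched file to one public IPv4 address per line. Comments, blank
# lines, CRLF endings, hostnames, trailing junk and out-of-range octets are
# dropped, and so are loopback and RFC 1918 ranges, which an attacker who can
# influence the list (e.g. via a crafted login name) could otherwise use to
# knock your own LAN off the firewall.
sanitize() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
    awk -F. '
        NF == 4 &&
        $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ && $4 ~ /^[0-9]+$/ &&
        $1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255 &&
        $1 != 0 && $1 != 10 && $1 != 127 &&
        !($1 == 192 && $2 == 168) &&
        !($1 == 172 && $2 >= 16 && $2 <= 31) { print }' |
    sort -u
}

# Download one URL to a temporary file and only then replace the last good
# copy, so a failed or truncated fetch never empties the ban table.
fetch_one() {  # $1 = URL, $2 = destination file
    if command -v curl >/dev/null 2>&1; then
        curl -fsS --max-time 20 -o "$2.new" "$1" || return 1
    else
        fetch -q -T 20 -o "$2.new" "$1" || return 1   # FreeBSD base fetch(1)
    fi
    mv "$2.new" "$2"
}

# Merge every source into one list and swap it into the pf table.
refresh_table() {
    mkdir -p "$WORK"
    merged="$WORK/merged.tmp"
    : > "$merged"
    ok=0
    for url in $SOURCES; do
        raw="$WORK/$(printf '%s' "$url" | tr -c 'A-Za-z0-9' '_').txt"
        fetch_one "$url" "$raw" || echo "pull_banlist: fetch failed for $url, reusing last copy" >&2
        if [ -f "$raw" ]; then sanitize "$raw" >> "$merged"; ok=$((ok + 1)); fi
    done
    if [ "$ok" -eq 0 ]; then
        echo "pull_banlist: no list available, leaving table $TABLE unchanged" >&2
        return 1
    fi
    sort -u "$merged" > "$WORK/table.txt"
    # -T replace swaps the table's whole address set in one operation.
    pfctl -t "$TABLE" -T replace -f "$WORK/table.txt"
    echo "pull_banlist: table $TABLE now holds $(wc -l < "$WORK/table.txt" | tr -d ' ') addresses"
}

case "${1:-}" in
    run) refresh_table ;;
    *)   ;;   # no argument: define the functions only (sourcing or testing)
esac
```

A filter reload on pfSense rebuilds the table from the firewall's own cached copy of the alias, so keep the URL table alias pointing at the same lists and keep the cron job running; the script only shortens the gap between pulls, it does not replace the alias.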
                        RpR last edited by

                        OSSEC seems really good but I can't get my head around it to implement it.
                        Is pfSense compatible?

                        Also the alias option isn't really an option because the attacker could have a full day of brute forcing before getting banned.

                        1 Reply Last reply Reply Quote 0
                          A Former User last edited by

                          My personal recommendation is fail2ban. It's extremely loyal to the KISS principle. You just need to edit the action file and add an echo line to the ban action, and a sed line to the unban action. Done. You now have a file storing IPs from your server, in a publicly accessible space. Pull that using BBcan177's script or an alias and you are done.

                          A full day of brute forcing? In that case your server's attack responses are NOT working, I repeat, are NOT working.

                          An attacker starts brute forcing server A, which is behind pfsense A. The server notices this after 3 attempts (3 is all you need to detect even the most sophisticated attacks, not just brute forcing), because it happens once, twice is a coincidence, third time is a pattern. The server bans the attacker, using the server's firewall. pfsense A still allows traffic through.

                          The attacker decides to attack server B. Same thing happens, the attacker is cut off by the server's firewall. The attacker, feeling extremely frustrated since he cannot be the world's top hacker and get stopped by a lowly log watching program, decides to head for bed and continue with his brute forcing of server C, tomorrow.

                          pfsense A though, about 4 hours after the initial attack, checks server's A banned hosts and finds a new host was added. It pulls this update in, and incorporates it into its filters. From now on, the attacker is blocked at the core router level, his traffic is NOT reaching anything beyond pfsense A.

                          The attacker wakes up, takes a long sip from his favourite coffee, throws a hacking line from the movie hackers, golden eye, etc. and sits on his laptop (a 15" laptop) thinking he is about to brute force your server C. He is extremely frustrated to find that for the next 28 days (he doesn't know that from the start!) he will be completely unable to communicate with ANY of your network's hosts.

                          He commits suicide blaming the f****ed up society shortly after that.

                          1 Reply Last reply Reply Quote 0
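Added example of the "echo line / sed line" action the reply above describes, including the owner/permission care an earlier reply asks for. This is not fail2ban's, csf's or pfSense's own code: it is a small POSIX sh helper that a fail2ban action calls with the banned address. fail2ban's `<ip>` action tag is real; the script location, the action file name and the web-served path `/var/www/html/iplist.txt` are assumptions.

```shell
#!/bin/sh
# banlist.sh: keep a plain-text list of banned IPv4 addresses in a directory
# the web server exposes, so pfSense can pull it as a URL table alias.
# Added example for this thread; it is not part of fail2ban, csf or pfSense,
# and the path, script location and action name below are assumptions.
#
# Hook it into fail2ban with an action file /etc/fail2ban/action.d/banlist.conf:
#   [Definition]
#   actionban   = /usr/local/bin/banlist.sh ban <ip>
#   actionunban = /usr/local/bin/banlist.sh unban <ip>
# and add "banlist" to the action list of each jail.

BANLIST="${BANLIST:-/var/www/html/iplist.txt}"   # assumed: served read-only by the web server
umask 022                                        # file is owner-writable, world-readable

# Accept exactly one dotted-quad. Anything else (hostnames, CIDR, a second
# line, shell metacharacters) is refused, so the published file never carries
# text an attacker could plant through a crafted login name in the log.
is_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
}

# Serialise writers (fail2ban can fire several bans at once) with a mkdir
# lock, which is atomic on every POSIX filesystem.
with_lock() {
    lockdir="$BANLIST.lock"; tries=0
    until mkdir "$lockdir" 2>/dev/null; do
        tries=$((tries + 1))
        [ "$tries" -lt 10 ] || { echo "banlist: lock timeout" >&2; return 1; }
        sleep 1
    done
    "$@"; rc=$?
    rmdir "$lockdir"
    return $rc
}

# Ban: the "echo line" from the post, guarded against duplicates.
banlist_ban() {
    is_ipv4 "$1" || { echo "banlist: refusing '$1'" >&2; return 2; }
    touch "$BANLIST"
    grep -qxF "$1" "$BANLIST" && return 0
    echo "$1" >> "$BANLIST"
}

# Unban: rewrite to a temp file in the same directory and rename it over the
# list, so a fetch from pfSense never reads a half-written file (same effect
# as the post's sed line, without an in-place edit).
banlist_unban() {
    is_ipv4 "$1" || { echo "banlist: refusing '$1'" >&2; return 2; }
    [ -f "$BANLIST" ] || return 0
    tmp="$BANLIST.tmp.$$"
    grep -vxF "$1" "$BANLIST" > "$tmp" || true   # grep exits 1 when nothing is left
    mv "$tmp" "$BANLIST"
}

case "${1:-}" in
    ban)   with_lock banlist_ban "$2" ;;
    unban) with_lock banlist_unban "$2" ;;
    *)     ;;   # no argument: define the functions only (sourcing or testing)
esac
```

Serve the file read-only over HTTPS from a host pfSense can reach, and make sure the web server user cannot write to it; only the fail2ban user (root by default) should own it.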
                            atrocity last edited by

                            Hello,

                            I restart this because we also want to ban some kiddy hackers using all our Linux servers running the CSF firewall.
                            We set up a CSF cluster and have a master CSF firewall server receiving all the blocked IPs. This works like a charm, but we also run a lot of customers' servers, also under CSF, but we don't want (and they also don't) to share our blocked IPs.
                            I set up an every-minute cron to create a banned IP list, placed in a www public place that our pfSense firewalls can read, but the frequency is really not high enough …
                            I tried installing the cron package and modified the "/usr/bin/nice -n20 /etc/rc.update_urltables" command, telling it to run every 5 minutes. But this is NOT working to update our ban list ...

                            Before we used PFSense, we had Watchguard firewalls, and there was a nice script available to install on a Linux server and that was able to send banned IP's to our Watchguard firewalls. Worked great, and we had really less brute force attacks ...

                            Now that we have pfSense, I played with the SSH advanced options rules to limit the new connection rates, but this is also not enough, as an attacker can play and try up to 10 times a minute, and so on for hours, until the local CSF firewalls detect it and block that, for 1 server, then send the info to the cluster, if that server is in the cluster ...  :-\

                            Is there really not a way to send a banned IP list in about "real time"?
                            I can live with an SSH connection from our cluster CSF server to our pfSense firewalls, if this is the only solution...
                            Nobody but us has access to this server, so it can't hurt that much if there are SSH credentials on one of our servers ...

                            Thanks for any good idea  8)

                            1 Reply Last reply Reply Quote 0
                              Harvy66 last edited by

                              I know pfBlockerNG can be pointed at any source that uses HTTP/HTTPS and is using some common flatfile format. I have never used it, but I assume you can configure how often you want to pull that list.

                              1 Reply Last reply Reply Quote 0
                              © 2021 Rubicon Communications, LLC | Privacy Policy