Netgate Discussion Forum

    Modify aliases from ssh shell

    Firewalling
    24 Posts 5 Posters 21.7k Views
    • RusFM

      I've been wanting my AlienVault (SIEM) to tell pfSense to block an IP when it detects a port/web/mail attack.
      But that script doesn't work because there's a bug in rc.update_urltables.  See https://redmine.pfsense.org/issues/3469

      The fix is to touch the time on the cached alias list file and set the time to older than at least 24 hours plus some time for the delay.

      Here's the expect script I run on AlienVault to update the URL alias BlockList on pfSense-

      
      #!/usr/bin/expect -f
      
      # given an ip on the command line-
      # - add it to /usr/local/www/lists/blocklist
      # - reload the BlockList table in the packet filter from that file
      #
      # for this to work-
      # - create the file manually first
      # - create a url alias BlockList type = URL Table (IPs)
      # - create floating rules to block, log, etc. based on this alias
      #
      # show the contents of the table in the packet filter-
      # pfctl -t BlockList -T show
      #
      # show the rules in the packet filter-
      # pfctl -vvsr | grep BlockList
      #
      # show everything-
      # pfctl -sa
      
      set timeout 2
      
      # send 10 chars w/ a millisecond break if used with send -s
      set send_slow {10 .001}
      
      # get ip from command line (bail out if none was given, otherwise an
      # empty line would be appended to the list)
      if {$argc < 1} {
          puts stderr "usage: $argv0 <ip>"
          exit 1
      }
      set IP [lindex $argv 0]
      
      # log it. Tcl's exec does not go through a shell, so a backtick `date`
      # would be written to the log literally; build the timestamp in Tcl.
      set TS [clock format [clock seconds] -format "%D %T"]
      exec echo "$TS Blocking $IP" >> /var/log/pfSense_block.log
      
      # define the command line prompt which is colored
      set PROMPT {:[^\s]*?\s}
      
      # log in via ssh and get past pfsense's menu to the command line
      # (host key checking is disabled here, so the firewall's identity is not verified)
      spawn ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no root@pfsense.YourDomain.local
      expect "Password for root@pfsense.YourDomain.local:"
      send -s "YourPassword\r"
      expect "Enter an option: "
      send -s "8\r"
      
      # append ip from command line to file
      expect -re $PROMPT
      send -s "echo $IP >> /usr/local/www/lists/blocklist\r"
      
      # load list into packet filter immediately
      expect -re $PROMPT
      send -s "pfctl -t BlockList -T replace -f /usr/local/www/lists/blocklist\r"
      
      # force pfsense to reload the alias tables
      expect -re $PROMPT
      # move the access and modification times 48 hours back (touch -A adjusts both),
      # see https://redmine.pfsense.org/issues/3469
      send -s "touch -A -480000 /var/db/aliastables/BlockList.txt\r"
      expect -re $PROMPT
      send -s "/etc/rc.update_urltables\r"
      
      # exit back to menu and logout
      expect -re $PROMPT
      send -s "exit\r"
      expect "Enter an option: "
      send -s "0\r"
      expect eof
      

      EDIT:  Unfortunately this doesn't work.  For some reason pfctl removes the IPs from the list?  Still working on it.

      • luckman212 (LAYER 8)

        I came sniffing around looking for a way to block IPs via shell/console/ssh/pfSsh.php … I don't have an AlienVault SIEM set up (fancy) and was looking for a simple way to do this via a bash/cron script.  I have an asterisk box running on my LAN behind pfSense and get daily "attacks" trying to exploit SIP.  These are easy to spot in my asterisk logs and I have a script that uses grep/awk/uniq to pull "bad" IPs out of the logs and dump them into a file.  I am looking for a way to dynamically add these to an alias that I use for my Blocklist.  @RusFM Did you ever figure out a clean solution?

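Both posts above come down to the same step: getting a batch of addresses (one from the SIEM, or a file scraped out of Asterisk logs) into the file behind the URL Table alias and reloading the pf table. The script below is an added example written for this thread; it is not RusFM's or luckman212's code and not part of pfSense or pfBlockerNG. It checks that each candidate really is a dotted-quad IPv4 address (the original `echo $IP >>` appends whatever string it is handed), refuses loopback, RFC 1918, link-local and multicast/reserved ranges so a mis-parsed log line cannot block the LAN, skips addresses already listed, writes the new list through a temp file and rename, and then runs the same `pfctl -t BlockList -T replace` as the expect script when `pfctl` is present. The file path and alias name are those used in the thread; the environment-variable overrides, function names and the one-address-per-line candidate file format are assumptions. It does nothing about the rc.update_urltables caching problem the first post links to.

```shell
#!/bin/sh
# Added example, not code from the thread, pfSense or pfBlockerNG.
# Merges validated candidate IPs into the URL Table alias file and reloads
# the pf table the way the original post does. Paths and alias name come
# from the thread; env-var overrides, function names and the candidate
# file format (one IP per line) are assumptions.

BLOCKLIST_FILE="${BLOCKLIST_FILE:-/usr/local/www/lists/blocklist}"
BLOCKLIST_TABLE="${BLOCKLIST_TABLE:-BlockList}"

# is_ipv4 ADDR: succeed only for four octets in 0-255 with no leading zeros.
# Hostnames, CIDR notation and trailing shell text are all rejected, so a
# scraped log field cannot put arbitrary text into the list.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in 0?*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# is_blockable ADDR: additionally refuse ranges that must never end up in a
# perimeter blocklist fed from log data: 0/8, loopback, RFC 1918,
# link-local and 224/3 (multicast and reserved).
is_blockable() {
    is_ipv4 "$1" || return 1
    o1=${1%%.*}
    rest=${1#*.}
    o2=${rest%%.*}
    [ "$o1" -eq 0 ] && return 1
    [ "$o1" -eq 10 ] && return 1
    [ "$o1" -eq 127 ] && return 1
    [ "$o1" -ge 224 ] && return 1
    [ "$o1" -eq 169 ] && [ "$o2" -eq 254 ] && return 1
    [ "$o1" -eq 192 ] && [ "$o2" -eq 168 ] && return 1
    [ "$o1" -eq 172 ] && [ "$o2" -ge 16 ] && [ "$o2" -le 31 ] && return 1
    return 0
}

# add_block_ips LISTFILE CANDIDATES: append each blockable address from
# CANDIDATES that is not already in LISTFILE. The new list is built in a
# temp file in the same directory and renamed into place, so the web server
# never serves a half-written file. Prints the number of addresses added;
# skipped entries are reported on stderr.
add_block_ips() {
    list=$1
    cands=$2
    [ -f "$list" ] || : > "$list"
    tmp=$(mktemp "${list}.XXXXXX") || return 1
    cat "$list" > "$tmp"
    # make sure the copy ends with a newline before appending
    [ -s "$tmp" ] && [ -n "$(tail -c 1 "$tmp")" ] && echo >> "$tmp"
    added=0
    while IFS= read -r line || [ -n "$line" ]; do
        ip=$(printf '%s' "$line" | tr -d '[:space:]')
        [ -n "$ip" ] || continue
        if ! is_blockable "$ip"; then
            printf 'skipping %s\n' "$ip" >&2
            continue
        fi
        if ! grep -qxF -- "$ip" "$tmp"; then
            printf '%s\n' "$ip" >> "$tmp"
            added=$((added + 1))
        fi
    done < "$cands"
    # URL Table aliases are fetched over HTTP, so the file must stay readable
    # by the web server (mktemp creates it 0600).
    chmod 0644 "$tmp"
    mv -f "$tmp" "$list"
    echo "$added"
}

# reload_table TABLE LISTFILE: the same pfctl replace as the original script.
# Returns 0 without doing anything when pfctl is not installed, so the
# functions above can be exercised on a non-pfSense host.
reload_table() {
    if ! command -v pfctl >/dev/null 2>&1; then
        echo "pfctl not found; $1 not reloaded" >&2
        return 0
    fi
    pfctl -t "$1" -T replace -f "$2"
}

# usage: sh blocklist-merge.sh candidates.txt
if [ -n "${1-}" ]; then
    n=$(add_block_ips "$BLOCKLIST_FILE" "$1")
    echo "added $n address(es) to $BLOCKLIST_FILE"
    if [ "$n" -gt 0 ]; then
        reload_table "$BLOCKLIST_TABLE" "$BLOCKLIST_FILE"
    fi
fi
```

Run it on the firewall as `sh blocklist-merge.sh /path/to/candidates.txt` after the log-scraping script has produced the candidate file; because pfSense's own alias refresh may still rewrite the table from its cached copy, the table contents should be checked afterwards with the `pfctl -t BlockList -T show` command from the first post.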
        • BBcan177 (Moderator)

          @luckman212:

          I came sniffing around looking for a way to block IPs via shell/console/ssh/pfSsh.php … I don't have an AlienVault SIEM set up (fancy) and was looking for a simple way to do this via a bash/cron script.  I have an asterisk box running on my LAN behind pfSense and get daily "attacks" trying to exploit SIP.  These are easy to spot in my asterisk logs and I have a script that uses grep/awk/uniq to pull "bad" IPs out of the logs and dump them into a file.  I am looking for a way to dynamically add these to an alias that I use for my Blocklist.  @RusFM Did you ever figure out a clean solution?

          As long as that local file of bad IPs is available to pfSense as a path, then you can use the pfBlockerNG package to collect that file automatically on an hourly basis…

          "Experience is something you don't get until just after you need it."

          Website: http://pfBlockerNG.com
          Twitter: @BBcan177  #pfBlockerNG
          Reddit: https://www.reddit.com/r/pfBlockerNG/new/

          • luckman212 (LAYER 8)

            So the script to collect the bad IPs runs on the Asterisk box.  I suppose I could create an account for it on my pfSense, use a public key to allow the script to scp the file to somewhere local on the pfSense box and then have pfBlocker do its thing.  I don't have pfBlocker installed currently and am in the process of migrating to 2.3-beta, so I suppose I will put this on my to-do list for the near future.

            thanks

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.