Dynamic transient blocking
-
I'm converting a firewall from iptables to pfsense, which I have not used before. In iptables, I would detect attempts to access inaccessible ports (e.g., port 80 on a machine that did not host a web server) and blacklist that IP address for some modest amount of time (e.g., 15 minutes). The idea was to keep dumb scanners from finding real servers, but not to have to manually blacklist or unblacklist anything.
I have not found any way to do this and other "dynamic" actions in pfsense. So far, I only see the three basic actions for pfsense rules: pass, block, or reject. Is there some "hook" somewhere in the functionality that allows for more dynamic extensibility?
-
You can use Suricata or Snort and set the ban to 15 mins… and use a custom rule like this:
alert tcp any any -> $HOME_NET 80 (msg:"We Are Not a Web Server!"; classtype:policy-violation; sid:902102121; rev:1;)
or
alert tcp any any -> 10.20.10.1 80 (msg:"We Are Not a Web Server!"; classtype:policy-violation; sid:902102122; rev:1;)
or
alert tcp any any -> $HOME_NET [:1024] (msg:"Sub Epehmeral Knocking"; classtype:policy-violation; sid:902102123; rev:1;)
You cen even add failed/successful login in content inspection, etc…
F.