Auto blacklisting IP addresses for which packets have been denied
-
I'm moving across to pfSense from a Watchguard XTM series firewall.
The Watchguard had a nice feature whereby, if a packet was not intercepted by any firewall rule (i.e. it was denied by a default rule), it could be blacklisted automatically for a certain amount of time.
This is useful, for example, where you have a number of open ports and a malicious hacker tries one that isn't open. The hacker's IP is then blocked, even if he then successfully guesses one of the open ports later on.
Is there an equivalent feature on pfSense please? I can't see it.
Andrew
-
Hi Andrew,
Nothing out of the box to achieve that functionality, but you can use an Intrusion Detection/Prevention System (Snort or Suricata) to block the IPs of attempts on ports that you define in an IDS custom rule.
You can find more info in the IDS forums:
https://forum.pfsense.org/index.php?board=61.0
-
Thanks for your reply. I downloaded and set up Snort earlier as an IDS, and couldn't immediately see how to do the above in Snort. Any pointers you can give me as to how to define an appropriate rule would be much appreciated.
Many thanks.
-
You can read about custom Snort Rules in these Links:
http://manual.snort.org/node29.html
http://archive.oreilly.com/pub/h/1393
You would create these manual rules in the "custom.rules" category for the interfaces being used. So for example WAN: WAN Settings: WAN Rules: and click "custom.rules" in the Category dropdown selection.
You should create the SIDs in the 9000000 range and increment them so that no rule SIDs overlap. You can also use "WAN Variables".
I would always suggest starting with a non-blocking implementation of Snort/Suricata, then once you get the rules working the way you like, you can enable "Blocking Mode".
Other settings to enable:
In the "Global Settings" - 'Remove Blocked Hosts Interval'
Interface(s) - i.e. WAN Settings: Alert Settings: 'Block Offenders', 'Kill States' and 'Which IP to Block'
Hope that gets you started… Post questions for IDS in the thread I posted above and I'm sure others will also help out...
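Putting the steps from that reply together, here is an added example of what such a custom.rules entry could look like. It is not from the thread or from the Snort/pfSense projects; the assumption that only TCP 22 and 443 are published on WAN, the SID 9000001 and the message text are all illustrative choices.

```snort
# Added example (not from the thread) of a pfSense Snort custom.rules entry.
# Assumption: the only services published on the WAN are SSH (22) and HTTPS (443);
# keep this list in sync with the WAN firewall rules or the firewall's own open
# ports will be reported as probes.
#
# The rule fires on the first SYN from an outside host to any WAN TCP port that
# is not in the published list. flags:S,12 means "SYN set and nothing else",
# ignoring the two reserved bits so ECN-marked SYNs still match; flow:stateless
# lets it fire before any stream exists. SID 9000001 keeps it clear of the vendor
# rule SID ranges, as advised above.
alert tcp $EXTERNAL_NET any -> $HOME_NET ![22,443] ( \
    msg:"LOCAL probe of a closed WAN TCP port"; \
    flags:S,12; \
    flow:stateless; \
    classtype:attempted-recon; \
    sid:9000001; rev:1; \
)
```

The port list could equally be a portvar defined on the WAN Variables tab and referenced from the rule. Because Snort on pfSense captures the interface with pcap, it sees the inbound SYN even though pf's default deny would drop it, which is what makes this work for closed ports. Leave blocking off until alerts show only the traffic you expect (a test from an outside host, e.g. `nc -zv <wan-ip> 8080`, should produce one alert); then enable Block Offenders with 'Which IP to Block' set to SRC, so the probing address lands in the snort2c table and every later connection from it, including to ports 22 and 443, is dropped until the 'Remove Blocked Hosts Interval' clears it. This covers TCP only; a UDP probe would need a separate rule.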