OPNsense Forum
English Forums => Intrusion Detection and Prevention => Topic started by: Helle on September 25, 2020, 01:19:17 pm
-
First post :-)
Is there a way to make abusers detected by Suricata be added to a dynamic firewall rule for, let's say, 6 hours or a specified time?
If I get hammering from the outside against a webserver, I would like my OPNsense to block the abuser totally and not only some of the php/apache/chmod/suspicious URL stuff that Suricata detects.
I would feel a lot safer if the detected abuser would be completely blocked for a certain time.
I have not used the other well known pf-based firewall but I believe this is easily done with that platform.
There was someone making a workaround using a webserver to host the list and have the rule pick up hosts, but that seems suboptimal IMHO.
Any suggestions?
/Helle
-
I did not find an option to use such a feature (yet).
Something like a "lockout" time as it is used for accounts, as far as I understand you.
Maybe a custom script or plugin could deliver something.
There is an API available. With some script magic I guess it will work.
- Read Suricata logs
- Sort out hosts
- Log them somewhere
- Create list
- Import list as block rule / with or without schedule
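
The steps listed above, sketched as an added example that is not part of the original post and not OPNsense code. It assumes Suricata's EVE JSON log format (one JSON object per line); the threshold, the never-block networks and the function names are hypothetical, and loading the rendered list into a firewall alias is left out.

```python
import ipaddress
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

BLOCK_FOR = timedelta(hours=6)  # lockout time asked for in the first post
THRESHOLD = 3                   # assumed: alerts per run before a host is listed
# Assumed local networks: never list them, since src_ip in an alert on
# response traffic can be your own server.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Constructed sample input (documentation addresses), not real log data.
SAMPLE = (
    ['{"event_type":"alert","src_ip":"203.0.113.5","alert":{"signature":"constructed"}}'] * 3
    + ['{"event_type":"alert","src_ip":"198.51.100.7","alert":{"signature":"constructed"}}']
    + ['{"event_type":"alert","src_ip":"192.168.1.10","alert":{"signature":"constructed"}}'] * 3
    + ['{"event_type":"flow","src_ip":"203.0.113.9"}', '{"event_type":"al']
)

def alert_sources(lines):
    """Read logs: yield the source address of every alert event."""
    for line in lines:
        try:
            ev = json.loads(line)
            if ev.get("event_type") == "alert":
                yield ipaddress.ip_address(ev["src_ip"])
        except (ValueError, KeyError, AttributeError):
            continue  # truncated line, non-alert shape or bad address

def update_blocklist(blocklist, lines, now):
    """Sort out hosts, record them with an expiry, drop expired entries."""
    for addr, hits in Counter(alert_sources(lines)).items():
        if hits >= THRESHOLD and not any(addr in net for net in NEVER_BLOCK):
            blocklist[str(addr)] = now + BLOCK_FOR
    return {ip: exp for ip, exp in blocklist.items() if exp > now}

def render(blocklist):
    """Create list: one address per line, ready to import as a block alias."""
    return "".join(ip + "\n" for ip in sorted(blocklist))

if __name__ == "__main__":
    print(render(update_blocklist({}, SAMPLE, datetime.now(timezone.utc))), end="")
```

Run periodically, the expiry check is what turns the list into a temporary lockout: a host drops off once six hours pass without it crossing the threshold again.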
-
I would like this to be a feature request..
Possibility to add IDS/IPS offenders to a temporary/permanent firewall block list..
(without the need of custom scripts or external web server for hosting said block list)