"Access denied" Filter

I want a firewall rule that fires whenever a packet containing “Access denied” is sent/seen 10 times or more in a 60 second interval. How do I do that?

Matt

In general, access lists (ACLs) operate at layer 3 and only know about things like source and destination IP address. They’re not aware of application layer things like access denied messages. You’d need to use some sort of application aware mechanism to detect the specific form of access denied you’re looking for (I’ll assume you’re talking about HTTP and not some other protocol) and then create an ACL based upon some criteria like the one you gave, for example.

In short, in ROS I’d imagine that, if this is even possible, you’d need to do some scripting.

What about this:

/ip firewall filter
add chain=forward src-address=12.0.0.2 protocol=tcp src-port=22-23 content="Access denied" dst-limit=10/1m,1,dst-address/1m40s \
    action=add-dst-to-address-list address-list=failed address-list-timeout=4d comment="" disabled=no

Will that do it?

Matt

Never tried anything like that before. I’d say you’re on the right track. Obviously you need to have a filter rule that discards everything on the failed list.

What type of application traffic are you trying to discard? Obviously SSH traffic on port 23 is encrypted.

Obviously SSH traffic on port 23 is encrypted.

Stupid me. That just bit me in the butt. I am trying to catch IPs trying to brute force my router. When I catch the IPs trying it I want to ban them from my ENTIRE network to protect my own stuff and my customers.

Another way may be to ban IPs that send more than 3 TCP SYN packets to port 22-23 on my router in a 60 second span. Still not easy.

Everyone keeps saying just change the SSH port. I don’t want to do that. I want to put the IPs that do this in a list and block them from my entire /23 or more of users. End users do not always choose good passwords or keep things secure, so I want to do what I can at the gateway.

Matt
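A RouterOS filter set that implements the SYN-counting idea from the last post (more than 3 new TCP connections to 22-23 on the router within 60 seconds gets the source banned from the whole network). This is an added example, not something posted in the thread; it uses the staged address-list pattern MikroTik documents for brute-force prevention, and the list names ssh_stage1..3 / ssh_blacklist and the 4d ban are assumptions.

```routeros
/ip firewall filter
# Drop anything from an already-blacklisted address, both traffic aimed at
# the router itself (input) and traffic passing through to customers (forward).
add chain=input protocol=tcp dst-port=22-23 src-address-list=ssh_blacklist \
    action=drop comment="drop known brute-forcers hitting the router"
add chain=forward src-address-list=ssh_blacklist \
    action=drop comment="keep blacklisted hosts out of the entire customer range"

# Counting stages: each new connection (SYN) to 22-23 moves the source address
# one stage further. Rules are ordered most-advanced stage first, so a single
# SYN advances exactly one stage. The 4th SYN inside the 1m windows (i.e. more
# than 3 in 60 seconds) puts the source into ssh_blacklist for 4 days.
add chain=input protocol=tcp dst-port=22-23 connection-state=new \
    src-address-list=ssh_stage3 action=add-src-to-address-list \
    address-list=ssh_blacklist address-list-timeout=4d
add chain=input protocol=tcp dst-port=22-23 connection-state=new \
    src-address-list=ssh_stage2 action=add-src-to-address-list \
    address-list=ssh_stage3 address-list-timeout=1m
add chain=input protocol=tcp dst-port=22-23 connection-state=new \
    src-address-list=ssh_stage1 action=add-src-to-address-list \
    address-list=ssh_stage2 address-list-timeout=1m
add chain=input protocol=tcp dst-port=22-23 connection-state=new \
    action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m
```

Place an accept rule for your own management addresses above these, otherwise a few mistyped passwords from your own workstation will lock you out for four days.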