Using KFSensor with Mikrotik to secure a network/datacenter?

Anyone out there deployed KFSensor to monitor for Attacks/Intrusions, log them, and then BLOCK the source ip completely?

Idea being to have KFSensor run an external application when a particular alert hits a predefined setting; that external application would maybe be a script that SSHes into the Mikrotik and adds the ip address to the address list you use to block traffic completely? We use a hack_blacklist address list and commonly add hackers to this list, but I would like to automate it with some kind of php or similar script that can easily accept an ip address from KFSensor, connect to the Mikrotik over SSH, and add the ip address to the list automatically.

Seems like a great way to turn our great Mikrotik routers into fully configurable IDS systems that can immediately protect the network from further attacks.

Rather than use ssh to just add an address, use port knocking. Use a short TTL on the icmp packet so that it doesn't get outside your network.

ping bad.ip.address.here -l 39 -i 2 (something like that…)

Your suggestion worked great!! I set up multiple External Alerts in KFSensor for each port I wanted the block launched for, having it run c:\windows\system32\ping.exe with arguments -n 1 -l 39 -i 2 $ipsrc
Then on Mikrotik I set up a forward rule, with a source ip of the Honeypot KFSensor system, for the LAN input interface, packet size 67 (39 translated to 67 for the actual size) with an add dst to address list action that has a 10 day timeout. Now these systems that are sniffing are instantly shut down for 10 days when they hit any of the ip addresses on the Honeypot system.

add action=drop chain=forward comment="Drop Hackers" disabled=no src-address-list=hack_blacklist
add action=add-dst-to-address-list address-list=hack_blacklist address-list-timeout=1w3d chain=forward comment="HoneyPot Server Blacklister" disabled=no in-interface=ether2 packet-size=67 protocol=icmp src-address=ip.of.honeypot.system

Update:

After KFSensor added a recent update to their software to set severity for ‘external alerts’ the use of KFSensor has really worked out great.
The product is installed on shared web servers but set to monitor all TCP traffic to the server including SSH, TELNET, FTP, HTTP, HTTPS and other ports. I then set the severity for the Main Scenario TCP items and Signature Items that I want to trigger a block to HIGH.
Keyfocus is set up to execute:
EXTERNAL ALERT APP PATH : c:\windows\system32\ping.exe
EXTERNAL ALERT ARGUMENT : -n 1 -l 39 -i 2 $ipsrc
TCP / HIGH SEVERITY

add action=drop chain=forward comment="Drop Hackers" disabled=no src-address-list=hack_blacklist
add action=add-dst-to-address-list address-list=hack_blacklist address-list-timeout=1w3d chain=forward comment="HoneyPot Server Blacklister" disabled=no in-interface=ether2 packet-size=67 protocol=icmp src-address=ip.of.kfsensor

Ether2 = LAN in this particular example.

When KFSensor gets a hit for a HIGH SEVERITY it fires a specific ICMP packet size 67 to the ‘attacker source ip’. That IP is picked up by the above firewall rule and added to the hack_blacklist address list for a 10 day period. All Hackers are dropped from sending any traffic to the servers at this datacenter.
src-address=ip.of.kfsensor can be left off if you have multiple systems running KFSensor to increase the exposure.
In my current tests it seems to block about 2100 malicious ip addresses PER DAY! That's just with a single exposed server running KFSensor. Plan is to install KFSENSOR on additional systems to increase exposure.
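As an added example (not code from the thread or from KeyFocus/MikroTik), a small Python helper covering both the original SSH-script plan and the ping trigger that was adopted: it computes the IP packet size RouterOS will see for a given ping -l payload, builds the ping argument vector KFSensor runs, and refuses to blacklist non-routable or protected addresses, since $ipsrc is taken from the attacker's packets and a spoofed source must not get your own hosts dropped. The list name hack_blacklist, the 1w3d timeout and the ping arguments come from the thread; the function names, the protected_nets parameter and the sample address 203.0.113.5 are assumptions.

```python
import ipaddress

# Assumed names (not from the thread): IPV4_HEADER, ICMP_HEADER, NON_ROUTABLE,
# the functions below and the constructed sample address 203.0.113.5.
IPV4_HEADER = 20  # bytes, IPv4 header without options
ICMP_HEADER = 8   # bytes, ICMP echo request header

# Ranges that must never be handed to the drop list, whatever $ipsrc says.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def icmp_packet_size(payload_len):
    """IP total length of a Windows 'ping -l payload_len' echo request.
    RouterOS packet-size= matches this value, so -l 39 needs packet-size=67."""
    return IPV4_HEADER + ICMP_HEADER + payload_len


def ping_trigger_args(target_ip, payload_len=39, ttl=2):
    """Argument vector KFSensor's external alert runs: -n 1 -l 39 -i 2 $ipsrc.
    TTL 2 keeps the marker packet from leaving the local network."""
    return ["ping.exe", "-n", "1", "-l", str(payload_len), "-i", str(ttl), target_ip]


def is_blockable(ip_str, protected_nets=()):
    """True only for a routable public IPv4 address outside protected_nets.
    $ipsrc is taken from the attacker's own packets, so a spoofed or internal
    source address must not end up dropping traffic from your own hosts."""
    try:
        ip = ipaddress.IPv4Address(ip_str)
    except ValueError:
        return False
    nets = NON_ROUTABLE + [ipaddress.ip_network(n, strict=False) for n in protected_nets]
    return not any(ip in net for net in nets)


def routeros_blacklist_cmd(ip_str, list_name="hack_blacklist", timeout="1w3d"):
    """RouterOS CLI line an SSH-based external alert would send (the OP's first plan)."""
    if not is_blockable(ip_str):
        raise ValueError("refusing to blacklist %r" % ip_str)
    return ('/ip firewall address-list add list=%s address=%s timeout=%s '
            'comment="KFSensor auto-block"' % (list_name, ip_str, timeout))


if __name__ == "__main__":
    sample = "203.0.113.5"  # constructed attacker address
    print(icmp_packet_size(39), ping_trigger_args(sample))
    print(routeros_blacklist_cmd(sample))
```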