dynamic blacklisting ? ulog/shorewall ?

Posted: Thu Feb 07, 2008 8:39 pm
by smurphy
Hi Folks,

As I do this on my already existing router/modem/firewall (based on a CV860A Lex mini-ITX), and I am planning on duplicating that functionality onto the RB153 that should arrive soon - here is my specific question.

I have a DB server that concentrates all security information from portscans, ssh password probing etc. inside a MySQL database. Now - portscans are written in there through the ulog extension of iptables, and for other attacks I wrote some scripts to detect these and put an entry into the MySQL DB.

As soon as changes are performed - a small daemon running on my firewall checks the new entries in the MySQL DB (remotely over the network - openvpn tunnel) - and adds the attacker IPs to a dynamic blacklist.

Note that I use shorewall as firewall on that box - have set up my own mini-Linux on it...

Now - to my questions:
a. Is there a possibility to remotely perform changes on the routerOS firewall - via scripting ?

- or -

b. Do I have the possibility to actually write my own scripts that will be executed on the RB153/RouterOS?
Also - does the iptables implementation on RouterOS have a ulog extension inside?

c. Is there the possibility to use Shorewall on RouterOS? It's one of the most flexible firewall-generating scripts I have seen...

Thx for any response ...

Re: dynamic blacklisting ? ulog/shorewall ?

Posted: Fri Feb 08, 2008 9:39 am
by normis
You can write some kind of expect script on your DB machine that will telnet into your RouterOS machine and inject the data from the SQL into the RouterOS Firewall Address List (that can be used for black/white listing).

Yes, you can also write your own scripts, and for example make ROS fetch a text file that contains the addresses as firewall commands.
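The second approach above (the DB side generates a text file of RouterOS firewall commands that the router later fetches and imports) as an added example; this is not code from the thread or from MikroTik. It assumes an `/ip firewall address-list` named `blacklist`, a drop rule on the router that already references that list, and that only this feed populates the list; the sample rows are constructed, and an in-memory SQLite table stands in for the poster's MySQL DB. Every row is validated as a routable IPv4 address before it is written out, so a malformed DB entry can never become an extra command on the router.

```python
import ipaddress
import re
import sqlite3

# Constructed sample rows standing in for the MySQL security DB:
# (attacker IP, detected event type). Two rows are deliberately bad.
SAMPLE_ROWS = [
    ("203.0.113.7", "portscan"),
    ("198.51.100.23", "ssh-probe"),
    ("203.0.113.7", "ssh-probe"),                     # same IP twice: merge
    ("10.0.0.5", "portscan"),                         # private range: skip
    ('203.0.113.9" ; /system reset', "portscan"),     # junk: must never be emitted
]

# Ranges that must never be banned, so the VPN/LAN side stays reachable.
NEVER_BAN = [ipaddress.IPv4Network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def load_rows(rows=SAMPLE_ROWS):
    """Stand-in for the MySQL query: in-memory SQLite, returns (ip, kind) rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (ip TEXT, kind TEXT)")
    conn.executemany("INSERT INTO events VALUES (?, ?)", rows)
    return conn.execute("SELECT ip, kind FROM events ORDER BY rowid").fetchall()


def build_blacklist_script(rows, list_name="blacklist", timeout="1d"):
    """Return (script_text, rejected_values) for RouterOS '/import'.

    Only syntactically valid, non-reserved IPv4 addresses are emitted; the
    comment is reduced to a safe character set. 'timeout=' is an assumption
    about the RouterOS version in use (it exists on current releases).
    """
    kinds, rejected = {}, []
    for ip_text, kind in rows:
        try:
            ip = ipaddress.IPv4Address(ip_text.strip())
        except ValueError:                  # covers AddressValueError too
            rejected.append(ip_text)
            continue
        if ip.is_multicast or any(ip in net for net in NEVER_BAN):
            rejected.append(ip_text)
            continue
        safe_kind = re.sub(r"[^A-Za-z0-9_-]", "", kind)[:32]
        kinds.setdefault(str(ip), set()).add(safe_kind)
    lines = ["# generated blacklist feed; replaces the whole list on each import",
             f"/ip firewall address-list remove [find list={list_name}]"]
    for addr in sorted(kinds, key=ipaddress.IPv4Address):
        tags = ",".join(sorted(kinds[addr]))
        lines.append(f"/ip firewall address-list add list={list_name} "
                     f"address={addr} timeout={timeout} comment=\"{tags}\"")
    return "\n".join(lines) + "\n", rejected
```

Publish the returned text on an HTTP server reachable only over the VPN and have a scheduler entry on the router run `/tool fetch` followed by `/import` on the downloaded file; the `rejected` list is what you would log on the DB side to spot corrupt rows.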

Re: dynamic blacklisting ? ulog/shorewall ?

Posted: Fri Feb 08, 2008 9:25 pm
by smurphy
Thx for the heads-up ... I did also read all I could find and discovered that a similar way to dynamically blacklist IPs exists somewhere else. However, adding the fetch option to it sounds really great.

Another question - as I do some decent statistical analysis - do you have a ulog extension for RouterOS?
ulogd? As this would drastically ease all that I have in mind doing with that box.
Guess I'll have to compile it myself for that box if not ...

Thx for any hints.