How to configure an action for 'automatically blocking an IP for an hour' during a vulnerability scan?

L4 Transporter


Hello,

Would this be possible to implement?
Configure my firewall to take an action for 'automatically blocking an IP for an hour' during a vulnerability scan.

Objects -> Custom Objects -> Vulnerability

Example: auto-block the attacker's IP for 1 hour if any Bash vulnerability-scan signature matches 10 times in 10 seconds.

Imagen 1.jpg

I want "OR" condition.

Imagen 02.jpg

 

Imagen 15.jpg

Imagen 16.jpg

 

Here, in addition to "IP address exemptions", there should also be an option for "region exemptions".

Imagen 17.jpg

Last weekend we suffered a Bash vulnerability scan from different origins (countries). Do you think this might work?

 

If this worked well, it could be a good method to dissuade an attacker.

Regards

dicu

All Replies
L4 Transporter

Hi COS,

 

Your screenshots are very small, I can't see any detail. What is in the OR condition? Is there a reason why you did not simply change the timer in the existing Bash remote code execution vulnerabilities? Did you really need a brute-force style vulnerability?

 

Benjamin

L5 Sessionator

Hi Bradley,

 

You have an "and" condition, but you wanted "or"; that is the left one of the two buttons circled in the red square. They should all end up under a single "And Condition 1"... as in:

rules.png

 

Also, the direction should not be "both"; it is client2server, right? The server will not attack someone :)

Besides all this, you will need to include this newly created vulnerability in the existing profile that applies to the security policy protecting this communication. I hope you didn't forget that part of the config :)

 

Regards

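To reason about what the configuration discussed above actually does before committing it, here is an added example (not PAN-OS code and not from anyone in this thread) that models the behaviour of one custom vulnerability signature with a time attribute: N matches from one source inside a sliding window trigger a block-ip action that drops that source for a fixed duration, tracked by source. It also models the two points from the reply above (OR versus AND conditions, and matching only the client2server direction) plus the IP and region exemptions the original poster asked for. The pattern strings, addresses, thresholds and the idea that the caller knows a source's region are all constructed assumptions for the example.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network


class BlockIpSignature:
    """Model of a custom signature with a time attribute and a block-ip action.

    Added example, not firewall code. Assumptions (constructed): matches are
    evaluated on a request string, the caller supplies a source's region,
    and time is a float number of seconds.
    """

    def __init__(self, patterns, match="or", threshold=10, interval=10.0,
                 block_seconds=3600.0, direction="client2server",
                 exempt_ips=(), exempt_regions=()):
        if match not in ("or", "and"):
            raise ValueError("match must be 'or' or 'and'")
        self.patterns = tuple(patterns)     # the signature's conditions
        self.match = match                  # "or": any condition; "and": all
        self.threshold = threshold          # hits needed within the interval
        self.interval = interval            # sliding window, seconds
        self.block_seconds = block_seconds  # how long block-ip lasts
        self.direction = direction
        self.exempt_nets = [ip_network(n) for n in exempt_ips]
        self.exempt_regions = set(exempt_regions)   # the poster's wish
        self.hits = defaultdict(deque)      # src -> timestamps of matches
        self.block_table = {}               # src -> expiry time

    def matches(self, payload):
        found = [p in payload for p in self.patterns]
        return any(found) if self.match == "or" else all(found)

    def exempt(self, src, region):
        addr = ip_address(src)
        return (region in self.exempt_regions
                or any(addr in net for net in self.exempt_nets))

    def inspect(self, src, payload, now, direction="client2server", region=None):
        """Verdict for one packet from src at time now: 'allow' or 'block-ip'."""
        expiry = self.block_table.get(src)
        if expiry is not None:
            if now < expiry:
                return "block-ip"           # still in the block table: dropped
            del self.block_table[src]       # timer reached 0
        if direction != self.direction or not self.matches(payload):
            return "allow"
        if self.exempt(src, region):
            return "allow"                  # matched, but exempted
        window = self.hits[src]
        window.append(now)
        while window and now - window[0] > self.interval:
            window.popleft()                # forget hits outside the window
        if len(window) >= self.threshold:
            self.block_table[src] = now + self.block_seconds
            window.clear()
            return "block-ip"
        return "allow"                      # matched, but under the threshold

    def remaining(self, src, now):
        """Seconds left on the block timer for src (0.0 if not blocked)."""
        expiry = self.block_table.get(src)
        return max(0.0, expiry - now) if expiry is not None else 0.0

    def clear(self, src):
        """Manual unblock before the timer reaches 0. True if src was blocked."""
        return self.block_table.pop(src, None) is not None


if __name__ == "__main__":
    # Constructed Shellshock-style request used as the matching payload.
    sig = BlockIpSignature(patterns=("() {", "/bin/bash"), match="or",
                           exempt_ips=("192.0.2.0/24",), exempt_regions={"NL"})
    req = "User-Agent: () { :;}; /bin/bash -c id"
    for t in range(12):
        print(t, sig.inspect("203.0.113.7", req, float(t)),
              sig.remaining("203.0.113.7", float(t)))
```

Running it shows nine matches pass unblocked, the tenth inside the window returns block-ip, and every later packet from that source is dropped with the timer counting down from 3600. Note that once a source is in the block table the payload is no longer inspected at all; a matching request from an exempt address or region, or in the server2client direction, never contributes a hit.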

L4 Transporter

Hello

I have two questions about this:
How can I verify that the firewall is blocking the attacking IP?

.. I imagine in the (threat) logs. ;-)
How can I check the time (timer) remaining for a specific blocked IP?

Regards,

dicu

L4 Transporter

Hi,

 

You will see an entry in the threat logs with the action "block-ip". To see the list of currently blocked IPs, use the following command in the CLI:

 

debug dataplane show dos block-table

 

If you want to remove an IP address from the block list before the timer reaches 0:

 

clear dos-protection zone <sourcezone> blocked source <ip-addr>

 

Benjamin

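As an added example of the verification step described above (not code from this thread or from the firewall vendor), the following script reads a threat-log extract, keeps only the entries whose action is block-ip, estimates from their timestamps how much of the configured block duration is left per source, flags sources that were blocked again after an earlier block expired, and prints the clear command from the reply above for a given false positive. The log lines are a constructed, heavily simplified extract: a real threat log has many more columns, and the times, addresses, zone and threat name are all made up. The remaining-time figures are only an estimate derived from the logs; the block table shown by `debug dataplane show dos block-table` holds the authoritative timer.

```python
import csv
from datetime import datetime
from io import StringIO

# Constructed, simplified threat-log extract for this example. Only the
# columns used below are kept and every value is invented.
SAMPLE_THREAT_LOG = """\
receive_time,threat_name,src,dst,src_zone,action
2015/03/07 02:10:03,Custom Bash scan (any),203.0.113.7,198.51.100.10,untrust,block-ip
2015/03/07 02:10:31,Custom Bash scan (any),203.0.113.44,198.51.100.10,untrust,block-ip
2015/03/07 02:12:52,Custom Bash scan (any),192.0.2.9,198.51.100.10,untrust,alert
2015/03/07 03:11:09,Custom Bash scan (any),203.0.113.7,198.51.100.10,untrust,block-ip
2015/03/07 03:12:40,Custom Bash scan (any),198.51.100.77,198.51.100.10,untrust,block-ip
"""

BLOCK_SECONDS = 3600            # block duration configured on the signature (assumed)
TIME_FMT = "%Y/%m/%d %H:%M:%S"  # timestamp format of the constructed extract


def parse_time(text):
    return datetime.strptime(text, TIME_FMT)


def block_events(log_text):
    """Return {src: [sorted datetimes]} for every row whose action is block-ip.

    Rows with any other action (alert, drop, ...) did not put the source in
    the block table and are ignored.
    """
    events = {}
    for row in csv.DictReader(StringIO(log_text)):
        if row["action"] != "block-ip":
            continue
        events.setdefault(row["src"], []).append(parse_time(row["receive_time"]))
    for stamps in events.values():
        stamps.sort()
    return events


def estimated_remaining(log_text, now, block_seconds=BLOCK_SECONDS):
    """Estimate seconds left on each block from the latest block-ip entry.

    Sources whose estimated block has already expired are omitted. This is
    an estimate from the logs only; the firewall's block table is authoritative.
    """
    remaining = {}
    for src, stamps in block_events(log_text).items():
        left = block_seconds - (now - stamps[-1]).total_seconds()
        if left > 0:
            remaining[src] = int(left)
    return remaining


def repeat_offenders(log_text, block_seconds=BLOCK_SECONDS):
    """Sources blocked again after an earlier block ran out.

    The timer alone is not stopping these; they are candidates for a longer
    duration or a permanent security-policy rule rather than a false positive.
    """
    offenders = []
    for src, stamps in block_events(log_text).items():
        for earlier, later in zip(stamps, stamps[1:]):
            if (later - earlier).total_seconds() >= block_seconds:
                offenders.append(src)
                break
    return sorted(offenders)


def clear_command(src_zone, src):
    """CLI command from the reply above for unblocking a false positive early."""
    return f"clear dos-protection zone {src_zone} blocked source {src}"


if __name__ == "__main__":
    now = parse_time("2015/03/07 03:30:00")   # constructed 'current' time
    print("estimated remaining:", estimated_remaining(SAMPLE_THREAT_LOG, now))
    print("repeat offenders:", repeat_offenders(SAMPLE_THREAT_LOG))
    print("to unblock a false positive:", clear_command("untrust", "203.0.113.44"))
```

A source that keeps reappearing after each expiry is the case the original poster hit with scans from several countries: clearing it by hand only buys an hour, so it belongs either on a longer block or in a policy rule, while a genuine false positive should be cleared and then added to the signature's exemptions so the IPS does not block it again on the next match.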

L4 Transporter

Hello

Interesting commands.
The command is quite helpful for unblocking an IP (false positive). I would also add the IP to the exclusion list, because otherwise the IPS is likely to block it again if it detects a threat.

 

Thank you very much everybody.

dicu ;-)
