Notes below:

On Sep 22, 2008, at 9:21 PM, RB wrote:

I am thinking it might be nice to see if someone could do the following,
and therefore want to post a $100 bounty on this.

Typically the bounties are posted on the forums; you could feel things
out here, but eventually you'll need to move there.

>>> gotcha - did not know - but that helps :-)

Most of the Linux world uses BFD and/or CSF/LFD to find brute
force issues...

Not sure what your acronyms are, but sane settings on your sshd can go
a long way toward preventing skript-kiddie attacks.  That said, a good
iptables-integrated approach is to use the RECENT module - contact me
offline for details, since it's absolutely not pfSense-related.

>>>> makes sense - we have these in place... don't use port 22 / etc.
The issue is not w/ ssh itself - but rather

When someone tries to brute-force a site - after x attempts they get blocked via iptables. If we could get that to write up to PFSense somehow - that would be great. Often we see the same hacker trying multiple sites across multiple servers

:-)
What I would like to do is this.
1. Have the PFSense server query the Log files from the servers running
behind the system.

Sound network security principles are screaming and waving their hands
at this point.  Never EVER run active code on your firewall that is
reaching out (with operable credentials, no less) to an internal
system.  Even doing so for authentication is questionable.  Full stop.

To generalize what you should be requesting is that someone port
fail2ban-server or its ilk to run on FreeBSD/pfSense and accept rule
changes from a trusted host.  At a very minimum, a tool that will
monitor logs and issue dynamic block requests to pfSense via either a
screen scraper or the XML sync mechanism.

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


Right - thus the reason for suggesting it be a central log that pulls from internal systems ---> the log system has no credentials for internal systems
pfSense pulls from the log system - perhaps via an XML feed

thanks for forcing my clarification - :-)

Glenn
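The design the thread converges on (a log host detects brute-force attempts, publishes a block list, and the firewall pulls that list and validates it before acting) is sketched below as an added example. It is not code from this thread, from pfSense or from fail2ban; the OpenSSH "Failed password" syslog lines, the addresses in them and the `<blocklist>` XML schema are all constructed for illustration, and the 5-failures-in-10-minutes threshold is an assumed policy, not one the thread states. The consumer side is where the security point from the thread lives: the firewall never holds credentials for internal hosts, it only fetches a feed, and it refuses to install a block for anything in its own protected ranges so a poisoned or buggy feed cannot lock out legitimate addresses.

```python
"""Fail2ban-style detection over sshd log lines, published as an XML block
list, plus the validation a firewall should apply before consuming it.
Added example with hypothetical names; not pfSense or fail2ban code."""
import ipaddress
import re
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta

# OpenSSH failure lines in classic syslog format (no year in the timestamp).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)

# Constructed sample log (documentation and RFC 1918 addresses only).
SAMPLE_LOG = """\
Sep 22 21:01:03 web1 sshd[2011]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Sep 22 21:01:05 web1 sshd[2011]: Failed password for invalid user admin from 203.0.113.45 port 51023 ssh2
Sep 22 21:01:06 web1 sshd[2011]: Failed password for root from 203.0.113.45 port 51024 ssh2
Sep 22 21:01:09 web1 sshd[2011]: Failed password for root from 203.0.113.45 port 51025 ssh2
Sep 22 21:01:11 web1 sshd[2011]: Failed password for root from 203.0.113.45 port 51026 ssh2
Sep 22 21:02:00 web1 sshd[2012]: Accepted publickey for glenn from 192.0.2.10 port 40000 ssh2
Sep 22 21:03:14 web1 sshd[2013]: Failed password for glenn from 192.0.2.10 port 40001 ssh2
Sep 22 21:05:30 web1 sshd[2014]: Failed password for invalid user test from 10.0.0.7 port 33000 ssh2
Sep 22 21:05:31 web1 sshd[2014]: Failed password for invalid user test from 10.0.0.7 port 33001 ssh2
Sep 22 21:05:32 web1 sshd[2014]: Failed password for invalid user test from 10.0.0.7 port 33002 ssh2
Sep 22 21:05:33 web1 sshd[2014]: Failed password for invalid user test from 10.0.0.7 port 33003 ssh2
Sep 22 21:05:34 web1 sshd[2014]: Failed password for invalid user test from 10.0.0.7 port 33005 ssh2
Sep 22 21:10:00 web1 sshd[2015]: Failed password for root from 198.51.100.9 port 44000 ssh2
Sep 22 21:20:00 web1 sshd[2016]: Failed password for root from 198.51.100.9 port 44001 ssh2
Sep 22 21:30:00 web1 sshd[2017]: Failed password for root from 198.51.100.9 port 44002 ssh2
Sep 22 21:40:00 web1 sshd[2018]: Failed password for root from 198.51.100.9 port 44003 ssh2
Sep 22 21:50:00 web1 sshd[2019]: Failed password for root from 198.51.100.9 port 44004 ssh2
"""


def parse_failures(log_text, year=2008):
    """Map source IP -> list of failure timestamps (syslog omits the year)."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        failures[m.group("ip")].append(ts)
    return failures


def offenders(failures, threshold=5, window=timedelta(minutes=10)):
    """IPs with `threshold` or more failures inside any sliding `window`."""
    hits = set()
    for ip, times in failures.items():
        times = sorted(times)
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                hits.add(ip)
                break
    return hits


def build_feed(ips, source="loghost"):
    """Log-host side: serialise the block list as a small XML document."""
    root = ET.Element("blocklist", source=source)
    for ip in sorted(ips):
        ET.SubElement(root, "host", action="block", reason="ssh-bruteforce").text = ip
    return ET.tostring(root, encoding="unicode")


# Ranges the firewall must never block, whatever the feed says (constructed).
PROTECTED = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def consume_feed(xml_text, protected=PROTECTED):
    """Firewall side: accept only well-formed, routable, non-protected hosts."""
    root = ET.fromstring(xml_text)
    if root.tag != "blocklist":
        raise ValueError("unexpected feed root element")
    accepted, rejected = [], []
    for host in root.findall("host"):
        raw = (host.text or "").strip()
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            rejected.append((raw, "not an IP address"))
            continue
        if any(addr in net for net in protected):
            rejected.append((raw, "protected range"))
        elif addr.is_loopback or addr.is_link_local or addr.is_multicast or addr.is_unspecified:
            rejected.append((raw, "non-routable address"))
        else:
            accepted.append(str(addr))
    return accepted, rejected


if __name__ == "__main__":
    blocked = offenders(parse_failures(SAMPLE_LOG))
    feed = build_feed(blocked)
    print(feed)
    print(consume_feed(feed))
```

The sliding window matters for the third address in the sample: five failures spread over forty minutes never satisfy the threshold, so slow probing is not blocked at this setting and would need a longer window or a lower threshold, a trade-off the operator makes explicitly rather than by accident. The 10.0.0.7 entry shows the other half: it is a genuine offender by the log host's count, yet the firewall drops it because it falls in a protected range, which is the behaviour you want when the feed can be wrong.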

