Hi there,
Problem scope:
While IDS works quite well and blocks 90% of malicious IPs/traffic that hits the firewall, some malicious actors still hammer me for having ports open that I cannot close for various reasons. For example, I am not able to close port 22 or 3389 to one or two segregated servers on my network. While this is undesirable and not recommended, there are still many cases where it is not possible to easily close these ports off for various reasons. While I have taken steps to limit their exposure to the LAN, and if compromised they would not cause major issues, this could be improved.
Describe alternatives you've considered
Currently using alternatives such as fail2ban, which adds IPs that try to connect to the local server's iptables as a block.
Describe the solution you'd like
I would like to move this solution to the firewall. One thing I have noticed is that malicious IPs will attempt to connect on many different ports. This is why changing the port from, say, 3389 to some other port such as 51216 or any other number does not help mitigate the issue. However, one thing that would help is if I could create a NAT rule that, if triggered, could add the IP that connected to an alias. This would allow me to set up a block rule above it using this alias, which would automatically fill with IPs that tripped the incorrect NAT rule. Since a malicious bot would be unable to know which port is the correct port to connect on, and would scan all of them, this feature would allow IPs to be added automatically to a block rule that would grow over time and hard-block a list of IPs from all services on the firewall. So to be clear, one might have a NAT rule on port 4000 that you don't want this blocking feature on, while an identical rule on port 3389 does add the IPs to the alias, creating a scenario where a bot which did not know which port to connect on would trip the rule and get itself added to a blocklist.
While this is just one use case for such a feature, there might be other reasons to be able to automatically add IPs to an alias, say from the logs or from the tagging feature or some other method that might be useful to people that I have not thought of.
While the scenario described is not a perfect solution, and again I wish to stress I understand it is not recommended to have ports open to a server, such as ssh, it is simply a recognition that products like fail2ban exist for a reason because other people are faced with a similar problem, and a feature (perhaps not in this exact form) such as the above would work similarly to reduce the attacks by a large %, making reviewing illegitimate traffic in the logs much easier and in addition clearing a lot of automated traffic sent to scan and try to compromise the firewall/network. At the moment, reviewing large logs and not being able to distinguish between an automated bot and possibly a real malicious actor is quite hard since logs get filled so quickly. Reducing this down would help, at least in my case, to a large degree and allow me to home in on specific areas.
I also understand if people don't like the idea, and that's ok too, and can continue to use other products that assist in these edge case scenarios if it goes against some sort of ideological belief.
Kind regards
Pete
@pallebone Would it be simpler to add fail2ban as a plugin?
How would this function/work? On a server where fail2ban is installed it monitors the ssh service logs and looks for authentication issues. Would this plugin require the firewall to have an ssh server running and open on it for the fail2ban plugin to function? If that is the case then I would not recommend such an option.
After doing a bit more research it looks like others have had some success with implementing fail2ban using ipfw. Another option I've looked into is a bit simpler, but I'd need to look into how to translate the iptables rules mentioned to ipfw.
Re: ssh server, you wouldn't need the server to be running on OPNsense since you can configure the actions and jails in fail2ban. I'd imagine, without looking into it now, that you could have fail2ban run through the ipfw logs and configure your actions based on those.
@maxfield-allison fail2ban is intended to guard services running on the same machine if I'm not mistaken, to protect web and ssh access from the firewall itself we have a syslog-ng hook in 20.7 which will ban unauthorised users (similar to fail2ban).
If a plugin were created for fail2ban, there is functionality to centralize the database that all instances will use.
Our aliases can easily be used to fetch content from a remote location; that's probably easier to use.
In that case, the external alias could be interacted with via the API, and a script on the host running fail2ban could push those blocked IPs to the alias entry.
Sorry for falling behind, but this sounds good. If the firewall can capture IPs from a fail2ban database and add them to an alias, this sounds very good. I believe this is what you are suggesting. If so, this solution sounds excellent.
I'm only pointing to existing functionality (aliases from http[s] sources), the fail2ban part you have to handle yourself.
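The workflow sketched in the two comments above (fail2ban on a host, its bans exported as a plain one-entry-per-line list that an OPNsense URL-table alias fetches over HTTP(S)) as an added example; this is not code from the thread or from the OPNsense or fail2ban projects. It assumes the fail2ban 0.10+ sqlite schema (table `bans` with `jail`, `ip`, `timeofban`, `bantime` columns), builds a constructed sample database inline, and drops expired bans and private/loopback addresses so a LAN mistake never becomes a firewall-wide block.

```python
import ipaddress
import os
import sqlite3
import time

# Ranges that must never land in a firewall-wide block alias.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]

def active_bans(db_path, now=None):
    """Sorted, de-duplicated IPs whose ban is still in effect. Assumes the
    fail2ban 0.10+ table bans(jail, ip, timeofban, bantime), bantime -1 = permanent."""
    now = time.time() if now is None else now
    conn = sqlite3.connect(db_path)
    rows = conn.execute("SELECT ip, timeofban, bantime FROM bans").fetchall()
    conn.close()
    banned = set()
    for ip, timeofban, bantime in rows:
        if bantime != -1 and timeofban + bantime <= now:
            continue  # expired: do not keep blocking a stale host
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed entry: skip rather than poison the list
        if any(addr in net for net in LOCAL_NETS):
            continue  # a LAN/loopback hit must not become a global block
        banned.add(addr)
    return [str(a) for a in sorted(banned, key=lambda a: (a.version, int(a)))]

def write_alias_list(ips, path):
    # One entry per line: the plain-text form a URL-table alias fetches.
    text = "".join(ip + "\n" for ip in ips)
    with open(path, "w") as fh:
        fh.write(text)
    return text

def build_sample_db(path):
    """Constructed sample fail2ban database so the script runs offline."""
    if os.path.exists(path):
        os.remove(path)
    with sqlite3.connect(path) as conn:
        conn.execute("CREATE TABLE bans (jail TEXT, ip TEXT, timeofban INTEGER, bantime INTEGER)")
        conn.executemany("INSERT INTO bans VALUES (?, ?, ?, ?)", [
            ("sshd", "203.0.113.7", 1000000, -1),     # permanent ban
            ("sshd", "203.0.113.7", 1000500, 600),    # same host banned again
            ("sshd", "198.51.100.9", 1000000, 600),   # expired by now=1001000
            ("nginx", "192.168.1.20", 1000900, 600),  # private address, dropped
            ("sshd", "2001:db8::1", 1000900, 3600)])  # IPv6, still active
```

Serve the written file from a web server the firewall can reach and point a URL-table alias at it; re-running the script on a schedule keeps the alias in step with fail2ban's own expiry.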
I see, I'm not really able to do this on my own unfortunately as I lack the technical knowledge to complete such a task on my own :(
@pallebone, This would be a good starting point. I'll install Fail2ban on my docker host in the coming days and see about setting something up and writing a script. Once I have it completed I'll push it to a repo on my profile and link it here for you.
Thank you @maxfield-allison, that would be really kind of you and I would appreciate it a lot. I will try to help in any way possible, even if it's just testing what you have etc. Getting something going where malicious IPs can be identified and blocked on the firewall to all services would be a really helpful step for quite a few users I believe, as at the moment I can identify malicious IPs connecting to an SSH server, and that ssh server can block them, but there is no method currently to then take that list and block them to all other services the firewall is allowing via port forward (the same IPs might be trying to compromise a webserver behind the firewall, for example). An improvement here that can be semi-automatic would be something nice for OPNsense to have over other alternative firewalls and a small additional layer of protection.
I agree. My server currently only has 80 and 443 for reverse proxy and IDS does a very good job of blocking traffic on those ports so I may not have the best log and database to operate from initially. Luckily it doesn't take much to create a sample database and work from there. I'll let you know when I have something up; I plan to start working on this today if time permits.
Thanks, I don't want you to feel rushed though. I'm not impatient and am happy to work with you only as you have time. I understand you are helping me out as a favour so I appreciate that and will happily wait so you don't get stressed out :)
It's really no problem, I've been hunting for something that I can dip my feet in the water with after my first real commit to a major repo lol. This seems like it will be a good first project for me.
Work has picked up so I have not had much time to look into this. My apologies!
No worries, whenever you have time.
Hi @maxfield-allison, just to let you know I ended up doing something else so I don't believe this is relevant to me any longer. I am maintaining a list in a different way now and wanted to let you know so you don't waste any time on this.
Pete
Thanks Pete, what did you end up going with instead?
I decided to create my own blocklist, which I manually update each day and am going to try to maintain it here:
https://github.com/pallebone/StrictBlockPAllebone
I found a way to do it fairly quickly each day manually, and this allows me to make a blocklist for other people to use, so I will probably just run with this going forward. Hope that's ok. Sorry man.
This issue has been automatically timed-out (after 180 days of inactivity).
For more information about the policies for this repository,
please read https://github.com/opnsense/core/blob/master/CONTRIBUTING.md for further details.
If someone wants to step up and work on this issue,
just let us know, so we can reopen the issue and assign an owner to it.