How do you add sites or IP addresses to the intrusion prevention blocked list? You can add to the white list, but not the black list?
Responses (1)
Accepted Answer
Do you really mean the IPS or the Attack Detector? Either way they just use firewall rules in combination with ipset. It looks like the snortsam_EGRESS and snortsam_INGRESS ipset lists just contain lists of IPs, so they should be easily hackable. snortsam_SELF is a list of ip,port,ip so I don't know what should go in there. I would not, however, go down this route as it looks like all entries time out after 3600s, so you won't get a permanent block.
You could go down the Custom Firewall rule route for individual firewall rules or do something like I used to do until I became bored with it. Create a file like /etc/clearos/firewall.d/95-custom_blocks and in it put something like:
    # create the set if it does not exist yet, then empty it so stale entries go away
    ipset create custom-block hash:net -exist
    ipset flush custom-block
    if [ "$FW_PROTO" == "ipv4" ]; then true
        # drop new inbound connections from anything in the set
        $IPTABLES -I INPUT -m set --match-set custom-block src -m state --state NEW -j DROP
        # uncomment to log the hits instead of (or before) dropping them
        #$IPTABLES -I INPUT -m set --match-set custom-block src -m state --state NEW -j LOG --log-prefix "Custom_Block"
    fi
    ipset add -exist custom-block 1.160.40.0/22
    ipset add -exist custom-block 1.162.168.0/21
    ipset add -exist custom-block 1.162.232.0/21
    ipset add -exist custom-block 41.86.155.53
    ipset add -exist custom-block 52.174.95.241
    etc....

Adjust the firewall to suit what you want. The ipset blocks can be either IP addresses or subnets.
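A way to keep the block list maintainable alongside the script above, as an added example that is not part of the original post: the entries live in a plain file (assumed here to be /etc/clearos/custom-block.list, one IPv4 address or CIDR per line, `#` comments allowed) and a small generator validates each one and emits the `ipset add -exist` lines, so a typo in the list cannot break the firewall.d script when it runs. The `ipset create`/`flush` and `$IPTABLES` lines stay in the firewall.d file as in the answer; only the `ipset add` lines are generated.

```shell
#!/bin/sh
# Added example, not ClearOS code. Validates block-list entries and prints the
# matching "ipset add" commands for the custom-block set used in the answer.
# Assumed list file: /etc/clearos/custom-block.list (IPv4 only, like the post).

SET_NAME="custom-block"

# is_ipv4_entry: return 0 if $1 is a dotted-quad IPv4 address or a CIDR (/0-/32).
is_ipv4_entry() {
    entry=$1
    addr=${entry%%/*}
    case "$entry" in
        */*) prefix=${entry#*/} ;;
        *)   prefix=32 ;;
    esac
    case "$prefix" in
        ''|*[!0-9]*) return 1 ;;     # prefix must be purely numeric
    esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1         # exactly four octets
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# gen_block_rules: read entries from stdin, print an "ipset add" line for each
# valid one, report rejected ones on stderr. Returns 1 if anything was rejected,
# so a wrapper can refuse to overwrite the firewall.d file on a bad list.
gen_block_rules() {
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                               # strip trailing comment
        line=$(printf '%s' "$line" | tr -d ' \t')      # strip whitespace
        [ -z "$line" ] && continue
        if is_ipv4_entry "$line"; then
            printf 'ipset add -exist %s %s\n' "$SET_NAME" "$line"
        else
            printf 'rejected entry: %s\n' "$line" >&2
            rc=1
        fi
    done
    return $rc
}

# usage: gen_block_rules < /etc/clearos/custom-block.list >> /etc/clearos/firewall.d/95-custom_blocks
```

Run it after the fixed header of the firewall.d script has been written, and check its exit status before installing the result.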