News: This forum is now permanently frozen.
Pages: [1]
Topic: Submit black- or blocklists to monowall  (Read 6415 times)
« on: February 01, 2013, 13:57:41 »
ewuewu *
Posts: 7

Hello List,

We have several servers running behind monowall. On some of these servers we are collecting info’s from clients with unwanted behavior, like portscans, sql-injections and so on.
It would be nice if there would be a way to send IP-addresses of those attackers to monowall, to block them for further connections.
Another feature I would appreciate is, to remove those IP’s from the list after a while.

Has anyone of you an idea, how I could manage such a mechanism with monowall?
« Reply #1 on: February 01, 2013, 17:05:28 »
Јаневски ***
Posts: 153

I think that this thread could be moved to Feature Requests.

Anyhow, You could write a script an push the data from the server to m0n0's web interface, in order to add block list, and then after a while to flush, but then again why bother doing that when You could apply the rule on the server itself, and flush after a while.
I've done such scenario with Linux quite some time ago (only endpoint servers involved), technically it worked great but then I realized it was not a good idea and removed it entirely.

Anyhow, in my opinion, m0n0 is light router/firewall solution with the potential of being a core router with some modifications. As it is, addition of advanced Intrusion Detection Solution/Intrusion Prevention Solution would add up unecessary weight of the project, bigger memory footprint, higher CPU demand, bigger attack surface and lower reliability factor, thus steering the m0n0 project out of course.
Server security should be implemented on service level and service-application level while in development.

That's my opinion regarding this matter.

PS: I've recently had such problem with an e-banking web service because someone thought that putting "@" character among the other characters in password input string in HTTPS POST requests is "a sin" (security threat). At the end i ended up not using their service anymore.

If the service system is really built well enough It's okay to give a short error message, at least once, it won't compromise system security.
If the system is flawed, then adding additional layers of abstraction is a waste of money - time/space, better rebuild it from scratch, or at least from the latest stable version.
« Last Edit: February 01, 2013, 20:11:42 by Јаневски »

« Reply #2 on: February 02, 2013, 09:46:51 »
ewuewu *
Posts: 7

Hello Јаневски

thank you for your reply. I agree that monowall is lightweight firewall and we should keep small footprints. It is not my intention to convert monowall into an IDS.

But where else is the best place to block unwanted clients from a net if it is not on the firewall? I think blocking is the ultimate core feature of a firewall.

My intention is, if I detect hacking, sniffing, grabbing or something else on one of my servers behind the firewall, I would save the other servers from being attacked cause it leads to unwanted traffic and performance usage.

That’s why my ideas is if I detect unwanted behavior on one server, I would like to have an opportunity to block those unwanted attackers from my whole net.
You are right, detecting attacks and the creation- and removing-process for blacklists Is not the job of monowall, but blocking itself is from my point of view definitely a firewall job.
So, that’s why I would appreciate a simple way to send those lists to the monowall.

By the way, how can I move this thread to feature request?

Pages: [1]
Powered by SMF 1.1.20 | SMF © 2013, Simple Machines