I have a Cisco PIX 515 as the firewall for some web servers. What I want to do is automatically add banned IPs to the firewall to block traffic at the network level.

At present I have software hooked into the web server, monitoring repeated failed logins, floods or any other suspicious activity. The missing piece is a way to block the traffic when an IP is banned.

I think the best solution would be to dynamically add the IP to an ACL on the PIX in front of the web server.

Is it possible to do that via SNMP or via any other means? The web servers are all running UNIX.

Thanks.

2 Answers

1

If you know the IP that you want to block, you can use an 'expect' script to add a 'shun' command or the comparable ACL.

You can get a feel for this by looking at the following thread:

http://www.mail-archive.com/ossec-list@googlegroups.com/msg01942.html

johnh
  • The hack detection takes place at the application level, so the application should be able to blacklist the IP on the firewall. – Dec 23 '09 at 00:23
  • I did it with expect and shun, works fine. – Dec 24 '09 at 11:19
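The expect-plus-shun approach described in the answer above, written out as an added example (this is not code from the thread or from the linked OSSEC post). It assumes SSH is enabled on the PIX, that the login user is `pix` unless `PIX_USER` says otherwise, that the PIX address and the login and enable passwords come from the environment variables `PIX_HOST`, `PIX_PASS` and `PIX_ENABLE`, and that the device's host key is already in `known_hosts`. The ban tool on the web server would call it as `pix-shun.exp ban 203.0.113.45` and later `pix-shun.exp unban 203.0.113.45` (constructed address). The script validates the address before it is sent to the device, refuses to shun a small protected list (so a forged source address in the log feed cannot lock out the management host), and checks `show shun` afterwards instead of trusting the command echo.

```expect
#!/usr/bin/expect -f
# Added example: push or remove a "shun" entry on a Cisco PIX over SSH.
# Assumed environment: PIX_HOST, PIX_PASS, PIX_ENABLE (required),
# PIX_USER (optional, default "pix"), PIX_NEVER_SHUN (optional, comma list).
# Usage: pix-shun.exp ban|unban <ipv4-address>

set timeout 15
set action [lindex $argv 0]
set ip     [lindex $argv 1]

set host   $env(PIX_HOST)
set user   [expr {[info exists env(PIX_USER)] ? $env(PIX_USER) : "pix"}]
set pass   $env(PIX_PASS)
set enable $env(PIX_ENABLE)

# Addresses that must never be blocked, whatever the ban feed says:
# the firewall itself, loopback, and anything the operator lists.
set never_shun [list $host 127.0.0.1]
if {[info exists env(PIX_NEVER_SHUN)]} {
    set never_shun [concat $never_shun [split $env(PIX_NEVER_SHUN) ","]]
}

# Strict dotted-quad check so only an address, never a second command,
# reaches the device command line.
proc valid_ipv4 {ip} {
    if {![regexp {^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$} $ip -> a b c d]} {
        return 0
    }
    foreach octet [list $a $b $c $d] {
        if {$octet > 255} { return 0 }
    }
    return 1
}

if {[lsearch -exact {ban unban} $action] < 0 || ![valid_ipv4 $ip]} {
    puts stderr "usage: pix-shun.exp ban|unban <ipv4-address>"
    exit 2
}
if {[lsearch -exact $never_shun $ip] >= 0} {
    puts stderr "refusing to shun protected address $ip"
    exit 3
}

if {$action eq "ban"} { set cmd "shun $ip" } else { set cmd "no shun $ip" }

# Any unexpected silence or disconnect aborts with a distinct exit code.
expect_after {
    timeout { puts stderr "timed out talking to $host"; exit 5 }
    eof     { puts stderr "connection to $host closed unexpectedly"; exit 6 }
}

log_user 0      ;# keep the password exchange off stdout
spawn ssh -o StrictHostKeyChecking=yes $user@$host
expect -nocase "password:"
send -- "$pass\r"
expect -re {>\s*$}          ;# unprivileged prompt after SSH login
send -- "enable\r"
expect -nocase "password:"
send -- "$enable\r"
expect -re {#\s*$}          ;# privileged prompt
send -- "$cmd\r"
expect -re {#\s*$}
send -- "show shun\r"
expect -re {#\s*$}
set listing $expect_out(buffer)
send -- "exit\r"
expect eof
log_user 1

# Verify the device state: the address must appear as a whole token in
# the shun listing after a ban, and must be absent after an unban.
set ip_re   [string map [list . \\.] $ip]
set present [regexp -- "(^|\[ \t\])$ip_re(\[ \t\r\n\]|\$)" $listing]
if {($action eq "ban") != $present} {
    puts stderr "$action of $ip did not take effect on $host"
    exit 1
}
puts "$action $ip: ok"
exit 0
```

Two things worth knowing before wiring this into a ban daemon: shun entries are dynamic state, not part of the saved configuration, so a reload of the PIX drops them and the web-server side must be able to re-apply its current ban list; and passing passwords through the environment is a simplification for the example, so on a shared host they should come from a root-only file instead.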
0

I'm not aware of a way to do this manually on the PIX. If you can upgrade your PIX to an ASA, you could get the IPS module in your ASA which will issue the SHUN command automatically for IPs that are trying to hack.

GregD
  • I've never done this, but it should be doable over SNMP, or possibly with expect, or some more code. – Cian Dec 22 '09 at 23:38