
I am working on a basic IPS written in Python, which should protect a webserver. This is done for a school project, so it's mostly just a "proof of concept" kind of thing. The thought is that the IPS shall block any IP address that sends requests that do not fall within the model for normal behaviour for a number of minutes. My initial thought was to use scapy to do this, but I've come to realize that while it is possible to read the incoming data with scapy it will probably not be possible to block the traffic from reaching the web server. One idea is to use iptables to block the traffic, but that solution seems a bit clumsy. We have also had a look at mitmproxy, but it seems this has to run on a separate computer, so that won't be an option. My question is if there is an easier way to do this than adding and removing iptables rules every 15 minutes?

  • Why would you add/remove rules every 15 minutes when you are running a webserver? – Marc Bredt Jan 06 '16 at 18:08
  • If you only want to block off non-conforming IPs hardly anything can be simpler than iptables. There is a handy [`python-iptables`](http://ldx.github.io/python-iptables/) interface to `libiptc` available so you don't even have to deal with its default CLI and take the performance penalties. – zwer Apr 02 '18 at 10:28

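An added example (editor's code, not the asker's or any commenter's) of the iptables approach the question describes: a small Python class that drops traffic from a source IP for a fixed time and deletes the rule again once that time has passed. It assumes `iptables` is on PATH and that applying rules requires root; the chain name `IPS_BLOCK` and the injectable `runner`/`clock` parameters are my own choices so the blocking logic can be exercised without touching a real firewall.

```python
import ipaddress
import subprocess
import time
from typing import Callable, Dict, List

IPTABLES = "iptables"  # assumed on PATH; applying rules needs root


def run_cmd(argv: List[str]) -> None:
    """Default runner: execute the iptables command for real."""
    subprocess.run(argv, check=True)


class TempBlocklist:
    """Block source IPs for `ttl_seconds` via a dedicated iptables chain.

    A separate chain keeps the IPS's entries apart from the rest of the
    firewall; only that chain is modified as blocks come and go.
    Assumes the chain does not exist yet when the object is created.
    """

    def __init__(self, chain: str = "IPS_BLOCK", ttl_seconds: int = 15 * 60,
                 runner: Callable[[List[str]], None] = run_cmd,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.chain, self.ttl, self.run, self.clock = chain, ttl_seconds, runner, clock
        self.expires: Dict[str, float] = {}  # ip -> expiry timestamp
        self.run([IPTABLES, "-N", chain])                 # create our chain
        self.run([IPTABLES, "-I", "INPUT", "-j", chain])  # consult it first

    def block(self, ip: str) -> bool:
        """Drop traffic from `ip`. Returns True if a new rule was added,
        False if the IP was already blocked (its expiry is refreshed)."""
        ip = str(ipaddress.ip_address(ip))  # reject anything not an IP
        already = ip in self.expires
        self.expires[ip] = self.clock() + self.ttl
        if not already:
            self.run([IPTABLES, "-A", self.chain, "-s", ip, "-j", "DROP"])
        return not already

    def sweep(self) -> List[str]:
        """Delete rules whose TTL has elapsed; call this periodically.
        Returns the IPs that were unblocked."""
        now = self.clock()
        expired = [ip for ip, t in self.expires.items() if t <= now]
        for ip in expired:
            self.run([IPTABLES, "-D", self.chain, "-s", ip, "-j", "DROP"])
            del self.expires[ip]
        return expired
```

The detection side (deciding which requests fall outside the normal-behaviour model) is left to the IPS; this class only owns the timed add/remove of rules.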
0 Answers