topic Re: Blacklisting rogue IPs in Firewall and Security Management

Blacklisting rogue IPs

LostBoY — Thu, 10 Feb 2022 08:57:07 GMT

We are stablish soc monitoring in our setup and recently we noticed around 800 IPs hitting stealth and default deny rules.. i intend to blacklist these IPs by creating an incoming and outgoing deny acl at the top for these..my question is : is this the right approach to blacklist rogue IPs and is there any script or way to configure blacklisting for 800 IPs at once?

Re: Blacklisting rogue IPs

Danny — Thu, 10 Feb 2022 09:05:03 GMT

I recommend the following thread (read until the end) :

HowTo: Block IoT scanners like Shodan, Censys, Shadowserver, PAN Expanse etc.

Re: Blacklisting rogue IPs

G_W_Albrecht — Thu, 10 Feb 2022 10:00:37 GMT

Use a Generic Data Center Object:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Re: Blacklisting rogue IPs

Danny — Thu, 10 Feb 2022 10:55:39 GMT

As @LostBoY mentioned SOC monitoring he is most likely interested in IoC Management as mentioned in my link above.

Re: Blacklisting rogue IPs

LostBoY — Thu, 10 Feb 2022 11:34:35 GMT

This is very helpful.. something i can definitely include in my setup. However, right now i am looking to block a list of ip addresses shared by SOC but i am not sure what is the most efficient way to do so

Re: Blacklisting rogue IPs

LostBoY — Thu, 10 Feb 2022 11:35:20 GMT

This looks like what i am looking for but unfortunately i am on R80.40.. anyway i can enforce this on 80.40 ?

Re: Blacklisting rogue IPs

Juan_ — Thu, 10 Feb 2022 11:42:21 GMT

To add a large list of IPs to block use fwaccel dos deny feature.

Just create a file on below directory and follow the instructions

Deny List location:

$FWDIR/conf/deny_lists/

What it looks like:

45.83.66.159

45.83.66.160

45.83.66.166

45.83.66.167

45.83.66.192

To load it:

fwaccel dos deny -L

To flush it:

fwaccel dos deny -F

To check contents

fwaccel dos deny -s

To see statistics:

fwaccel dos stats get

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk112454#Blacklist%20Configuration

Re: Blacklisting rogue IPs

Juan_ — Thu, 10 Feb 2022 11:49:11 GMT

Check "Manually Uploading Threat Indicator Files through SmartConsole"

In the R80.40 Threat prevention administration guide.

The CSV syntax is really easy.

Re: Blacklisting rogue IPs

LostBoY — Thu, 10 Feb 2022 12:35:55 GMT

Thanks for this..one query here..when the IP in this list is blocked how does the log looks like ? i mean when it is being denied by stealth rule the log payload suggests the name of the rule etc.

Re: Blacklisting rogue IPs

Juan_ — Thu, 10 Feb 2022 12:46:21 GMT

It shows like a normal drop, with this text below.
Unfortunately none of the fields that distinguish the feature seam indexed/searchable.

Id Generated By Indexer:false
First: true
Sequencenum: 127
Source: 45.83.65.9
Destination:
IP Protocol: 1
Securexl Message: The packet's source IP is in the deny list (SecureXL device 0)
Feature Name: DOS/Rate Limiting Deny List
Comment: Deny list
Action: Drop
Type: Log
Policy Name: Standard
Policy Management:
Policy Date: 2022-02-08T15:50:19Z
Blade: Firewall
Origin: checkpoint
Service: ICMP
Product Family: Access
Interface:
Description: ICMP Traffic Dropped from 45.83.65.9 to

Re: Blacklisting rogue IPs

LostBoY — Mon, 14 Mar 2022 13:17:24 GMT

This i have to apply in individual GWs and not in the management server ? and in VSX environment this will be applied in each VS ?

also, this blocks blacklists both incoming and outgoing requests from the mentioned ip right ?

Re: Blacklisting rogue IPs

Sh3r — Tue, 15 Mar 2022 18:34:43 GMT

Hello.. where exactly are these logs recorded ? can i see this in SmartConsole menu ?

Re: Blacklisting rogue IPs

Juan_ — Wed, 16 Mar 2022 09:03:34 GMT

Yes, if there are connections to any of your blacklisted IPs it will appear in smart console > Logs&Monitor> logs

It will appear like a drop. See my post above.

I haven't figured out how to make a search related to the feature though, I think its not possible.

Re: Blacklisting rogue IPs

Juan_ — Wed, 16 Mar 2022 09:06:34 GMT

Apply on Gateway
Each VS
Incoming is fully blocked
Outgoing is not fully blocked
- Replies to the outgoing connection will be dropped

Re: Blacklisting rogue IPs

Sh3r — Wed, 16 Mar 2022 09:34:53 GMT

ok..i created a blacklist by using the syntax above and added one IP there.. i then tried to ping that IP from a host behind my firewall..but in the logs its getting dropped via default deny rule.. shudnt it be blocked via blacklist feature ?

Re: Blacklisting rogue IPs

Sh3r — Wed, 16 Mar 2022 09:35:54 GMT

what does replied to outgoing connection means ? if someone initiated a connection from inside towards a blacklist ip..it wudnt get blocked ?

Re: Blacklisting rogue IPs

Juan_ — Wed, 16 Mar 2022 09:48:43 GMT

I stand corrected, it does block eitherway according to sk:

IP Deny List

The IP deny list feature is the recommended method for blocking all traffic to/from a specific IP address. Because the IP Deny list is checked very early in the packet flow, it has superior performance. The deny list is capable of supporting millions of IP addresses. The actual upper limit is determined by available memory.

Re: Blacklisting rogue IPs

shanil420 — Tue, 29 Aug 2023 15:47:55 GMT

Hi Juan,

Is there a way i can block malicious Ip addresses from internet on Locally managed R81.10 (Checkpoint 1550).

Here are the sample of log events.

2023 Aug 29 20:21:10 MHT-Gateway-ID-auth.info sshd: Received disconnect from 180.101.88.234 port 23639:11: [preauth]
2023 Aug 29 20:21:10 MHT-Gateway-ID-auth.info sshd: Disconnected from 180.101.88.234 port 23639 [preauth]
2023 Aug 29 20:22:27 MHT-Gateway-ID-authpriv.alert sshd: pam_tally2(sshd:auth): Tally overflowed for user root
2023 Aug 29 20:22:27 MHT-Gateway-ID-authpriv.notice sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=180.101.88.234 user=root
2023 Aug 29 20:22:29 MHT-Gateway-ID-auth.info sshd: Failed password for root from 180.101.88.234 port 34416 ssh2
2023 Aug 29 20:22:29 MHT-Gateway-ID-authpriv.alert sshd: pam_tally2(sshd:auth): Tally overflowed for user root
2023 Aug 29 20:22:29 MHT-Gateway-ID-authpriv.notice sshd: pam_tally2(sshd:auth): user root (0) tally 65534, deny 10
2023 Aug 29 20:22:29 MHT-Gateway-ID-auth.warning sshd: [WebUI] administrator user 'root' is locked, try login after 30 seconds
2023 Aug 29 20:22:31 MHT-Gateway-ID-auth.info sshd: Failed password for root from 180.101.88.234 port 34416 ssh2
2023 Aug 29 20:22:33 MHT-Gateway-ID- authpriv.alert sshd: pam_tally2(sshd:auth): Tally overflowed for user root
2023 Aug 29 20:22:33 MHT-Gateway-ID-authpriv.notice sshd: pam_tally2(sshd:auth): user root (0) tally 65534, deny 10
2023 Aug 29 20:22:33 MHT-Gateway-ID-auth.warning sshd: [WebUI] administrator user 'root' is locked, try login after 30 seconds
2023 Aug 29 20:22:35 MHT-Gateway-ID-auth.info sshd: Failed password for root from 180.101.88.234 port 34416 ssh2
2023 Aug 29 20:22:37 MHT-Gateway-ID-auth.info sshd: Received disconnect from 180.101.88.234 port 34416:11: [preauth]
2023 Aug 29 20:22:37 MHT-Gateway-ID-auth.info sshd: Disconnected from authenticating user root 180.101.88.234 port 34416 [preauth]
2023 Aug 29 20:22:37 MHT-Gateway-ID-authpriv.notice sshd: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=180.101.88.234 user=root
2023 Aug 29 20:22:39 MHT-Gateway-ID-auth.info sshd: Invalid user admin1 from 157.245.248.106 port 49494
2023 Aug 29 20:22:39 MHT-Gateway-ID-authpriv.err sshd: pam_tally2(sshd:auth): pam_get_uid; no such user
2023 Aug 29 20:22:39 MHT-Gateway-ID-authpriv.warning sshd: pam_unix(sshd:auth): check pass; user unknown
2023 Aug 29 20:22:39 MHT-Gateway-ID-authpriv.notice sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=157.245.248.106
2023 Aug 29 20:22:40 MHT-Gateway-ID-auth.info sshd: Failed password for invalid user admin1 from 157.245.248.106 port 49494 ssh2
2023 Aug 29 20:22:41 MHT-Gateway auth.info sshd: Received disconnect from 157.245.248.106 port 49494:11: Bye Bye [preauth]