topic Re: Blocking TOR exit nodes with Python and R80.10 API in API / CLI Discussion

Blocking TOR exit nodes with Python and R80.10 API

Jesús_Toledano — Mon, 12 Feb 2018 06:37:49 GMT

Hi all,

I wrote a script in Python using our API. The goal was clear, block around 1k IP addresses automatically and in a visual way, not through fw sam rules

You can execute this script every day manually or you can schedule it using Crontab for example.

Tu use it in your environment you just need to change these variables at the begining and execute it!

You can find the script here: GitHub - toledanosjesus/chkp

After the first execution of the script, you just need to configure correctly your firewall policy. You need to have something similar to this:

Be aware this script is using python 2.7. You'll need to modify it a bit in case you want to use python 3.x

Enjoy!

Re: Blocking TOR exit nodes with Python and R80.10 API

Robert_Decker — Mon, 12 Feb 2018 09:08:34 GMT

Very nice, good work!

Please note that we have a python development SDK for API developers on github -

GitHub - CheckPoint-APIs-Team/cp_mgmt_api_python_sdk: Check Point API Python Development Kit

It is an open source and includes usage examples.

Robert.

Re: Blocking TOR exit nodes with Python and R80.10 API

G_W_Albrecht — Mon, 12 Feb 2018 09:24:13 GMT

I like this one, too !

Re: Blocking TOR exit nodes with Python and R80.10 API

HeikoAnkenbrand — Sun, 04 Mar 2018 09:51:16 GMT

nice script

Re: Blocking TOR exit nodes with Python and R80.10 API

Chris_Atkinson — Sun, 24 Nov 2019 08:45:40 GMT

Nice script and probably best used with drop templates / optimized drops (sk90861) enabled and with some consideration of rule position.

Re: Blocking TOR exit nodes with Python and R80.10 API

HeikoAnkenbrand — Sun, 24 Nov 2019 09:26:01 GMT

Better use SecureXL penalty box. It is a mechanism that performs an early drop of packets arriving from suspected sources.

Controls the IP blacklist in SecureXL. The blacklist blocks all traffic to and from the specified IP addresses. It is an easy way to block certain IP addresses quickly and eficiently on SecureXL level.

The blacklist drops occur in SecureXL, which is more efficient than an Access Control Policy or SAM rule to drop the packets. This can be very helpful e.g. with DoS attacks to block an IP on SecureXL level.

For example, the traffic from and to IP 1.2.3.4 should be blocked at SecureXL level.

On gateway set the IP 1.2.3.4 to Secure XL blacklist:

# fwaccel dos blacklist -a 1.2.3.4

On gateway displays all IP's on the SecureXL blacklist:

# fwaccel dos blacklist -s

On gateway delete the IP 1.2.3.4 from Secure XL blacklist:

# fwaccel dos blacklist -d 1.2.3.4

More to SecureXL penalty box read here :

R80.x - Performance Tuning Tip - DDoS „fw sam“ vs. „fwaccel dos“

I have created a script to execute this command on all gateways at the same time or on a singel gateway.

Re: Blocking TOR exit nodes with Python and R80.10 API

Josef_Pecher — Sun, 24 Nov 2019 09:31:24 GMT

nice

Re: Blocking TOR exit nodes with Python and R80.10 API

quannl12 — Mon, 13 Apr 2020 18:02:10 GMT

Nice. Does it still work with the R80.40 version?