LostBoY
Advisor

Blacklisting rogue IPs

We are establishing SOC monitoring in our setup, and recently we noticed around 800 IPs hitting the stealth and default deny rules. I intend to blacklist these IPs by creating an incoming and outgoing deny ACL at the top for them. My question is: is this the right approach to blacklist rogue IPs, and is there any script or way to configure blacklisting for 800 IPs at once?

Accepted Solutions
Juan_
Collaborator

To add a large list of IPs to block, use the fwaccel dos deny feature.

Just create a file in the directory below and follow the instructions.

Deny List location:

$FWDIR/conf/deny_lists/

What it looks like:

45.83.66.159
45.83.66.160
45.83.66.166
45.83.66.167
45.83.66.192

To load it:

fwaccel dos deny -L

To flush it:

fwaccel dos deny -F

To check contents:

fwaccel dos deny -s

To see statistics:

fwaccel dos stats get

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...


17 Replies
Danny
Champion

I recommend the following thread (read until the end):

HowTo: Block IoT scanners like Shodan, Censys, Shadowserver, PAN Expanse etc.

LostBoY
Advisor

This is very helpful, something I can definitely include in my setup. However, right now I am looking to block a list of IP addresses shared by the SOC, but I am not sure what the most efficient way to do so is.

G_W_Albrecht
Legend

Use a Generic Data Center Object:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Danny
Champion

As @LostBoY mentioned SOC monitoring, he is most likely interested in IoC Management, as mentioned in my link above.

LostBoY
Advisor

This looks like what I am looking for, but unfortunately I am on R80.40. Is there any way I can enforce this on R80.40?

Juan_
Collaborator

Check "Manually Uploading Threat Indicator Files through SmartConsole" in the R80.40 Threat Prevention Administration Guide.

The CSV syntax is really easy.

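
Putting the two mechanisms in this thread side by side (the SecureXL deny-list file from the accepted solution and the Threat Prevention indicator CSV referred to just above), here is an added example, written for this thread and not Check Point's own tooling, that turns a raw SOC export of several hundred addresses into both files. It validates every entry and refuses private or otherwise non-public addresses, which is the check worth having before anything is loaded into an accelerated drop path. The CSV column layout (UNIQ-NAME,VALUE,TYPE,CONFIDENCE,SEVERITY,PRODUCT,COMMENT) and the PRODUCT value AB are my recollection of the Threat Prevention Administration Guide, not something this page states; verify them against the guide for your release before uploading. The SOC export below is constructed sample input.

```python
"""Turn a raw SOC-supplied list of attacker IPs into the two block-list
formats discussed in this thread:

  1. a SecureXL deny-list file (one IPv4 address per line) for
     $FWDIR/conf/deny_lists/ on each gateway / VS, loaded with
     fwaccel dos deny -L;
  2. a Threat Prevention custom-indicator CSV for manual upload in
     SmartConsole ("Manually Uploading Threat Indicator Files").

Example code written for this thread, not Check Point's own tooling.
The CSV column layout and PRODUCT value are ASSUMED from memory of the
Threat Prevention Administration Guide; verify against your release.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample of what a SOC export often looks like: mixed
# separators, duplicates, a defanged address, a private address that must
# never reach a perimeter block list, a CIDR (the deny-list file in the
# post lists hosts, not networks) and a typo.
SAMPLE_SOC_EXPORT = """\
# SOC export, hits on stealth/default-drop rules
45.83.66.159
45.83.66.160, 45.83.66.166
45.83.66[.]167
45.83.66.159
10.20.30.40
198.51.100.0/24
not-an-ip
"""

_DEFANG = re.compile(r"\[\.\]|\(\.\)|\{\.\}")


def normalize_ips(raw: str) -> Tuple[List[str], Dict[str, str]]:
    """Return (sorted unique public IPv4 addresses, {rejected_token: reason}).

    Entries are validated with ipaddress so a typo never lands in the
    accelerated drop path, and private/loopback/link-local space is
    refused: blocking your own RFC 1918 ranges at the perimeter is a
    common self-inflicted outage.
    """
    keep = set()
    rejected: Dict[str, str] = {}
    for line in raw.splitlines():
        line = line.split("#", 1)[0]          # strip comments
        for token in re.split(r"[,\s;]+", line):
            if not token:
                continue
            token = _DEFANG.sub(".", token)   # refang 45.83.66[.]167
            if "/" in token:
                rejected[token] = "CIDR not supported here; list hosts individually"
                continue
            try:
                ip = ipaddress.ip_address(token)
            except ValueError:
                rejected[token] = "not a valid IP address"
                continue
            if ip.version != 4:
                rejected[token] = "IPv6 not handled by this script"
                continue
            if not ip.is_global:
                rejected[token] = "non-public address, refusing to block"
                continue
            keep.add(ip)
    return [str(ip) for ip in sorted(keep)], rejected


def deny_list_file(ips: List[str]) -> str:
    """Body of a file for $FWDIR/conf/deny_lists/: one address per line."""
    return "\n".join(ips) + "\n"


def ioc_csv(ips: List[str], comment: str, prefix: str = "soc") -> str:
    """Threat Prevention custom indicator CSV (column layout ASSUMED, see top)."""
    rows = ["#UNIQ-NAME,VALUE,TYPE,CONFIDENCE,SEVERITY,PRODUCT,COMMENT"]
    for n, ip in enumerate(ips, start=1):
        rows.append(f"{prefix}-{n:04d},{ip},IP,high,high,AB,{comment}")
    return "\n".join(rows) + "\n"


if __name__ == "__main__":
    ips, rejected = normalize_ips(SAMPLE_SOC_EXPORT)
    print(deny_list_file(ips))
    print(ioc_csv(ips, "SOC blacklist"))
    for token, why in rejected.items():
        print(f"skipped {token}: {why}")
```

Copy the deny-list output to $FWDIR/conf/deny_lists/ on each gateway (on each VS in VSX), then run fwaccel dos deny -L and confirm the contents with fwaccel dos deny -s; the rejected entries are printed so the SOC can be asked about them rather than silently dropped.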
LostBoY
Advisor

Thanks for this. One query here: when an IP in this list is blocked, how does the log look? I mean, when it is being denied by the stealth rule, the log payload shows the name of the rule etc.

Juan_
Collaborator

It shows like a normal drop, with the text below.
Unfortunately none of the fields that distinguish the feature seem indexed/searchable.

 

Id Generated By Indexer:false
First: true
Sequencenum: 127
Source: 45.83.65.9
Destination: 
IP Protocol: 1
Securexl Message: The packet's source IP is in the deny list (SecureXL device 0)
Feature Name: DOS/Rate Limiting Deny List
Comment: Deny list
Action: Drop
Type: Log
Policy Name: Standard
Policy Management: 
Policy Date: 2022-02-08T15:50:19Z
Blade: Firewall
Origin: checkpoint
Service: ICMP
Product Family: Access
Interface: 
Description: ICMP Traffic Dropped from 45.83.65.9 to 
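
Since the fields that identify a deny-list drop are not searchable in SmartConsole, one workaround is to export the logs and classify them offline. The following is an added example (mine, not Check Point code) that reads records in the "Field: value" layout shown in the post above and separates deny-list drops from rule drops; it also flags blacklisted addresses whose traffic was dropped by a rule rather than by the list, which is what the outbound ping test described further down this thread would produce. The records are constructed: the first mirrors the one posted above, the other two are made up for illustration, and the field name Rule Name is assumed.

```python
"""Classify exported Check Point drop logs by whether the SecureXL deny
list or an Access Control rule produced them.

Added example for this thread, not Check Point code. It assumes the logs
were exported in the "Field: value" layout shown in the thread (one blank
line between records); adjust parse_records() for a CSV or JSON export.
"""
from collections import Counter, defaultdict
from typing import Dict, List, Set

DENY_LIST_FEATURE = "DOS/Rate Limiting Deny List"

# Constructed sample: the deny-list record from the post, plus two made-up
# records (an inbound rule drop from a listed IP, and an outbound ping to
# a listed IP dropped by the cleanup rule). "Rule Name" is an ASSUMED
# field name.
SAMPLE_EXPORT = """\
Source: 45.83.65.9
Destination:
IP Protocol: 1
Securexl Message: The packet's source IP is in the deny list (SecureXL device 0)
Feature Name: DOS/Rate Limiting Deny List
Comment: Deny list
Action: Drop
Blade: Firewall
Service: ICMP

Source: 45.83.66.159
Destination: 203.0.113.10
IP Protocol: 6
Rule Name: Stealth
Action: Drop
Blade: Firewall
Service: TCP_22

Source: 192.0.2.25
Destination: 45.83.66.159
IP Protocol: 1
Rule Name: Cleanup rule
Action: Drop
Blade: Firewall
Service: ICMP
"""


def parse_records(text: str) -> List[Dict[str, str]]:
    """Split a blank-line-separated export into one dict per record."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")   # first colon only; values may contain colons
        current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def is_deny_list_drop(rec: Dict[str, str]) -> bool:
    """Either distinguishing field from the posted record identifies the feature."""
    return rec.get("Action") == "Drop" and (
        rec.get("Feature Name") == DENY_LIST_FEATURE
        or "deny list" in rec.get("Securexl Message", "").lower()
    )


def summarize(text: str, blacklist: Set[str]) -> Dict[str, dict]:
    """Count deny-list drops per source, and collect blacklisted IPs whose
    traffic was dropped by a rule instead: either the list is not loaded on
    that gateway/VS, or it is an outbound connection, which the deny list
    does not fully block (see the reply further down the thread)."""
    by_source: Counter = Counter()
    rule_drops = defaultdict(list)
    for rec in parse_records(text):
        src, dst = rec.get("Source", ""), rec.get("Destination", "")
        if is_deny_list_drop(rec):
            by_source[src] += 1
        elif rec.get("Action") == "Drop" and (src in blacklist or dst in blacklist):
            listed = src if src in blacklist else dst
            rule_drops[listed].append(rec.get("Rule Name", "?"))
    return {"deny_list_drops": dict(by_source), "rule_drops": dict(rule_drops)}


if __name__ == "__main__":
    print(summarize(SAMPLE_EXPORT, {"45.83.65.9", "45.83.66.159"}))
```

Feed it the same blacklist file you loaded on the gateway: any address that appears under rule_drops for inbound traffic is worth checking with fwaccel dos deny -s on that gateway or VS.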

Sh3r
Participant

Hello, where exactly are these logs recorded? Can I see this in the SmartConsole menu?

Juan_
Collaborator

Yes, if there are connections to any of your blacklisted IPs, it will appear in SmartConsole > Logs & Monitor > Logs.

It will appear like a drop. See my post above.

I haven't figured out how to make a search related to the feature though; I think it's not possible.

Sh3r
Participant

OK, I created a blacklist using the syntax above and added one IP there. I then tried to ping that IP from a host behind my firewall, but in the logs it's getting dropped via the default deny rule. Shouldn't it be blocked via the blacklist feature?

LostBoY
Advisor

Do I have to apply this on the individual GWs and not on the management server? And in a VSX environment, will this be applied in each VS?

Also, this blacklist blocks both incoming and outgoing requests for the mentioned IPs, right?

Juan_
Collaborator
  • Apply on Gateway
  • Each VS 
  • Incoming is fully blocked
  • Outgoing is not fully blocked
    • Replies to the outgoing connection will be dropped
Sh3r
Participant

What does "replies to the outgoing connection" mean? If someone initiated a connection from inside towards a blacklisted IP, wouldn't it get blocked?

Juan_
Collaborator
shanil420
Contributor

Hi Juan,

Is there a way I can block malicious IP addresses from the internet on a locally managed R81.10 (Check Point 1550)?

Here is a sample of the log events.

 

2023 Aug 29 20:21:10 MHT-Gateway-ID-auth.info sshd: Received disconnect from 180.101.88.234 port 23639:11: [preauth]
2023 Aug 29 20:21:10 MHT-Gateway-ID-auth.info sshd: Disconnected from 180.101.88.234 port 23639 [preauth]
2023 Aug 29 20:22:27 MHT-Gateway-ID-authpriv.alert sshd: pam_tally2(sshd:auth): Tally overflowed for user root
2023 Aug 29 20:22:27 MHT-Gateway-ID-authpriv.notice sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=180.101.88.234 user=root
2023 Aug 29 20:22:29 MHT-Gateway-ID-auth.info sshd: Failed password for root from 180.101.88.234 port 34416 ssh2
2023 Aug 29 20:22:29 MHT-Gateway-ID-authpriv.alert sshd: pam_tally2(sshd:auth): Tally overflowed for user root
2023 Aug 29 20:22:29 MHT-Gateway-ID-authpriv.notice sshd: pam_tally2(sshd:auth): user root (0) tally 65534, deny 10
2023 Aug 29 20:22:29 MHT-Gateway-ID-auth.warning sshd: [WebUI] administrator user 'root' is locked, try login after 30 seconds
2023 Aug 29 20:22:31 MHT-Gateway-ID-auth.info sshd: Failed password for root from 180.101.88.234 port 34416 ssh2
2023 Aug 29 20:22:33 MHT-Gateway-ID- authpriv.alert sshd: pam_tally2(sshd:auth): Tally overflowed for user root
2023 Aug 29 20:22:33 MHT-Gateway-ID-authpriv.notice sshd: pam_tally2(sshd:auth): user root (0) tally 65534, deny 10
2023 Aug 29 20:22:33 MHT-Gateway-ID-auth.warning sshd: [WebUI] administrator user 'root' is locked, try login after 30 seconds
2023 Aug 29 20:22:35 MHT-Gateway-ID-auth.info sshd: Failed password for root from 180.101.88.234 port 34416 ssh2
2023 Aug 29 20:22:37 MHT-Gateway-ID-auth.info sshd: Received disconnect from 180.101.88.234 port 34416:11: [preauth]
2023 Aug 29 20:22:37 MHT-Gateway-ID-auth.info sshd: Disconnected from authenticating user root 180.101.88.234 port 34416 [preauth]
2023 Aug 29 20:22:37 MHT-Gateway-ID-authpriv.notice sshd: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=180.101.88.234 user=root
2023 Aug 29 20:22:39 MHT-Gateway-ID-auth.info sshd: Invalid user admin1 from 157.245.248.106 port 49494
2023 Aug 29 20:22:39 MHT-Gateway-ID-authpriv.err sshd: pam_tally2(sshd:auth): pam_get_uid; no such user
2023 Aug 29 20:22:39 MHT-Gateway-ID-authpriv.warning sshd: pam_unix(sshd:auth): check pass; user unknown
2023 Aug 29 20:22:39 MHT-Gateway-ID-authpriv.notice sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=157.245.248.106
2023 Aug 29 20:22:40 MHT-Gateway-ID-auth.info sshd: Failed password for invalid user admin1 from 157.245.248.106 port 49494 ssh2
2023 Aug 29 20:22:41 MHT-Gateway auth.info sshd: Received disconnect from 157.245.248.106 port 49494:11: Bye Bye [preauth]

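
The question above received no answer on this page. Whichever mechanism is used to enforce the block, the first step is to extract the attacking sources from the sshd lines, and the following added example (mine, not Check Point code) does that over the posted excerpt. It also reports the administrator lockouts the attempts triggered, since that is the immediate operational damage visible in the log: the attacker does not need the password to lock the admin out. The regexes match the OpenSSH and pam_tally2 wording in the excerpt; the failure threshold is an assumed value, and the sample is abridged from the posted log to the lines that carry a remote address.

```python
"""Extract brute-force sources from Gaia / Gaia Embedded sshd syslog lines
so they can be fed into a block list, and list the admin accounts the
attempts locked.

Added example for this thread, not Check Point code. Regexes follow the
OpenSSH and pam_tally2 wording in the posted excerpt; THRESHOLD is an
assumed value, tune it to your environment.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

THRESHOLD = 3  # ASSUMED: failed logins per source before it is a candidate

# Abridged from the log excerpt posted in the thread.
SAMPLE_SYSLOG = """\
2023 Aug 29 20:22:27 MHT-Gateway-ID-authpriv.notice sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=180.101.88.234 user=root
2023 Aug 29 20:22:29 MHT-Gateway-ID-auth.info sshd: Failed password for root from 180.101.88.234 port 34416 ssh2
2023 Aug 29 20:22:29 MHT-Gateway-ID-auth.warning sshd: [WebUI] administrator user 'root' is locked, try login after 30 seconds
2023 Aug 29 20:22:31 MHT-Gateway-ID-auth.info sshd: Failed password for root from 180.101.88.234 port 34416 ssh2
2023 Aug 29 20:22:35 MHT-Gateway-ID-auth.info sshd: Failed password for root from 180.101.88.234 port 34416 ssh2
2023 Aug 29 20:22:37 MHT-Gateway-ID-auth.info sshd: Disconnected from authenticating user root 180.101.88.234 port 34416 [preauth]
2023 Aug 29 20:22:39 MHT-Gateway-ID-auth.info sshd: Invalid user admin1 from 157.245.248.106 port 49494
2023 Aug 29 20:22:40 MHT-Gateway-ID-auth.info sshd: Failed password for invalid user admin1 from 157.245.248.106 port 49494 ssh2
2023 Aug 29 20:22:41 MHT-Gateway auth.info sshd: Received disconnect from 157.245.248.106 port 49494:11: Bye Bye [preauth]
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# Each pattern captures the username as 'user' and the address as group 2.
FAILURE_PATTERNS = [
    re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from " + IPV4),
    re.compile(r"Invalid user (?P<user>\S+) from " + IPV4),
]
LOCKED = re.compile(r"administrator user '([^']+)' is locked")


def failed_logins(text: str) -> List[Tuple[str, str]]:
    """(ip, user) for every line that records a failed or invalid login.
    Disconnect and PAM summary lines are deliberately not counted, so one
    attempt is never counted twice."""
    events = []
    for line in text.splitlines():
        for pat in FAILURE_PATTERNS:
            m = pat.search(line)
            if m:
                events.append((m.group(2), m.group("user")))
                break
    return events


def brute_force_sources(text: str, threshold: int = THRESHOLD) -> Dict[str, int]:
    """Sources with at least `threshold` failed logins, ready for a block list."""
    counts = Counter(ip for ip, _ in failed_logins(text))
    return {ip: n for ip, n in counts.items() if n >= threshold}


def lockouts(text: str) -> List[str]:
    """Admin accounts the attempts locked out (collateral denial of access)."""
    return sorted({m.group(1) for m in map(LOCKED.search, text.splitlines()) if m})


if __name__ == "__main__":
    for ip, n in brute_force_sources(SAMPLE_SYSLOG).items():
        print(f"{ip}\t{n} failed logins")
    print("locked accounts:", ", ".join(lockouts(SAMPLE_SYSLOG)))
```

Run it over a longer syslog window than the excerpt: with a single-digit threshold, slow scanners that spread attempts over hours still show up, while the one-off typo from a legitimate admin does not.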