Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
LostBoY
Advisor
Jump to solution

Blacklisting rogue IPs

We are stablish soc monitoring in our setup and recently we noticed around 800 IPs hitting stealth and default deny rules.. i intend to blacklist these IPs by creating an incoming and outgoing deny acl at the top for these..my question is : is this the right approach to blacklist rogue IPs and is there any script or way to configure blacklisting for 800 IPs at once?

0 Kudos
1 Solution

Accepted Solutions
Juan_
Collaborator

To add a large list of IPs to block use fwaccel dos deny feature.  

Just create a file on below directory and follow the instructions 

Deny List location: 

$FWDIR/conf/deny_lists/ 

What it looks like: 

45.83.66.159 

45.83.66.160 

45.83.66.166 

45.83.66.167 

45.83.66.192 

  

To load it: 

fwaccel dos deny -L 

  

To flush it: 

fwaccel dos deny -F 

  

To check contents 

fwaccel dos deny -s 

  

To see statistics: 

fwaccel dos stats get 

 

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 

View solution in original post

17 Replies
Danny
Champion Champion
Champion

I recommend the following thread (read until the end) :

HowTo: Block IoT scanners like Shodan, Censys, Shadowserver, PAN Expanse etc.

 

(1)
LostBoY
Advisor

This is very helpful.. something i can definitely include in my setup. However, right now i am looking to block a list of ip addresses shared by SOC but i am not sure what is the most efficient way to do so

0 Kudos
G_W_Albrecht
Legend
Legend
Danny
Champion Champion
Champion

As @LostBoY mentioned SOC monitoring he is most likely interested in IoC Management as mentioned in my link above.

0 Kudos
LostBoY
Advisor

This looks like what i am looking for but unfortunately i am on R80.40.. anyway i can enforce this on 80.40 ?

0 Kudos
Juan_
Collaborator

Check "Manually Uploading Threat Indicator Files through SmartConsole"

 

In the R80.40 Threat prevention administration guide.

The CSV syntax is really easy.

 

0 Kudos
Juan_
Collaborator

To add a large list of IPs to block use fwaccel dos deny feature.  

Just create a file on below directory and follow the instructions 

Deny List location: 

$FWDIR/conf/deny_lists/ 

What it looks like: 

45.83.66.159 

45.83.66.160 

45.83.66.166 

45.83.66.167 

45.83.66.192 

  

To load it: 

fwaccel dos deny -L 

  

To flush it: 

fwaccel dos deny -F 

  

To check contents 

fwaccel dos deny -s 

  

To see statistics: 

fwaccel dos stats get 

 

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 

LostBoY
Advisor

Thanks for this..one query here..when the IP in this list is blocked how does the log looks like ? i mean when it is being denied by stealth rule the log payload suggests the name of the rule etc.

0 Kudos
Juan_
Collaborator

It shows like a normal drop, with this text below.
Unfortunately none of the fields that distinguish the feature seam indexed/searchable.

 

Id Generated By Indexer:false
First: true
Sequencenum: 127
Source: 45.83.65.9
Destination: 
IP Protocol: 1
Securexl Message: The packet's source IP is in the deny list (SecureXL device 0)
Feature Name: DOS/Rate Limiting Deny List
Comment: Deny list
Action: Drop
Type: Log
Policy Name: Standard
Policy Management: 
Policy Date: 2022-02-08T15:50:19Z
Blade: Firewall
Origin: checkpoint
Service: ICMP
Product Family: Access
Interface: 
Description: ICMP Traffic Dropped from 45.83.65.9 to 

Sh3r
Participant

Hello.. where exactly are these logs recorded ? can i see this in SmartConsole menu ? 

0 Kudos
Juan_
Collaborator

Yes, if there are connections to any of your blacklisted IPs it will appear in smart console > Logs&Monitor> logs

It will appear like a drop. See my post above.

I haven't figured out how to make a search related to the feature though, I think its not possible.

0 Kudos
Sh3r
Participant

ok..i created a blacklist by using the syntax above and added one IP there.. i then tried to ping that IP from a host behind my firewall..but in the logs its getting dropped via default deny rule.. shudnt it be blocked via blacklist feature ?

0 Kudos
LostBoY
Advisor

This i have to apply in individual GWs and not in the management server ? and in VSX environment this will be applied in each VS ?

also, this blocks blacklists both incoming and outgoing requests from the mentioned ip right ?

0 Kudos
Juan_
Collaborator
  • Apply on Gateway
  • Each VS 
  • Incoming is fully blocked
  • Outgoing is not fully blocked
    • Replies to the outgoing connection will be dropped
0 Kudos
Sh3r
Participant

what does replied to outgoing connection means ? if someone initiated a connection from inside towards a blacklist ip..it wudnt get blocked ?

0 Kudos
Juan_
Collaborator
shanil420
Contributor

Hi Juan,

Is there a way i can block malicious Ip addresses from internet on Locally managed R81.10 (Checkpoint 1550). 

Here are the sample of log events. 

 

2023 Aug 29 20:21:10 MHT-Gateway-ID-auth.info sshd: Received disconnect from 180.101.88.234 port 23639:11: [preauth]
2023 Aug 29 20:21:10 MHT-Gateway-ID-auth.info sshd: Disconnected from 180.101.88.234 port 23639 [preauth]
2023 Aug 29 20:22:27 MHT-Gateway-ID-authpriv.alert sshd: pam_tally2(sshd:auth): Tally overflowed for user root
2023 Aug 29 20:22:27 MHT-Gateway-ID-authpriv.notice sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=180.101.88.234 user=root
2023 Aug 29 20:22:29 MHT-Gateway-ID-auth.info sshd: Failed password for root from 180.101.88.234 port 34416 ssh2
2023 Aug 29 20:22:29 MHT-Gateway-ID-authpriv.alert sshd: pam_tally2(sshd:auth): Tally overflowed for user root
2023 Aug 29 20:22:29 MHT-Gateway-ID-authpriv.notice sshd: pam_tally2(sshd:auth): user root (0) tally 65534, deny 10
2023 Aug 29 20:22:29 MHT-Gateway-ID-auth.warning sshd: [WebUI] administrator user 'root' is locked, try login after 30 seconds
2023 Aug 29 20:22:31 MHT-Gateway-ID-auth.info sshd: Failed password for root from 180.101.88.234 port 34416 ssh2
2023 Aug 29 20:22:33 MHT-Gateway-ID- authpriv.alert sshd: pam_tally2(sshd:auth): Tally overflowed for user root
2023 Aug 29 20:22:33 MHT-Gateway-ID-authpriv.notice sshd: pam_tally2(sshd:auth): user root (0) tally 65534, deny 10
2023 Aug 29 20:22:33 MHT-Gateway-ID-auth.warning sshd: [WebUI] administrator user 'root' is locked, try login after 30 seconds
2023 Aug 29 20:22:35 MHT-Gateway-ID-auth.info sshd: Failed password for root from 180.101.88.234 port 34416 ssh2
2023 Aug 29 20:22:37 MHT-Gateway-ID-auth.info sshd: Received disconnect from 180.101.88.234 port 34416:11: [preauth]
2023 Aug 29 20:22:37 MHT-Gateway-ID-auth.info sshd: Disconnected from authenticating user root 180.101.88.234 port 34416 [preauth]
2023 Aug 29 20:22:37 MHT-Gateway-ID-authpriv.notice sshd: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=180.101.88.234 user=root
2023 Aug 29 20:22:39 MHT-Gateway-ID-auth.info sshd: Invalid user admin1 from 157.245.248.106 port 49494
2023 Aug 29 20:22:39 MHT-Gateway-ID-authpriv.err sshd: pam_tally2(sshd:auth): pam_get_uid; no such user
2023 Aug 29 20:22:39 MHT-Gateway-ID-authpriv.warning sshd: pam_unix(sshd:auth): check pass; user unknown
2023 Aug 29 20:22:39 MHT-Gateway-ID-authpriv.notice sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=157.245.248.106
2023 Aug 29 20:22:40 MHT-Gateway-ID-auth.info sshd: Failed password for invalid user admin1 from 157.245.248.106 port 49494 ssh2
2023 Aug 29 20:22:41 MHT-Gateway auth.info sshd: Received disconnect from 157.245.248.106 port 49494:11: Bye Bye [preauth]

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events