With a self-defending (passive) website, I noticed that running a script to close the firewall takes too long when the attack on the website is carried out through parallel requests.
Even if the web server and the firewall are limited to a certain number of inbound connections, that is not enough, because firewalls tend to let already-open sessions through. This part requires the firewall to actively terminate the open connections from the offending IP address.
That is exactly what the attached script does. It uses the RouterOS PHP API to connect to the firewall, lock the remote IP out directly (during the request) and at the same time terminate all open connections coming from that IP. The script is only an example of how to do it; anyone can adapt it to their own needs.
Note: The attached script is just a prototype. On my site it has been integrated into a function and is called on demand.
Results are as follows (IP not yet in the blacklist):
> Entered IP 10.10.10.246 into blacklist
- Removed active connection *8D41 [10.10.10.246:62000 -> 172.168.0.2:80]
- Removed active connection *8D4D [10.10.10.246:62001 -> 172.168.0.2:80]
- Removed active connection *8D55 [10.10.10.246:3000 -> 172.168.0.2:53]
- Removed active connection *8D59 [10.10.10.246:61997 -> 172.168.0.2:80]
- Removed active connection *8D5B [10.10.10.246:61999 -> 172.168.0.2:80]
- Removed active connection *8D62 [10.10.10.246:61996 -> 172.168.0.2:80]
- Removed active connection *8D75 [10.10.10.246:61998 -> 172.168.0.2:80]
Results are as follows (IP already in the blacklist):
!!! failure: already have such entry in firewall [IP 10.10.10.246]
- Removed active connection *8C7A [10.10.10.246:61921 -> 172.168.0.2:80]
- Removed active connection *8C7B [10.10.10.246:61920 -> 172.168.0.2:80]
- Removed active connection *8C7C [10.10.10.246:61919 -> 172.168.0.2:80]
- Removed active connection *8C7D [10.10.10.246:61918 -> 172.168.0.2:80]
- Removed active connection *8C7E [10.10.10.246:61923 -> 172.168.0.2:80]
- Removed active connection *8C7F [10.10.10.246:61922 -> 172.168.0.2:80]
Entered by admin on Friday, 22 April 2016 @ 15:47:34
Linux on Routerboards - Routerboard RBxxxAH
[ 3,487 bytes - application/octet-stream ]