
Question ? Blacklist IP through phpAPI and terminate active connections  

Having a self-defending (passive) website, I noticed that executing a script to actually close a firewall takes too long if the attack on the website is executed through parallel requests.
Even though one can limit the web server and the firewall to accept only a certain number of inbound connections, that is not enough, because a stateful firewall lets already-established sessions through. Shutting the attacker out therefore also requires the firewall to actively terminate the connections that are already open from the offending IP address.
That is exactly what the attached script does. It uses the RouterOS phpAPI to connect to the firewall, locks the remote IP out while the offending request is still being handled, and at the same time terminates all open connections that may be coming from that IP.
The script is only an example of how to do it; anyone can adapt it to their own setup.

Note: The attached script is just a prototype. On my site it has been integrated into a function and is called on demand.
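The following is an added example written for this page; it is not the attached blacklist_terminate.php. It performs the two steps described above with the RouterOS PHP API class (routeros_api.class.php): add the address to an address list, then sweep the connection-tracking table and remove every entry whose source is that address. Everything specific to a site is an assumption: the include path, the router address 192.168.88.1, a dedicated API user "webban", the list name "blacklist", a one-day entry timeout, and an existing firewall filter rule that drops src-address-list=blacklist (adding to the list alone blocks nothing). The API query language only matches exact values, so the source-address comparison is done on the PHP side, which also catches non-HTTP entries such as the UDP/53 connection in the output below.

```php
<?php
// Added example, not the attached script: blacklist an IP on a RouterOS
// firewall through the PHP API class and drop the connection-tracking
// entries it already holds.
//
// Assumptions (not from the original page): the class file location, the
// router 192.168.88.1, the API user "webban" (policy api,read,write only),
// the address list "blacklist", the 1d timeout, and a filter rule that
// already drops traffic matching src-address-list=blacklist.
require_once __DIR__ . '/routeros_api.class.php';

function blacklist_and_terminate($ip, $reason = 'auto-blacklist')
{
    // The value comes from request data: accept a plain IPv4 address only,
    // so nothing else is ever written into an API sentence.
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        throw new InvalidArgumentException("not an IPv4 address: $ip");
    }

    $api = new RouterosAPI();
    $api->debug = false;
    if (!$api->connect('192.168.88.1', 'webban', 'secret')) {   // assumed credentials
        throw new RuntimeException('RouterOS API connection failed');
    }

    // Step 1: block new connections. The filter rule matching the list must
    // exist already; this call only maintains the list.
    $res = $api->comm('/ip/firewall/address-list/add', array(
        'list'    => 'blacklist',
        'address' => $ip,
        'comment' => $reason . ' ' . date('c'),
        'timeout' => '1d',   // assumed: let the ban expire instead of growing the list forever
    ));
    if (isset($res['!trap'])) {
        // RouterOS answers "failure: already have such entry" for a duplicate.
        // That is expected on repeated hits, so carry on with the sweep.
        echo ' !!! ' . $res['!trap'][0]['message'] . " [IP $ip]\n";
    } else {
        echo " > Entered IP $ip into blacklist\n";
    }

    // Step 2: terminate established sessions. Fetch the whole table and compare
    // the address part of "src-address" here (API queries are exact-match only).
    $removed = array();
    $conns = $api->comm('/ip/firewall/connection/print');
    foreach ($conns as $c) {
        if (!isset($c['.id'], $c['src-address'])) {
            continue;
        }
        if (conn_address_ip($c['src-address']) !== $ip) {
            continue;
        }
        $r = $api->comm('/ip/firewall/connection/remove', array('.id' => $c['.id']));
        if (isset($r['!trap'])) {
            echo '   - could not remove ' . $c['.id'] . ': ' . $r['!trap'][0]['message'] . "\n";
            continue;
        }
        $removed[] = $c['.id'];
        echo '   - Removed active connection ' . $c['.id']
           . ' [' . $c['src-address'] . ' -> ' . $c['dst-address'] . "]\n";
    }
    $api->disconnect();
    return $removed;   // the .id values that were removed
}

// RouterOS reports TCP/UDP connection endpoints as "ip:port" and other
// protocols as a bare "ip"; return only the address part.
function conn_address_ip($addr)
{
    $pos = strrpos($addr, ':');
    return $pos === false ? $addr : substr($addr, 0, $pos);
}

// Usage from the request handler that detected the abuse:
// blacklist_and_terminate($_SERVER['REMOTE_ADDR'], 'parallel request flood');
```

Two points worth keeping in mind when wiring this into a site: feed it the socket peer address (REMOTE_ADDR), never a client-supplied header such as X-Forwarded-For, or a visitor can make the site blacklist arbitrary addresses; and because the web server now holds credentials for the firewall, give that API user only the api, read and write policies and restrict the API service on the router (/ip service) to the web server's address.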

Results are as follows [IP does not exist in the blacklist yet]:

 > Entered IP 10.10.10.246 into blacklist 
   - Removed active connection *8D41 [10.10.10.246:62000 -> 172.168.0.2:80] 
   - Removed active connection *8D4D [10.10.10.246:62001 -> 172.168.0.2:80] 
   - Removed active connection *8D55 [10.10.10.246:3000 -> 172.168.0.2:53] 
   - Removed active connection *8D59 [10.10.10.246:61997 -> 172.168.0.2:80] 
   - Removed active connection *8D5B [10.10.10.246:61999 -> 172.168.0.2:80] 
   - Removed active connection *8D62 [10.10.10.246:61996 -> 172.168.0.2:80] 
   - Removed active connection *8D75 [10.10.10.246:61998 -> 172.168.0.2:80] 


Results are as follows [IP already exists in the blacklist]:

 !!! failure: already have such entry in firewall [IP 10.10.10.246]
   - Removed active connection *8C7A [10.10.10.246:61921 -> 172.168.0.2:80] 
   - Removed active connection *8C7B [10.10.10.246:61920 -> 172.168.0.2:80] 
   - Removed active connection *8C7C [10.10.10.246:61919 -> 172.168.0.2:80] 
   - Removed active connection *8C7D [10.10.10.246:61918 -> 172.168.0.2:80] 
   - Removed active connection *8C7E [10.10.10.246:61923 -> 172.168.0.2:80] 
   - Removed active connection *8C7F [10.10.10.246:61922 -> 172.168.0.2:80]

 

Entered by admin on Friday, 22 April 2016 @ 15:47:34  
Linux on Routerboards - Routerboard RBxxxAH, # Hits: 29782

Attachment: blacklist_terminate.php [3,487 bytes - application/octet-stream]

This page was issued from the Terminus Website:
https://www.solsys.org

The URL for this page is:
https://www.solsys.org/mod.php?mod=faq&op=view&faq_id=164
