HPE Community
TippingPoint
1753524 Members
5611 Online
108795 Solutions
New Discussion юеВ

What's the fastest way to manually block an IP permanently?

 
ad327
Occasional Contributor

тАО02-07-2012 04:51 AM

тАО02-07-2012 04:51 AM

What's the fastest way to manually block an IP permanently?

When watching the events log, if I spot a single IP that's bombarding random addresses in my subnet with SSH login requests, I'd like to be able to block that IP permanently, but I can't find a foolproof way to do that. I've tried "create response" to quarantine the user, but that doesn't seem to work all the time (my threshold is set to 10 hits in 10mins, but some IPs appear in the log with thousands of 'hits' every minute but they don't seem to trigger the quarantine response.

 

What I'd really like is a quick keystroke that will not only block the source machine, but set it in fire and disable the bank accounts of the user. If anyone can provide help, I'd be very grateful.

0 Kudos
2 REPLIES 2
JohnnyTel
Occasional Visitor

тАО02-13-2012 02:03 PM

тАО02-13-2012 02:03 PM

Re: What's the fastest way to manually block an IP permanently?

We have decent success with Responder and Quarantine applied to 5601 SSH logins. 10 Attempts over 15 minutes.
I'm not sure why yours would not work every time.

Since the Responder runs on the SMS it has to see those events before it can apply the quarantine. The initial entry of brute force hits can be high, but the block should kick in . The SMS is polling the IPS every 5 seconds for hits.

Have you looked into the Action item Quarantine? - then it will run on the IPS. Check with TAC if this will work for what you want, I haven't worked with it yet.

Regards,
John
0 Kudos
HP_JNatt
Visitor

тАО02-23-2012 07:06 AM

тАО02-23-2012 07:06 AM

Re: What's the fastest way to manually block an IP permanently?

Filter 5601 is the SSH Attempt filter you can configure not only the threesholds, but the filter itself for the IP.  To my knowledge I do not think you have the ability to do the later part of your request without integration of SIEM and other tools.

0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.