TippingPoint

What's the fastest way to manually block an IP permanently?

ad327
Occasional Contributor


When watching the events log, if I spot a single IP that's bombarding random addresses in my subnet with SSH login requests, I'd like to be able to block that IP permanently, but I can't find a foolproof way to do that. I've tried "create response" to quarantine the user, but that doesn't seem to work all the time (my threshold is set to 10 hits in 10 mins, but some IPs appear in the log with thousands of 'hits' every minute and they don't seem to trigger the quarantine response).


What I'd really like is a quick keystroke that will not only block the source machine, but set it on fire and disable the bank accounts of the user. If anyone can provide help, I'd be very grateful.

2 REPLIES
JohnnyTel
Occasional Visitor

Re: What's the fastest way to manually block an IP permanently?

We have decent success with Responder and Quarantine applied to 5601 SSH logins. 10 Attempts over 15 minutes.
I'm not sure why yours would not work every time.

Since the Responder runs on the SMS, it has to see those events before it can apply the quarantine. The initial entry of brute force hits can be high, but the block should kick in. The SMS is polling the IPS every 5 seconds for hits.

Have you looked into the Action item Quarantine? - then it will run on the IPS. Check with TAC if this will work for what you want, I haven't worked with it yet.

Regards,
John
HP_JNatt
Visitor

Re: What's the fastest way to manually block an IP permanently?

Filter 5601 is the SSH Attempt filter; you can configure not only the thresholds, but the filter itself for the IP. To my knowledge I do not think you have the ability to do the latter part of your request without integration of SIEM and other tools.
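As an added example (not code from this thread, the SMS, or TippingPoint), here is a small Python model of the threshold-and-quarantine check that both replies describe for filter 5601: count SSH-attempt hits per source IP inside a sliding window, quarantine the source once it reaches the threshold (10 hits in 15 minutes, as in the first reply), and apply the block at the next SMS poll tick (every 5 seconds per the first reply) rather than at the hit itself. The events, the second filter number 1234, and the IP addresses are constructed for the example and are not real log data.

```python
"""
Sliding-window threshold check modelled on the Responder/quarantine behaviour
described in the thread: per-source hit counting on filter 5601, quarantine at
N hits within the window, block applied at the next SMS poll (not at the hit).

Added example, not TippingPoint code. All sample events below are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

Event = Tuple[datetime, str, str, str]  # (timestamp, src_ip, dst_ip, filter_id)

SSH_ATTEMPT_FILTER = "5601"   # filter number named in the thread
OTHER_FILTER = "1234"         # hypothetical filter number, used only in the sample data


def make_sample_events() -> List[Event]:
    """Constructed sample events standing in for the SMS event log."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    events: List[Event] = []
    # Brute-forcer: ~3 SSH attempts per second, spread over hosts in 192.0.2.0/24.
    for i in range(90):
        dst = "192.0.2.%d" % ((i * 37) % 254 + 1)
        events.append((t0 + timedelta(milliseconds=333 * i), "203.0.113.7", dst, SSH_ATTEMPT_FILTER))
    # Slow scanner: 6 attempts over 40 minutes, never 10 inside any 15-minute window.
    for i in range(6):
        events.append((t0 + timedelta(minutes=8 * i), "198.51.100.9", "192.0.2.10", SSH_ATTEMPT_FILTER))
    # High-volume source on a different filter: lots of hits, but not the filter the Responder is bound to.
    for i in range(50):
        events.append((t0 + timedelta(seconds=i), "198.51.100.200", "192.0.2.20", OTHER_FILTER))
    return sorted(events)


class Responder:
    """Quarantine a source after `threshold` matching hits within `window`."""

    def __init__(self, threshold: int = 10, window: timedelta = timedelta(minutes=15),
                 poll_interval: timedelta = timedelta(seconds=5),
                 filter_id: str = SSH_ATTEMPT_FILTER) -> None:
        self.threshold = threshold
        self.window = window
        self.poll_interval = poll_interval
        self.filter_id = filter_id
        self.hits: Dict[str, Deque[datetime]] = defaultdict(deque)
        self.quarantined: Dict[str, datetime] = {}  # src_ip -> time block applied; never expires

    def observe(self, event: Event, seen_at: datetime) -> Optional[str]:
        """Account one event the SMS pulled at `seen_at`; return the source if it was just quarantined."""
        ts, src, _dst, fid = event
        if fid != self.filter_id or src in self.quarantined:
            return None
        q = self.hits[src]
        q.append(ts)
        while q and ts - q[0] > self.window:  # slide the window: drop hits older than `window`
            q.popleft()
        if len(q) >= self.threshold:
            self.quarantined[src] = seen_at   # the block lands at poll time, not at the hit
            return src
        return None

    def run(self, events: List[Event]) -> Dict[str, datetime]:
        """Replay events as the SMS would see them: each hit surfaces at the next poll tick."""
        events = sorted(events)
        if not events:
            return {}
        t_start = events[0][0]
        for ev in events:
            ticks = (ev[0] - t_start) // self.poll_interval + 1
            self.observe(ev, t_start + ticks * self.poll_interval)
        return dict(self.quarantined)


def hits_before_block(events: List[Event], quarantined: Dict[str, datetime],
                      filter_id: str = SSH_ATTEMPT_FILTER) -> Dict[str, int]:
    """Matching hits each blocked source got through before its block was applied."""
    leaked: Dict[str, int] = defaultdict(int)
    for ts, src, _dst, fid in events:
        if fid == filter_id and src in quarantined and ts < quarantined[src]:
            leaked[src] += 1
    return dict(leaked)


if __name__ == "__main__":
    evs = make_sample_events()
    blocked = Responder().run(evs)
    for src, when in blocked.items():
        print("quarantine %s at %s" % (src, when.time()))
    print("hits through before block:", hits_before_block(evs, blocked))
```

Running it quarantines only 203.0.113.7, at the first poll tick after its tenth hit, and reports the hits that were already on the wire before that tick; that is the "initial entry can be high" effect the first reply mentions. The slow scanner never accumulates ten hits in one window, and the high-volume source on the other filter is never counted at all, which is the first thing to check when a source shows thousands of hits but no quarantine: that the Responder is bound to the filter those hits are logged under.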