OpnSense Firewall Automation

Wondering if anyone on here has done anything with automation of the OPNsense firewall? In particular the ability to dynamically add rule sets etc.?

What I am planning on doing is scanning a number of log files on an internal system (spam filter) and finding attackers who are trying to brute force LDAP logins. Once I have those, I then want to ban those addresses at the firewall level to stop them even being able to access the LDAP login page of the spam filter.

If not, looks like I will have to be the trailblazer in NR!

Craig


I thought it had built-in intrusion protection? Or is that just the business version?

It uses Suricata, which is good but only works (without a lot of messing around and continual breaking) on the firewall itself, i.e. it looks at packets coming through the firewall and at attacks on the firewall. It will not, however, monitor the logs on an internal spam filter, look for invalid LDAP logins and then ban them.

So the spam filter is based on Exim and we allow LDAP entry to this box for people to check their quarantine emails, manage their spam filters etc.

When a brute force intrusion is attempted, the attackers just cycle through a dictionary of harvested usernames and then start brute forcing password attempts. Rather than have the logs fill up with this, we want to monitor and, after say 3 attempts by a user, we will take that IP and put it into the firewall on a banned filter list, and that stops them hitting the spam filter any longer.

In a recent update to OPNsense they enabled the capability to dynamically add firewall rules to their rule lists, so we thought we would address it this way.

Craig

Sounds similar to fail2ban? I'm not familiar with OPNsense so probably can't really help. But there are certainly other potential tools I think.

Yep, Fail2ban will do it at the spam filter level, but it is not playing nicely with the Exim logs, plus we are trying to keep the stuff at the edge of the network.

Craig

OK, just trying to make sure that you've exhausted more dedicated options because Node-RED isn't really security certified. Though I know that some organisations have had security audits done, I think that, if you wanted to rely on Node-RED as part of your security setup, you should use a dedicated instance and get your own security audit.


There is this for reference... OPNSense API Alias toggle (flow) - Node-RED (nodered.org)

...uses the OPNsense API
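The pipeline sketched in this thread (count failed LDAP logins per source IP, ban after 3 attempts, push the offenders into an OPNsense alias via the API), as an added example that is not from the thread or the linked flow. The log line format, alias name, host and API key/secret are constructed assumptions; the `alias_util/add` endpoint path is assumed, so check it against your OPNsense version's API docs.

```javascript
// Added example, not from the thread. Scans constructed spam-filter log lines
// for failed LDAP logins, applies the 3-attempt threshold from the thread, and
// builds the OPNsense alias_util "add" request for each offending IP.
// Assumptions: log format below, alias name, OPNsense host, API key/secret.
const FAILED_LOGIN_RE =
  /^(\S+ \S+) .*LDAP login failed for user=(\S+) from=(\d{1,3}(?:\.\d{1,3}){3})/;

// Constructed sample lines (not real Exim output).
const SAMPLE_LOG = [
  "2024-01-10 08:00:01 spamfilter: LDAP login failed for user=alice from=198.51.100.7",
  "2024-01-10 08:00:02 spamfilter: LDAP login failed for user=bob from=198.51.100.7",
  "2024-01-10 08:00:03 spamfilter: LDAP login failed for user=carol from=198.51.100.7",
  "2024-01-10 08:00:04 spamfilter: LDAP login failed for user=alice from=203.0.113.9",
  "2024-01-10 08:00:05 spamfilter: LDAP login ok for user=alice from=192.0.2.4",
].join("\n");

// Map of source IP -> number of failed logins seen in the log text.
function countFailures(logText) {
  const counts = new Map();
  for (const line of logText.split("\n")) {
    const m = FAILED_LOGIN_RE.exec(line);
    if (!m) continue;
    const ip = m[3];
    counts.set(ip, (counts.get(ip) || 0) + 1);
  }
  return counts;
}

// IPs at or above the threshold (3, as proposed in the thread). The allowlist
// keeps internal or admin addresses from ever being pushed to the block alias.
function offenders(logText, threshold = 3, allowlist = []) {
  const out = [];
  for (const [ip, n] of countFailures(logText)) {
    if (n >= threshold && !allowlist.includes(ip)) out.push(ip);
  }
  return out;
}

// One request object per IP for OPNsense's alias_util add endpoint (assumed
// path). The alias must already exist and be referenced by a block rule;
// sending the requests (e.g. from a Node-RED http request node) is left out.
function buildAliasAddRequests(ips, { host, key, secret, alias }) {
  const auth = Buffer.from(`${key}:${secret}`).toString("base64");
  return ips.map((ip) => ({
    method: "POST",
    url: `https://${host}/api/firewall/alias_util/add/${encodeURIComponent(alias)}`,
    headers: { Authorization: `Basic ${auth}`, "Content-Type": "application/json" },
    body: JSON.stringify({ address: ip }),
  }));
}
```

Feeding real log lines means adjusting `FAILED_LOGIN_RE` to the spam filter's actual failure message; only the single repeat offender above crosses the threshold.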

Good one, thanks - will play and report back.

Craig