Wondering if anyone on here has done anything with automation of the OPNSense firewall? In particular, the ability to dynamically add rule sets, etc.?
What I am planning on doing is scanning a number of log files on an internal system (spam filter) to find attackers who are trying to brute-force LDAP logins. Once I have those, I then want to ban those addresses at the firewall level to stop them even being able to access the LDAP login page of the spam filter.
If not, looks like I will have to be the trailblazer in NR!
It uses Suricata, which is good, but it only works (without a lot of messing around and continual breaking) on the firewall itself, i.e. it looks at packets coming through the firewall and at attacks on the firewall. It will not, however, monitor the logs on an internal spam filter, look for invalid LDAP logins and then ban them.
So the spam filter is based on Exim, and we allow LDAP entry to this box for people to check their quarantined emails, manage their spam filters, etc.
When a brute-force intrusion is attempted, the attackers just cycle through a dictionary of harvested usernames and then start brute-forcing password attempts. Rather than have the logs fill up with this, we want to monitor and, after say 3 attempts by a user, take that IP and put it into the firewall on a banned filter list, and that stops them hitting the spam filter any longer.
In a recent update to OpnSense they enabled the capability to dynamically add firewall rules to their rule lists, so we thought we would address it this way.
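A worked example of the scan-count-ban logic described in this post, added here as illustration; it is not code from the thread, from OPNsense or from Node-RED. It parses constructed sample log lines (the real Exim / web UI failure message will differ, so the regex is an assumption), counts failed LDAP logins per source IP, skips internal addresses so a mistyped password on the LAN cannot lock the office out, and builds the request for OPNsense's alias utility API. The endpoint path (/api/firewall/alias_util/add/<alias>) and the key/secret basic-auth scheme are assumed from the OPNsense API documentation and should be checked against your version; the host, alias name ldap_bruteforce and the environment variable names are placeholders.

```javascript
// Added example (not from the thread): scan spam-filter log lines for failed LDAP
// logins, count failures per source IP, and build the OPNsense API call that adds
// each offending IP to a firewall alias referenced by a block rule.

const THRESHOLD = 3; // ban after this many failures from one IP

// Constructed sample log lines; the real Exim / web UI format will differ, so
// adjust FAIL_RE to match the actual failure message.
const SAMPLE_LOG = `
2024-05-01 10:00:01 webui: LDAP authentication failed for user 'alice' from 203.0.113.5
2024-05-01 10:00:02 webui: LDAP authentication failed for user 'bob' from 203.0.113.5
2024-05-01 10:00:03 webui: LDAP authentication failed for user 'carol' from 198.51.100.7
2024-05-01 10:00:04 webui: LDAP authentication succeeded for user 'dave' from 192.0.2.9
2024-05-01 10:00:05 webui: LDAP authentication failed for user 'dave' from 203.0.113.5
2024-05-01 10:00:06 webui: LDAP authentication failed for user 'erin' from 198.51.100.7
2024-05-01 10:00:07 webui: LDAP authentication failed for user 'admin' from 10.0.0.12
2024-05-01 10:00:08 webui: LDAP authentication failed for user 'root' from 10.0.0.12
2024-05-01 10:00:09 webui: LDAP authentication failed for user 'admin' from 10.0.0.12
`.trim().split("\n");

const FAIL_RE = /LDAP authentication failed for user '([^']*)' from (\d{1,3}(?:\.\d{1,3}){3})\s*$/;

// Returns { user, ip } for a failed-login line, or null for anything else.
function parseFailure(line) {
  const m = FAIL_RE.exec(line);
  return m ? { user: m[1], ip: m[2] } : null;
}

// RFC 1918 and loopback sources are never banned: a misconfigured internal
// client or an admin typo must not lock the office out of the spam filter.
function isInternal(ip) {
  const [a, b] = ip.split(".").map(Number);
  return a === 10 || a === 127 || (a === 192 && b === 168) || (a === 172 && b >= 16 && b <= 31);
}

// Map of ip -> { count, users } built from the log lines. The user set shows the
// dictionary-cycling pattern: many usernames from one source IP.
function countFailures(lines) {
  const byIp = new Map();
  for (const line of lines) {
    const f = parseFailure(line);
    if (!f) continue;
    const entry = byIp.get(f.ip) || { count: 0, users: new Set() };
    entry.count += 1;
    entry.users.add(f.user);
    byIp.set(f.ip, entry);
  }
  return byIp;
}

// IPs that reached the threshold and are not internal, sorted for stable output.
function selectBans(lines, threshold = THRESHOLD) {
  const bans = [];
  for (const [ip, entry] of countFailures(lines)) {
    if (entry.count >= threshold && !isInternal(ip)) bans.push(ip);
  }
  return bans.sort();
}

// Builds the request for OPNsense's alias utility API (assumed endpoint:
// POST /api/firewall/alias_util/add/<alias>, JSON body {"address": ip},
// HTTP basic auth with an API key/secret pair). Verify against your version.
function buildAliasAddRequest(host, alias, ip, key, secret) {
  const auth = Buffer.from(`${key}:${secret}`).toString("base64");
  return {
    url: `https://${host}/api/firewall/alias_util/add/${encodeURIComponent(alias)}`,
    options: {
      method: "POST",
      headers: { Authorization: `Basic ${auth}`, "Content-Type": "application/json" },
      body: JSON.stringify({ address: ip }),
    },
  };
}

// Sends one add request per IP; only called when credentials are supplied.
async function banIps(ips, { host, alias, key, secret }) {
  for (const ip of ips) {
    const { url, options } = buildAliasAddRequest(host, alias, ip, key, secret);
    const res = await fetch(url, options); // Node 18+ global fetch
    if (!res.ok) throw new Error(`ban ${ip} failed: HTTP ${res.status}`);
  }
}

// Dry run on the constructed log. Set OPNSENSE_HOST/KEY/SECRET (placeholder
// names) to actually push the bans to the firewall.
const toBan = selectBans(SAMPLE_LOG);
console.log("would ban:", toBan);
if (process.env.OPNSENSE_HOST && process.env.OPNSENSE_KEY && process.env.OPNSENSE_SECRET) {
  banIps(toBan, {
    host: process.env.OPNSENSE_HOST,
    alias: process.env.OPNSENSE_ALIAS || "ldap_bruteforce",
    key: process.env.OPNSENSE_KEY,
    secret: process.env.OPNSENSE_SECRET,
  }).catch((e) => { console.error(e.message); process.exitCode = 1; });
}
```

The alias only does something once a block rule on the WAN interface references it, so create the alias and rule in the OPNsense UI first and have the script add addresses to it. Two things worth deciding before running this for real: how the banned entries expire (a scheduled job calling the matching alias delete endpoint, assumed here to be /api/firewall/alias_util/delete/<alias>, is one option), and restricting the API key to the firewall alias permissions only, since a leaked key that can edit arbitrary rules is a bigger problem than the brute-forcing it was meant to stop.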
OK, just trying to make sure that you've exhausted more dedicated options, because Node-RED isn't really security-certified. Though I know that some organisations have had security audits done, I think that, if you wanted to rely on Node-RED as part of your security setup, you should use a dedicated instance and get your own security audit.