
Adaptive Firewalls

February 2nd, 2006

I’m thinking of building an adaptive firewall on my Linux router at home.

I’ve noticed that people are scanning the ports on the computer, and running HTTP requests to see if they can trip several known security flaws (e.g. in AwStats).

I did a little reading up on how to build an IPTables based adaptive firewall, and I’m beginning to concoct some ideas in my brain.

Basically, what I want to do is constantly scan the requests made to Apache (and maybe some other server apps) and build some rules to pick out naughty behaviour. Once I’ve done that, I can get the IP address of the offender and build a list of banned IP addresses. I’ll only want to “ban” (i.e. block at the firewall) those IPs for a set amount of time (e.g. 24 hours), but the response time of the firewall must be quick in order to catch these people in the act, so I must rebuild my IPTables rules in reasonable time. After the 24 hours is up, I then need to clear any expired IP addresses down again whilst still keeping the other blocked IPs and my other firewall rules in place.

I’m therefore thinking that producing a series of scripts based around Cron is not suitable – you can’t schedule it to run more than once a minute. It could mean that I need to produce some server program (either using a UDP socket or a UNIX-type pipe) to receive IP addresses as soon as possible, and to store the data for 24 hours.
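As an added sketch of the pieces described above (example code, not the author's own): the log lines are constructed, the 404 threshold and the awstats.pl match are assumed detection rules, and the functions return the iptables commands rather than running them, so a root-owned wrapper reading from the socket or pipe can apply them.

```python
import re
from collections import Counter

# Apache combined log format: client IP ... "METHOD /path HTTP/x" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3})')
BAN_SECONDS = 24 * 60 * 60   # 24-hour ban, as in the post
NOT_FOUND_LIMIT = 5          # assumed threshold: this many 404s from one IP = scanner

# Constructed sample lines (not real traffic): one awstats.pl probe, six 404s from one host, one normal visitor.
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Feb/2006:10:00:01 +0000] "GET /cgi-bin/awstats/awstats.pl HTTP/1.1" 404 211 "-" "-"',
    '192.0.2.1 - - [02/Feb/2006:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
] + ['198.51.100.9 - - [02/Feb/2006:10:00:0%d +0000] "GET /probe%d HTTP/1.1" 404 211 "-" "-"' % (i, i)
     for i in range(3, 9)]

def parse_line(line):
    m = LOG_RE.match(line)   # returns (ip, path, status) or None for an unparseable line
    return (m.group(1), m.group(2), int(m.group(3))) if m else None

def offenders(lines):
    """Pick out naughty IPs: any request for awstats.pl, or a burst of 404s."""
    bad, misses = set(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path, status = rec
        if "awstats.pl" in path:          # the known-flaw probe named in the post
            bad.add(ip)
        if status == 404:
            misses[ip] += 1
            if misses[ip] >= NOT_FOUND_LIMIT:
                bad.add(ip)
    return bad

class BanList:
    """ip -> expiry time; hands back the iptables commands a root wrapper should run."""
    def __init__(self):
        self.expiry = {}

    def ban(self, ip, now):
        fresh = ip not in self.expiry
        self.expiry[ip] = now + BAN_SECONDS   # a repeat offender's ban is extended, not duplicated
        return ["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"] if fresh else None

    def sweep(self, now):
        """Drop expired entries and return the matching iptables -D commands."""
        cmds = []
        for ip, t in list(self.expiry.items()):
            if t <= now:
                del self.expiry[ip]
                cmds.append(["iptables", "-D", "INPUT", "-s", ip, "-j", "DROP"])
        return cmds
```

Calling `sweep()` from the long-running server every few seconds gives the sub-minute expiry that Cron cannot, and because the rules are inserted and deleted one IP at a time, the rest of the firewall ruleset is never rebuilt.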

Anyone got any good suggestions?
