How to auto blacklist IP after a blocked attempt

Here to help

How to auto blacklist IP after a blocked attempt

I have a couple of meraki mx84 firewalls and lately I have had several attempts to attack one of our webservers.

These attempts have been blocked, but after an attempt is blocked, this IP should be blacklisted automatically.

Is it possible to do this configuration?

Thank You

4 Replies 4
Kind of a big deal
Kind of a big deal

There's no native function for the MX to do this, but you could make a script that reads syslog messages and upon seeing one for a given attempt, can perform API calls to create a rule blocking this IP.

With that said, I would look at using a 3rd party service such as cloudflare to perform web server protection.

Thanks for the suggestion. Given this firewall limitation, the approach might actually be to read the log and block every IP that makes more than x attempts.

Kind of a big deal
Kind of a big deal

This is a complicated subject, people often think that the firewall is the only security mechanism.
I guess the first thing to ask yourself is, do you need all of your servers to be published on the internet?
Ever thought of restricting access to specific IPs or even specific countries?
I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

This is not the only defense mechanism. And regarding the exposed servers, it's just a webserver.

As for the zone restriction, it is already in place. But if in an authorized country there is an attack attempt, there will be endless queries because there is no automatic blocking.

I will try to develop something local as suggested.

Thanks for the suggestions!

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.