Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

How to auto blacklist IP after a blocked attempt

Imperio
Here to help
‎Apr 5 2023 12:49 AM
‎Apr 5 2023 12:49 AM

How to auto blacklist IP after a blocked attempt

I have a couple of meraki mx84 firewalls and lately I have had several attempts to attack one of our webservers.

These attempts have been blocked, but after an attempt is blocked, this IP should be blacklisted automatically.

Is it possible to do this configuration?

Thank You

Labels:
0 Kudos
Subscribe
4 Replies 4
Brash
Kind of a big deal
Kind of a big deal
‎Apr 5 2023 1:50 AM
‎Apr 5 2023 1:50 AM

There's no native function for the MX to do this, but you could make a script that reads syslog messages and upon seeing one for a given attempt, can perform API calls to create a rule blocking this IP.

With that said, I would look at using a 3rd party service such as cloudflare to perform web server protection.

0 Kudos
Subscribe
In response to Brash
Imperio
Here to help
‎Apr 5 2023 6:24 AM
‎Apr 5 2023 6:24 AM

Thanks for the suggestion. Given this firewall limitation, the approach might actually be to read the log and block every IP that makes more than x attempts.

0 Kudos
Subscribe
alemabrahao
Kind of a big deal
Kind of a big deal
‎Apr 5 2023 3:49 AM
‎Apr 5 2023 3:49 AM

This is a complicated subject, people often think that the firewall is the only security mechanism.
 
I guess the first thing to ask yourself is, do you need all of your servers to be published on the internet?
 
Ever thought of restricting access to specific IPs or even specific countries?
I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Subscribe
In response to alemabrahao
Imperio
Here to help
‎Apr 5 2023 6:27 AM
‎Apr 5 2023 6:27 AM

This is not the only defense mechanism. And regarding the exposed servers, it's just a webserver.

As for the zone restriction, it is already in place. But if in an authorized country there is an attack attempt, there will be endless queries because there is no automatic blocking.

I will try to develop something local as suggested.

Thanks for the suggestions!

0 Kudos
Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.