Protecting ourselves from attacks and botnets on Fortigate

Something fundamental we can do in our infrastructures is to tell our perimeter firewalls to block any attempt to access our organization from malicious networks, botnet networks, IP addresses with a bad reputation, or addresses that appear on blocklists or blacklists, among others, to avoid unnecessary 😉 risks.

Recently we saw a very interesting way to protect our machines with CrowdSec; today we are going to look at something simpler to apply and totally complementary. There are large communities, organizations and bots dedicated to detecting and compiling what are called blacklists: public IP addresses that have been detected carrying out attacks, that are compromised by a botnet, that run scans, that look for vulnerabilities…

Well, a good idea is to protect access to our organization by adding a rule in the perimeter firewall that denies any access from the blocklists we choose to subscribe to. This post is based on Fortigate, but obviously it applies to any other vendor whose firewall allows you to import lists of IP addresses.

Like everything in life, we will start small and grow. A recommendation (it depends on the type of organization you are and what you publish): add reliable blacklists or blocklists that are updated daily; at the beginning, avoid lists that may produce false positives; and pick lists according to the services you have published on the Internet, since there are lists aimed at protecting HTTPS servers, FTP, SMTP…

We can start with sites like these, which catalog the lists, group them, etc. For example, the lists FireHOL publishes dedicated to cybercrime: in a column on the left you will see them quickly, categorized by type. Or you can see them on their GitHub as well, very well documented, with direct access to the file that is updated periodically.

Well, enough chatter, let's start. In our Fortigate we go to “Security Fabric” > “External Connectors” > “Create New”, where we can create our connector against a list of IP addresses published on the Internet.

Select “IP Address”.

We give the connector a name and enable it. Normally the list will not require authentication, so we disable that part, and then we add the URL of the blocklist and the refresh period, that is, how often we want the list to be downloaded from the Internet. “OK” and we have it.

And this is how it would look if we add a few. The truth is that so many are not necessary, nor these ones in particular; besides, I am sure I have some overlap between them, but my firewall is not affected by it, so off we go.

All that is left is to create one or several rules in our firewall, from the WAN interfaces to wherever we have published the resources, usually a DMZ. There, the first rule will be this one: a deny of the blacklists or blocklists we are interested in.

Leaving something like this.
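The same connector and deny policy, written as an added example in FortiOS CLI form rather than the GUI steps above (this is not code from the original post; the interface names wan1 and dmz, the object name and the FireHOL level1 URL are assumptions to adapt to your own setup):

```fortios
# Threat feed (external connector) of type "IP Address", refreshed every 24 h
config system external-resource
    edit "firehol_level1"
        set type address
        set status enable
        # Assumed URL of the FireHOL level1 list; replace with the list you subscribe to
        set resource "https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level1.netset"
        # refresh-rate is in minutes: 1440 = once a day
        set refresh-rate 1440
    next
end

# Deny policy from WAN to the DMZ using the threat feed as source address
# (edit 0 creates the policy with the next free ID; the policy must sit
# ABOVE the allow policies for the published services, move it if needed)
config firewall policy
    edit 0
        set name "Deny-blocklists-to-DMZ"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "firehol_level1"
        set dstaddr "all"
        set service "ALL"
        set schedule "always"
        set action deny
        # Log denied traffic so the hits can be collected and reviewed
        set logtraffic all
    next
end
```

Check that the feed has actually been downloaded (number of entries shown on the connector) before relying on the policy; an empty or unreachable feed matches nothing and denies nothing.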

Well, I hope these kinds of posts help or inspire you to propose and implement security improvements in your organizations. You have no idea how many curious people, bores and bots there are on the Internet; you will see it if you enable logging on that rule. It's amazing. If you collect the logs, you will see how accesses to our published resources go down, and even on our domain controllers, if we have resources on the Internet that authenticate against our AD, such as an IIS or the SMTP of an Exchange… Mind-blowing.

As always, before I leave you: let's not wait for them to attack us or for some mishap to happen to us. We have to be prepared, have contingency plans, minimize risks, etc. May it go well for you, be happy and eat partridges, a hug!

Author

nheobug@bujarra.com
Author of the Bujarra.com blog. Whatever you need, do not hesitate to contact me; I will try to help you whenever I can. Sharing is living ;). Enjoy the documents!!!
