Hello.
I would like to share my experience fighting SPAM and brute-force attacks.
Some time ago I realized I had a lot of brute-force connection attempts and a lot of SPAM connections to my mail server; another issue was a lot of web connections scanning my web servers for vulnerabilities. These connections are not flagged as "intrusions", since each one is only a request for a specific URL and looks clean and legitimate from the firewall's side, like:

I was looking for a global solution and started looking at fail2ban. It's a log parser with the ability to take actions, such as running shell commands, and it exists for Unix/Linux. At first I implemented the traffic block with the firewall on the server itself, a CentOS box with iptables. That solution was OK, but from the Firepower perspective I was still seeing a lot of connections without knowing which were good and which were not.
The solution was to get the fail2ban list into the Firepower system.
First I searched the web for a way to make fail2ban write its bans to a file:
In the "action" file of fail2ban (there should be action.d, filter.d and jail.d folders with specific files in them) I added a line under the original actionban:
echo <ip> >> /usr/local/www/blacklist_html.html

And for the actionunban (the pattern is anchored so that unbanning, for example, 10.0.0.1 does not also delete 10.0.0.10 from the file):
sed -i.bak '/^<ip>$/d' /usr/local/www/blacklist_html.html

This change made fail2ban write every IP triggered by its rules (folder filter.d) to the file blacklist_html.html. The next step was to add this list to my Firepower and create the corresponding rules.
Objects > Security Intelligence > Network Lists and Feeds > Add Network Lists and Feeds (top right)
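Because the feed file is built from values extracted from logs, it is worth rebuilding it as a clean list before Firepower fetches it. The following script is an added example, not part of the original post: it keeps only well-formed IPv4 addresses, removes duplicates, drops any address on a local allowlist (so the mail or web server never blacklists itself) and replaces the file atomically. The paths and the allowlist file are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): rebuild the feed file that the
# fail2ban actions append to, so Firepower only ever downloads a list of
# well-formed, de-duplicated IPv4 addresses.
set -eu

# Hypothetical paths; the post writes to /usr/local/www/blacklist_html.html.
RAW_LIST="${RAW_LIST:-/usr/local/www/blacklist_html.html}"
ALLOWLIST="${ALLOWLIST:-/usr/local/etc/feed_allowlist.txt}"

# Return 0 if $1 is a dotted quad with every octet in 0-255.
is_ipv4() {
    local ip=$1 octet
    [[ $ip =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] || return 1
    local IFS=.
    for octet in $ip; do
        # 10# forces decimal so "08" is not rejected as a bad octal literal
        (( 10#$octet <= 255 )) || return 1
    done
    return 0
}

# Read candidate lines on stdin and print the cleaned feed on stdout.
# $1 (optional): file of addresses that must never reach the feed, e.g.
# the mail/web server's own addresses and management hosts.
clean_feed() {
    local allow=${1:-/dev/null} line
    [[ -r $allow ]] || allow=/dev/null
    while IFS= read -r line || [[ -n $line ]]; do
        line=${line//[[:space:]]/}                  # strip CR and blanks
        is_ipv4 "$line" || continue                 # drop anything else
        grep -qxF -- "$line" "$allow" && continue   # honour the allowlist
        printf '%s\n' "$line"
    done | sort -u                                  # one entry per address
}

# Rewrite the feed atomically so a Firepower fetch never sees a half file.
publish_feed() {
    local tmp
    tmp=$(mktemp "${RAW_LIST}.XXXXXX")
    clean_feed "$ALLOWLIST" < "$RAW_LIST" > "$tmp"
    mv -f "$tmp" "$RAW_LIST"
}
```

Run publish_feed from cron shortly before each Firepower update; an append from fail2ban that lands during the rewrite is lost until the next ban, so keep the interval short.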

Select the type as Feed and fill in the table:
Name – whatever you like (I named mine mail_smtp_block)
Type – Feed
Feed URL – here I used my mail server's IP and the path to my blacklist_html.html file (Apache was already installed on my mail server)
MD5 URL – leave it blank
Update Frequency – 30 minutes; unfortunately 30 minutes is the smallest update frequency, I hope Cisco will improve this soon.
Next I created a rule to block connections based on the newly created feed:
Policies > Access Control Policy > Edit your policy > Security Intelligence

Now find your feed on the left side, under Available Objects > Networks, click on it, then click Available Zones > Any and click Add to Blacklist.
If you need to, you can create as many feeds as you like and add them here; for example, if you have a separate web server and mail server you can create 2 feeds, or you may want separate lists for spam and brute force, etc.
That's it: now when my fail2ban finds an attacker (SPAM, brute force or HTTP scan) it writes the IP to a file and my Firepower fetches the file over the web. This solution makes it possible to block all offending IPs at the Firepower layer. It also gives you the ability to build nice reports, or maybe your security officer would like a real-time tool to see the situation. Another good part is that we save a small amount of RAM and CPU on our mail and web servers. With some changes this solution could also be used for blocking DoS/DDoS type attacks.


I am not publishing my system configs or my fail2ban configs here, as you can find all of it on the web. My mail server was FreeBSD and my web server was CentOS with Apache and fail2ban installed; fail2ban parsed the httpd and mail logs for specific log lines, and if a line matched the regex it grabbed the IP and wrote it to the file.
I hope this helps you save time and pay more attention to your Firepower system.
Leave a comment if you have any questions.
Abdullo Salikhov
Dushanbe, Tajikistan.