windowsnerd.com

notes from an admin for himself. you can read it if you want.

Windows and OSSEC ipsec blocks

17 February, 2010 (19:33) | OS, security

Today I started toying with the idea of using OSSEC active response on Windows. My goal is to block a whole IP; you can block by port or traffic type instead if you wish (if anyone wants that, let me know). The first piece of work to share:

netsh ipsec static add policy name="ossec" description="ossec block list"

netsh ipsec static add filteraction name="block" action=block

netsh ipsec static add filter filterlist="ossecfilter" srcaddr=69.89.20.50 dstaddr=me protocol=tcp mirrored=yes

netsh ipsec static add rule name="ossecrule" policy="ossec" filterlist="ossecfilter" filteraction="block" description="list of ips to block"

netsh ipsec static set policy name="ossec" assign=y

This blocks windowsnerd.com.

Add another entry, this time for slashdot. IPsec doesn't like an empty filter list, so leave one address in there to seed it for the delete in a later step:

netsh ipsec static add filter filterlist="ossecfilter" srcaddr=216.34.181.45 dstaddr=me protocol=tcp mirrored=yes

Now, if you open the IPsec MMC, you will see an assigned IPsec policy; crack it open and you will see both entries, one for each IP.

Try going to windowsnerd.com, slashdot.com and another page. The first two will not work. All traffic has been blocked.

Unblock:

netsh ipsec static delete filter filterlist="ossecfilter" srcaddr=69.89.20.50 dstaddr=me protocol=tcp mirrored=yes

Repeat: now you can block and unblock by running the static add filter and static delete filter commands over and over. They update the policy you created in the first step. Not quite as cool as adding to hosts.deny and the firewall, but the same end result.

This example is for use with an application like OSSEC. If you want, you can specify per port, IP address, DNS name, whatever you want.
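The add/delete pair above wrapped as an OSSEC active-response script, as an added example (not the post's own commands). It assumes OSSEC's Windows convention of calling the script as `script.cmd <add|delete> <user> <srcip>`, the policy, filter-list and filter-action names shown in it, and the default ossec-agent install directory for its log file.

```batch
:: ossec-ipsec.cmd - OSSEC active-response script for Windows (added example,
:: not code from the original post). OSSEC runs it as
::   ossec-ipsec.cmd <add|delete> <user> <srcip>
:: (argument order assumed from the stock OSSEC Windows .cmd scripts).
:: netsh ipsec static needs admin rights; the OSSEC agent service has them.
@ECHO OFF
SETLOCAL

SET ACTION=%1
SET SRCIP=%3
SET POLICY=ossec
SET FLIST=ossecfilter
SET FACTION=ossecblock
:: Assumed log path (default ossec-agent install directory).
SET LOGFILE=%ProgramFiles%\ossec-agent\active-response\active-responses.log

:: Accept only a dotted-quad IPv4 address, so a hostile alert field
:: cannot smuggle extra netsh arguments onto the command line.
IF "%SRCIP%"=="" GOTO USAGE
ECHO %SRCIP%| FINDSTR /R /C:"^[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*$" >NUL
IF ERRORLEVEL 1 GOTO USAGE

IF "%ACTION%"=="add" GOTO ADD
IF "%ACTION%"=="delete" GOTO DEL
GOTO USAGE

:ADD
:: The mirrored filter blocks SRCIP to this host and back; adding the first
:: filter also creates the list, which is the "seed" address from the post.
netsh ipsec static add filter filterlist=%FLIST% srcaddr=%SRCIP% dstaddr=me protocol=tcp mirrored=yes
:: One-time setup; these fail harmlessly once the objects exist, so
:: repeated runs are safe.
netsh ipsec static add filteraction name=%FACTION% action=block >NUL 2>&1
netsh ipsec static add policy name=%POLICY% description="ossec block list" >NUL 2>&1
netsh ipsec static add rule name=ossecrule policy=%POLICY% filterlist=%FLIST% filteraction=%FACTION% >NUL 2>&1
netsh ipsec static set policy name=%POLICY% assign=y >NUL 2>&1
ECHO %DATE% %TIME% %~nx0 add %SRCIP% >> "%LOGFILE%"
GOTO END

:DEL
:: Must match the add filter exactly, otherwise nothing is removed.
netsh ipsec static delete filter filterlist=%FLIST% srcaddr=%SRCIP% dstaddr=me protocol=tcp mirrored=yes
ECHO %DATE% %TIME% %~nx0 delete %SRCIP% >> "%LOGFILE%"
GOTO END

:USAGE
ECHO Usage: %~nx0 ^<add^|delete^> ^<user^> ^<srcip^> 1>&2
EXIT /B 1
:END
EXIT /B 0
```

Drop it in the agent's active-response\bin directory and register it in ossec.conf with a `<command>` whose `<executable>` is ossec-ipsec.cmd and `<expect>srcip</expect>`, then reference that command from an `<active-response>` block with a `<timeout>` so the delete call runs and unblocks automatically.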
