Various of my machines run code to detect intrusion attempts (scans, password guessing etc) and in the past I used to just add rules to my firewall to stop the waste of bandwidth.
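To achieve the same thing with m0n0wall I use the following Perl code to add rules to m0n0wall's ipfw firewall rule set. Please note: this is not supported or endorsed by the m0n0wall developers; it uses an interface that is unsupported. Because the address is placed directly into a command that runs on the firewall, the script should only ever be given a validated IP address, and the admin credentials it sends are only as protected as the connection to the web interface.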
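#!/usr/bin/perl
# Use at your own risk
# This is unsupported and potentially dangerous
# No Warranty express or implied is made for this technique or code
# Maurice Castro (c) 2009
# This code may be copied and modified
#
# blockatfw.pl - ask the firewall to drop TCP traffic from one IPv4 address by
# posting an "ipfw add" command to the exec.php page of its web interface.
#
# Usage: blockatfw.pl <ipv4-address>
#
# Exit status:
#   0  request accepted
#   1  HTTP request failed
#   2  response was not text/html
#   3  response body started with "ERR:"
#   4  address argument missing or not a plain dotted-quad IPv4 address
use strict;
use warnings;
use LWP;

# NOTE(review): the URL below is plain http, so the Basic-auth credentials and
# the command travel unencrypted. If the firewall's web interface is reachable
# over https, point $server/$url at that instead and keep this file readable
# only by the account that runs it, since it holds the admin password.
my $server = "fw.example.com:80";
my $url    = "http://$server/exec.php";
my $debug  = 0;

# Return the address rebuilt from its four validated octets, or nothing when
# the argument is not a strict dotted quad. The value ends up inside a command
# executed on the firewall, so anything other than digits and dots (spaces,
# ';', '|', newlines, extra ipfw keywords) must never get through. Leading
# zeros are refused because some parsers read them as octal.
sub parse_ipv4 {
    my ($candidate) = @_;
    return unless defined $candidate;

    my $octet  = qr/(?:0|[1-9][0-9]{0,2})/;
    my @octets = $candidate =~ /\A($octet)\.($octet)\.($octet)\.($octet)\z/;
    return unless @octets == 4;
    return if grep { $_ > 255 } @octets;

    return join '.', @octets;
}

my $ip = parse_ipv4($ARGV[0]);
if (!defined $ip) {
    print STDERR "Usage: $0 <ipv4-address>\n";
    exit 4;
}

# NOTE(review): callers that feed this from intrusion-detection output should
# keep a list of addresses that must never be blocked (management hosts,
# gateways, monitoring), otherwise a forged source address can lock them out.

my $ua = LWP::UserAgent->new;
$ua->timeout(10);
$ua->credentials(
    $server,
    '.',
    'fwadmin' => 'fwpasswd'
);

# A plain key/value list: the original wrapped this in an extra array
# reference, which appears to have worked only because the form encoder
# unwraps a single array-ref argument.
my @form = (
    "txtCommand" => "ipfw add 1 drop tcp from $ip to any"
);

my $response = $ua->post($url, \@form);

if (!$response->is_success) {
    print "$url error: " . $response->status_line . "\n";
    exit 1;
}

if ($response->content_type ne 'text/html') {
    print "Invalid content type at $url: " . $response->content_type . "\n";
    exit 2;
}

my $body = $response->content;
if ($body =~ /^ERR:/) {
    # Error bodies look like "ERR: <number>, <description>"; split the two parts.
    my $errno = $body;
    $errno =~ s/^ERR: //;
    $errno =~ s/,.*//;
    my $errdesc = $body;
    $errdesc =~ s/^[^,]*, //;
    print "$errno error: " . $errdesc . "\n";
    exit 3;
}

print $body if ($debug);
exit 0;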
The code: blockatfw.pl