bugs-friemmedia / server2pf

Python script to fill a table on OPNsense with the IP addresses of web server attackers.

Home Page:https://www.friemmedia.de


server2pf

Python script (Python 3.9) to fill an alias table on OPNsense with the IP addresses of visitors doing bad things on your server.

Give your OPNsense firewall the possibility to protect a server that is reachable from the Internet through that firewall against visitors who do the wrong things on the server or who try to break into the system.

Workflow (short description)

There are two scripts working together:

  • One script collects the IP addresses on the server and writes them to a text file. In the folder "input-examples" you can find a PHP script as one example.
  • The Python script "server2pf.py" runs as a cronjob. It reads the IP addresses from /tmp/ip-list.txt and compares them with the entries of an external alias on the OPNsense; addresses that are missing there are added via the API.

Workflow (long description)

Collecting the IP addresses

The input of the Python script is a simple text file with IP addresses, one per line. The file is generated on a server which is reachable from the Internet and should be protected by an OPNsense.

As a simple example, I have added my PHP error page, which does the following:

This PHP file reads the client IP address (the address the web server sees the request coming from) and appends it to a file in the temp folder (full path: /tmp/ip-list.txt). After that, the script redirects to an error page called error.html located in the same folder. Keep in mind that this only works as intended when the web server sees the real client address: behind a reverse proxy or CDN every request arrives from the proxy, and a forwarded-for header must not be trusted blindly, because a visitor can set it to any address and get that address blocked.

I think this is one of the most common use cases. But you can also write your own script that collects external IP addresses and writes them into a text file on your server.

The intention is to block these IP addresses at the OPNsense firewall.

So with this file you can configure a web server (in my case nginx, but you can also use another web server). Configure it so that this PHP file is executed whenever a visitor provokes an error. This is the situation when a visitor tries to access folders or files which do not exist on the server, either just to produce a fault or to gather more information about the server.

All you have to do is check the path of the text file (line 11) and the "landing page" the script redirects to when it has finished its work (line 16).

I have had this file on my nginx for more than a year to protect access to the root folder, and it works great. All web applications are installed in subfolders.
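As an added example of the "write your own collector" route mentioned above (this is not the project's PHP script and not part of the original README), the following Python snippet does the same job from the nginx access log instead of from an error page: it picks out requests that ended in an error status and appends the client addresses to the list file that server2pf.py reads. It assumes the nginx "combined" log format, treats 403 and 404 as the interesting statuses, and uses the /tmp/ip-list.txt path from this README; the log lines in it are constructed for the demonstration.

```python
"""Alternative collector in the spirit of the PHP error page: scan an nginx
access log for requests that ended in an error status and append the client
addresses to the ip-list file server2pf.py reads.

Added example for this README, not the project's own collector.  Assumptions:
nginx "combined" log format, 403/404 as the "bad" statuses, and the
/tmp/ip-list.txt path used in the README.
"""
import ipaddress
import re
from pathlib import Path

# nginx "combined" log format:
# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent
#   "$http_referer" "$http_user_agent"
COMBINED_RE = re.compile(
    r'^(?P<addr>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Statuses that count as "doing bad things" (assumption; adjust to taste).
BAD_STATUSES = {403, 404}

# Ranges that must never end up in the block list: own LAN, loopback,
# link-local and CGNAT space.  Kept explicit instead of relying on
# ipaddress.is_global so the operator controls exactly what is excluded.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def parse_line(line):
    """Return (client_address, status, request) for one combined-format line,
    or None if the line does not parse or carries no valid address."""
    m = COMBINED_RE.match(line.strip())
    if not m:
        return None
    try:
        addr = ipaddress.ip_address(m.group("addr"))
    except ValueError:
        return None
    return addr, int(m.group("status")), m.group("request")


def collect_bad_clients(lines, bad_statuses=BAD_STATUSES):
    """Deduplicated client addresses (as strings, first-seen order) that
    triggered one of bad_statuses, excluding NEVER_BLOCK ranges.  Only
    $remote_addr is used: X-Forwarded-For would be attacker-controlled and
    could be abused to get an arbitrary address blocked."""
    found = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        addr, status, _request = parsed
        if status not in bad_statuses:
            continue
        if any(addr in net for net in NEVER_BLOCK):
            continue
        if str(addr) not in found:
            found.append(str(addr))
    return found


def append_to_ip_list(addresses, path="/tmp/ip-list.txt"):
    """Append addresses that are not yet in the list file; returns the number
    of lines written.  Keeps the one-address-per-line shape server2pf.py reads."""
    target = Path(path)
    present = set(target.read_text().split()) if target.exists() else set()
    new = [a for a in addresses if a not in present]
    if new:
        with target.open("a") as fh:
            fh.write("\n".join(new) + "\n")
    return len(new)


# Constructed sample log lines for a dry run (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:55:37 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"
192.168.1.10 - - [10/Oct/2023:13:55:38 +0000] "GET /.env HTTP/1.1" 404 153 "-" "curl/8.0"
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "GET /.git/config HTTP/1.1" 403 153 "-" "Mozilla/5.0"
this line is not an access log entry
2001:db8::1 - - [10/Oct/2023:13:55:40 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 153 "-" "python-requests/2.31"
"""

if __name__ == "__main__":
    # Real use: collect_bad_clients(open("/var/log/nginx/access.log")) followed by
    # append_to_ip_list(...).  Here only the selection on the sample is shown.
    print("would add:", collect_bad_clients(SAMPLE_LOG.splitlines()))
```

On the sample, the LAN address with its 404 is dropped, the 200 response is ignored and the repeated attacker shows up once; the same NEVER_BLOCK idea is what keeps the private test address out of the alias in the testing step later on.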

Adding the IP addresses to the alias table

In the second step you have to do a little bit more.

First, create the rules

On your OPNsense you have to create an alias of the type "External (advanced)". Aliases of this type are meant to be filled via the API. I call it "server2pf".

Create a firewall rule on your WAN interface. Choose "Block" as the action, select the alias "server2pf" as the source and, if you like, check the log option to see the blocking in the live view.

Save this rule. My advice is to place it at the top of your rule list, because this rule should be evaluated as early as possible. Don't be afraid: the rule only blocks IP addresses that are in this alias, and at the beginning and after a reboot the list is empty, so nothing will be blocked. :)

Second, get API access

After creating the rule, you need access to the API. This is done with a user on the OPNsense which you should create only for this purpose. Go to System -> Access -> Users and create a user which is used only for API access. I call it, you guessed right, "server2pf".

Generate a scrambled password, because you don't need it: the script authenticates with the API key, not with the password.

The group must be "admin", because only admins can add IP addresses to alias tables via the API. Be aware what that means: the key and secret you are about to create grant full administrative access to the firewall, and they will be stored on the Internet-facing server. Treat the script file like a root password (restrictive file permissions, never inside the webroot).

Scroll down to the option "API keys" and click the plus symbol in that row to create a new API key.

Download the text file apikey.txt. Now you can see an entry in the "API keys" row. Save this user.

Now we have finished creating the API user.

Download a valid certificate from your OPNsense. If you do not have one, or if you want to use one only for API access, create a new one. The script uses this certificate to verify the TLS connection to the firewall, so the key and secret are never sent to an impostor.

Configure the Python script

As you can see in the Python file server2pf.py, there is a part called "Server2PF". This is the only part you have to configure.

I have tried to put all the information you need to configure the script in the right place.

We will configure the script with the data collected so far. Begin with the Python dictionary in line 39 (the line begins with "self.server2ip = ..."):

  • Line 39 -> 'ip-list': enter the path to the IP list text file (in our example this was /tmp/ip-list.txt).
  • Line 40 -> 'external_host': enter the FQDN or the URL of your server.
  • Line 41 -> 'alias': enter the name of the external alias we created on the OPNsense (in my example this was "server2pf").
  • Line 42 -> 'url_host': replace <IP of opnsense> with the LAN IP address of your OPNsense (we expect the server to be connected to your LAN :) ).
  • Line 46 -> 'key': replace <API-Key of User> with the content of the first line of the downloaded "apikey.txt" file of your API user (everything right of "key=").
  • Line 47 -> 'secret': replace <Secret of User> with the content of the second line of the downloaded "apikey.txt" file of your API user (everything right of "secret=").
  • Line 48 -> 'fw-cert': replace /path/to/Certificate.pem with the path where you want to store the certificate on the server. Please beware not to save it in the webroot folder!

Now save the file and transfer the Python file server2pf.py and the certificate .pem file to the server.

Move the .pem file to the folder you entered in the Python file at line 48. Since server2pf.py now contains the API key and secret, keep it outside the webroot as well and make it readable only by the user the cronjob runs as.

Testing

Now you can test the script.

Just create the file in the folder (in my example /tmp/ip-list.txt) and enter an IP address. It should be an IP address from the Internet. You can also enter a private IP address on a new line, if you wish.

Save the file.

Now run the Python script.

If everything is correct, the script should add only the external IP address to the alias table ("server2pf" in my example); the private address is skipped.

Now connect to the GUI of the OPNsense to check whether everything is working.

Go to Firewall -> Diagnostics -> Aliases. Select the external alias "server2pf". Now you should see the IP address added via the API. If you want to remove the IP address, just click on the bin on the right.

If there are problems, go to System -> Log Files -> Backend and search for the name of the external alias ("server2pf"). In the dropdown field right of the search field choose Notice, Informational or Debug; then OPNsense will tell you why the IP address couldn't be added to the alias.

Bring it all up

So, all the testing was successful; now you can create a cronjob to run the Python script regularly. I execute the script every 2 minutes.

Only when there is a text file with IP addresses, and only if these IP addresses are not already in the alias table on the OPNsense, will the new IP addresses be added to the alias table. Otherwise nothing is done.
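To make the configuration, the testing step and the cron behaviour described above concrete, here is an added example of the core of such a sync script. It is not the project's server2pf.py and not part of the original README; it assumes the alias_util endpoints of the OPNsense API (GET /api/firewall/alias_util/list/<alias> and POST /api/firewall/alias_util/add/<alias> with a JSON body {"address": ...}), HTTP basic authentication with the API key as user name and the secret as password, and the ip-list, alias, url_host, key, secret and fw-cert settings from the configuration section. The addresses in the dry run are constructed.

```python
"""server2pf-style sync: read the ip-list file, keep only addresses worth
blocking, ask the firewall what the alias already holds, push the difference.
Added example for this README, not the project's own server2pf.py.  Assumed:
OPNsense alias_util endpoints (GET /api/firewall/alias_util/list/<alias>,
POST /api/firewall/alias_util/add/<alias> with {"address": ...}), HTTP basic
auth with key as user name and secret as password, and the settings from above.
"""
import base64
import ipaddress
import json
import ssl
import urllib.request
from pathlib import Path

# Never push these to the firewall: own LAN, loopback, link-local, CGNAT.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def filter_candidates(lines):
    """Raw ip-list lines -> normalised, deduplicated, blockable addresses."""
    out = []
    for raw in lines:
        try:
            addr = ipaddress.ip_address(raw.strip())
        except ValueError:
            continue                              # blank line or garbage
        if any(addr in net for net in NEVER_BLOCK):
            continue                              # e.g. the private test address
        if str(addr) not in out:
            out.append(str(addr))
    return out


def addresses_to_add(candidates, existing):
    """Candidates the alias does not hold yet; existing comes from the API."""
    have = {str(ipaddress.ip_address(e)) for e in existing}
    return [c for c in candidates if c not in have]


class OpnsenseAlias:
    def __init__(self, url_host, alias, key, secret, fw_cert):
        self.base, self.alias = url_host.rstrip("/"), alias
        # Strict TLS verification against the downloaded .pem; url_host must be
        # a name or IP that the certificate actually contains.
        self.ctx = ssl.create_default_context(cafile=fw_cert)
        token = base64.b64encode(f"{key}:{secret}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}",
                        "Content-Type": "application/json"}

    def _call(self, path, payload=None):
        data = None if payload is None else json.dumps(payload).encode()
        req = urllib.request.Request(self.base + path, data=data, headers=self.headers,
                                     method="GET" if data is None else "POST")
        with urllib.request.urlopen(req, context=self.ctx, timeout=15) as resp:
            return json.loads(resp.read().decode())

    def list(self):
        reply = self._call(f"/api/firewall/alias_util/list/{self.alias}")
        return [row["ip"] for row in reply.get("rows", [])]  # assumed row shape

    def add(self, address):
        return self._call(f"/api/firewall/alias_util/add/{self.alias}",
                          {"address": address})


class DryRunAlias:
    """Drop-in for OpnsenseAlias that only records what would be added."""
    def __init__(self, existing=()):
        self.rows = list(existing)

    def list(self):
        return list(self.rows)

    def add(self, address):
        self.rows.append(address)
        return {"status": "done"}


def sync_lines(lines, client):
    """Push every new, blockable address from lines to the alias; return them."""
    new = addresses_to_add(filter_candidates(lines), client.list())
    for address in new:
        client.add(address)
    return new


def sync(cfg, client=None):
    """One cron run: does nothing when the list file is absent or holds
    nothing new, which is the behaviour the README describes."""
    path = Path(cfg["ip-list"])
    if not path.exists():
        return []
    client = client or OpnsenseAlias(cfg["url_host"], cfg["alias"], cfg["key"],
                                     cfg["secret"], cfg["fw-cert"])
    return sync_lines(path.read_text().splitlines(), client)


if __name__ == "__main__":
    # Offline run on a constructed list; pretend the alias already holds 203.0.113.7.
    dry = DryRunAlias(existing=["203.0.113.7"])
    print("added:", sync_lines(["203.0.113.7", "198.51.100.9", "10.0.0.5", "junk"], dry))
```

Because the TLS context is built from the downloaded .pem and verification is not switched off, url_host has to be a name or IP that the certificate actually carries, otherwise the call fails on purpose rather than leaking the admin key to whatever answers at that address. The DryRunAlias stand-in lets you run the whole decision path on the server without touching the firewall; swap it for OpnsenseAlias once the list looks right.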

Maintenance

So we are collecting IP addresses and blocking them. When you have enabled logging in the rule, you should see the blocks in the live view. The more bad accesses you get, the more blocks will show up. But blocking at the WAN side of the firewall is better than bad accesses reaching your server.

If you like, you can run the setup in this configuration, but it is advisable to clean the alias table regularly. I have configured a custom cronjob on the OPNsense. This cronjob runs every day and deletes IP addresses which are older than one week, so an IP address is blocked for one week only.

This can be done with the following action script, created in the folder /usr/local/opnsense/service/conf/actions.d/. I called it actions_server2pf.conf. The content of this file is (604800 seconds is 7 days; pfctl removes the table entries that are older than that):

[start]
command:/sbin/pfctl
parameters:-t server2pf -T expire 604800
type:script
description:Cleanup server2pf
message:cleanup server2pf.

To update the system and tell the GUI that there is a new file for the cron, you have to execute the following command:

service configd restart

Now, in the web GUI, go to System -> Settings -> Cron. Create a new cronjob, configure time and date as you like and select the entry "Cleanup server2pf" in the line "Command". Save these settings and apply them to the system.

In the end you have added a new layer of security to your server. Visitors trying to do bad things only have a time slot of 2 minutes (or the time you have configured in the cron for the server2pf Python script). After that they will be blocked directly at the firewall.

As already mentioned, the content of this external alias is not kept across a reboot. The alias will be empty again. But over time it will fill up again once the OPNsense is up and running. Trust me. ;)

Good Luck.

Robert Friemer@ friem[media]
