So I've been thinking of creating a post on how to block IPs when they try to do something bad to your system, for example an exploit against a WordPress plugin on your DMZ web server. It's quite easy and extremely effective. Just set up a profile that will automatically block the IP when it tries to do bad things.
So first of all, create a tag. Name it something related to blocked IPs:
![](http://wp.12p.no/wp-content/uploads/2019/10/image.png)
Create an Address Group of type Dynamic that matches this tag:
![](http://wp.12p.no/wp-content/uploads/2019/10/image-4.png)
Then create a Log Forwarding profile:
![](http://wp.12p.no/wp-content/uploads/2019/10/image-1.png)
The result should be something like this:
![](http://wp.12p.no/wp-content/uploads/2019/10/image-2.png)
You now have a setup that matches severity Critical for the log type Threat and tags the source IP of the logged traffic with BLOCKED-HOSTS.
Now you can take your own incoming rule and add this Log Forwarding profile to it. (BE SURE that you have a threat profile active on the rule, otherwise no threat logs are generated and nothing gets tagged.)
![](http://wp.12p.no/wp-content/uploads/2019/10/image-3-1024x355.png)
To block these IPs, you need to create a rule above the inbound rule that blocks the address group:
![](http://wp.12p.no/wp-content/uploads/2019/10/image-5-1024x148.png)
And you are good to go. Get rid of those idiots (for a selected time at least).
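To make the behaviour of this setup concrete, here is a small model of it in Python. It is an added example, not firewall configuration or vendor code: the log events are constructed, and the 60-minute tag timeout is an assumed value (use whatever you set on the tagging action).

```python
from datetime import datetime, timedelta

# Assumption: timeout configured on the tagging action, in minutes.
TAG_TIMEOUT = timedelta(minutes=60)

# Constructed threat-log events (documentation IPs, not real firewall output).
EVENTS = [
    {"time": "2019-10-01 12:00:00", "src": "203.0.113.7", "severity": "critical"},
    {"time": "2019-10-01 12:05:00", "src": "203.0.113.9", "severity": "high"},
    {"time": "2019-10-01 12:20:00", "src": "203.0.113.8", "severity": "critical"},
]

def ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

def register_tags(events, timeout=TAG_TIMEOUT):
    """Log Forwarding match: Threat log with severity Critical -> tag the source IP.

    Returns {ip: expiry}. Lower severities never reach the tag.
    """
    registry = {}
    for event in events:
        if event["severity"] != "critical":
            continue
        # Model choice: keep the expiry derived from the latest matching log.
        registry[event["src"]] = ts(event["time"]) + timeout
    return registry

def group_members(registry, now):
    """Dynamic address group: every IP whose BLOCKED-HOSTS tag has not expired."""
    return {ip for ip, expiry in registry.items() if now < expiry}

def evaluate(src, registry, now):
    """Rules are checked top-down: the block rule sits above the inbound rule."""
    if src in group_members(registry, now):
        return "deny"   # hit the block rule
    return "allow"      # falls through to the inbound rule (threat profile still inspects)

if __name__ == "__main__":
    reg = register_tags(EVENTS)
    for when in ("2019-10-01 12:30:00", "2019-10-01 13:10:00", "2019-10-01 13:30:00"):
        now = ts(when)
        print(when, {ip: evaluate(ip, reg, now) for ip in ("203.0.113.7", "203.0.113.8", "203.0.113.9")})
```

Note what the model shows: only Critical threats tag a source, and a tagged IP is allowed through the inbound rule again once its timeout expires, where the threat profile is the only thing inspecting it until it triggers a new Critical log.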