This repository provides a FastNetMon Community Edition integration that uses NETCONF to automatically blackhole attacking IPs on a Juniper SRX firewall by installing and removing `/32 discard` static routes.

## Tested on

This has only been tested on:

- Debian 12 OS
- Juniper SRX340

## Features

- Automatic bans from FastNetMon
- Optional commit confirmed (auto-expiring bans, recommended)
- Explicit unban support
- Email notifications (not fully tested)
- NETCONF over SSH (no CLI scraping)
## How it works

```
Traffic → FastNetMon Flow server → notify_attack.sh → Python NETCONF → Juniper SRX
```

- FastNetMon detects an attack
- `notify_attack.sh` is triggered
- The Python script uses NETCONF to:
  - BAN: add a `/32 discard` route
  - UNBAN: remove the route
- Optional `commit confirmed` ensures no stuck blackholes
## Installing FastNetMon

If you don't already have FastNetMon running, follow the official documentation:

👉 https://fastnetmon.com/install/

```bash
wget https://install.fastnetmon.com/installer -O installer
sudo chmod +x installer
sudo ./installer -install_community_edition
```

Verify service status:

```bash
systemctl status fastnetmon
```

## Installing the integration

```bash
# Python NETCONF script
cp srx_netconf_blackhole.py /usr/local/bin/
chmod +x /usr/local/bin/srx_netconf_blackhole.py

# FastNetMon notify script
cp notify_attack.sh /usr/local/bin/
chmod +x /usr/local/bin/notify_attack.sh
```

Edit the FastNetMon configuration:

```bash
nano /etc/fastnetmon.conf
```

Ensure this line exists:

```
notify_script_path: /usr/local/bin/notify_attack.sh
```

Restart FastNetMon:

```bash
systemctl restart fastnetmon
```
## Ban and unban behaviour

### Ban

- Triggered when FastNetMon detects an attack
- Adds a `/32 discard` static route on the SRX
- Uses NETCONF with candidate configuration and commit

### Unban

- Triggered when FastNetMon clears the attack
- Removes the static route
- Always uses a normal commit (never commit confirmed)
## Script parameters

### Required

| Parameter | Description |
|---|---|
| `ban` / `unban` | Action to perform |
| `--host` | SRX management IP |
| `--user` | NETCONF username |
| `--ip` | IPv4 address to ban/unban |

### Authentication

| Parameter | Description |
|---|---|
| `--ssh-key` | Path to SSH private key (recommended) |
| `--password` | Password authentication (not recommended) |

### Optional

| Parameter | Default | Description |
|---|---|---|
| `--timeout` | 120 | NETCONF RPC timeout (seconds) |
| `--commit-confirmed` | ON | Enable commit confirmed (BAN only) |
| `--no-commit-confirmed` | OFF | Disable commit confirmed |
| `--confirm-timeout` | 600 | Auto-rollback time (seconds) |
| `--hostkey-verify` | OFF | Enable SSH host key verification |

⚠️ Important: `commit confirmed` is automatically disabled for unban, even if enabled globally, to prevent rollback loops.

Note that host key verification is off by default; enabling `--hostkey-verify` once the SRX key is in the FastNetMon server's `known_hosts` ensures the NETCONF session is only ever established with the firewall it was configured for.
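The two RPCs behind a ban and an unban are small enough to show in full. The following is an added example, not the repository's `srx_netconf_blackhole.py`: it builds the NETCONF `<edit-config>` for a `/32 discard` static route and the matching `<commit>`, applying the commit policy the tables above describe (confirmed commit with auto-rollback for `ban`, always a plain commit for `unban`). It also validates the address FastNetMon hands over before it is placed inside a firewall commit, rejecting prefixes, IPv6 and non-global addresses so a misfiring detection cannot blackhole internal infrastructure. Function names (`validate_target`, `edit_config_rpc`, `commit_rpc`) and the sample address are assumptions of this example, and the XML is only built here, not sent.

```python
"""Build the NETCONF RPCs used to blackhole / un-blackhole an IPv4 /32 on Junos.

Added example; it is not the project's own script. It assumes the NETCONF
base-1.0 namespace and the Junos <configuration> tree for static routes.
"""
import ipaddress
import xml.etree.ElementTree as ET

NC_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
ET.register_namespace("nc", NC_NS)


def validate_target(ip_text: str) -> str:
    """Return the canonical IPv4 host address or raise ValueError.

    Everything passed in ends up inside a config commit on the firewall, so
    accept only a single, globally routable IPv4 host: no prefixes, no IPv6
    (listed as future work), nothing private, loopback or multicast.
    """
    addr = ipaddress.ip_address(ip_text.strip())   # rejects "1.2.3.0/24" and garbage
    if addr.version != 4:
        raise ValueError(f"only IPv4 is supported: {ip_text!r}")
    if not addr.is_global:
        raise ValueError(f"refusing to blackhole non-global address {addr}")
    return str(addr)


def is_valid_target(ip_text: str) -> bool:
    """Boolean wrapper around validate_target for callers that only need yes/no."""
    try:
        validate_target(ip_text)
        return True
    except ValueError:
        return False


def edit_config_rpc(ip_text: str, action: str) -> bytes:
    """<edit-config> on the candidate datastore adding (ban) or deleting (unban) the route."""
    ip = validate_target(ip_text)
    if action not in ("ban", "unban"):
        raise ValueError(f"unknown action {action!r}")
    rpc = ET.Element(f"{{{NC_NS}}}rpc", {"message-id": "1"})
    edit = ET.SubElement(rpc, f"{{{NC_NS}}}edit-config")
    ET.SubElement(ET.SubElement(edit, f"{{{NC_NS}}}target"), f"{{{NC_NS}}}candidate")
    cfg = ET.SubElement(ET.SubElement(edit, f"{{{NC_NS}}}config"), "configuration")
    static = ET.SubElement(ET.SubElement(cfg, "routing-options"), "static")
    route = ET.SubElement(static, "route")
    ET.SubElement(route, "name").text = f"{ip}/32"
    if action == "ban":
        # equivalent of: set routing-options static route <ip>/32 discard
        ET.SubElement(route, "discard")
    else:
        # equivalent of: delete routing-options static route <ip>/32
        route.set(f"{{{NC_NS}}}operation", "delete")
    return ET.tostring(rpc)


def commit_rpc(action: str, commit_confirmed: bool = True, confirm_timeout: int = 600) -> bytes:
    """<commit> for the action: confirmed (auto-rollback) for ban, always plain for unban."""
    rpc = ET.Element(f"{{{NC_NS}}}rpc", {"message-id": "2"})
    commit = ET.SubElement(rpc, f"{{{NC_NS}}}commit")
    if action == "ban" and commit_confirmed:
        ET.SubElement(commit, f"{{{NC_NS}}}confirmed")
        ET.SubElement(commit, f"{{{NC_NS}}}confirm-timeout").text = str(confirm_timeout)
    return ET.tostring(rpc)


def rpcs_for(action: str, ip_text: str, commit_confirmed: bool = True) -> list:
    """The ordered RPC sequence a NETCONF session would send for one ban/unban."""
    return [edit_config_rpc(ip_text, action), commit_rpc(action, commit_confirmed)]


if __name__ == "__main__":
    # 1.2.3.4 is a constructed sample attacker address, not a real target
    for msg in rpcs_for("ban", "1.2.3.4"):
        print(msg.decode())
    for msg in rpcs_for("unban", "1.2.3.4"):
        print(msg.decode())
```

A confirmed commit that is never followed by a confirming commit rolls the candidate back after `confirm-timeout` seconds, which is exactly why the ban side uses it and the unban side must not: an unban that auto-reverted would silently reinstall the blackhole.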
## Configuring notify_attack.sh

At the top of `notify_attack.sh`:

```bash
EMAIL_NOTIFY="me@example.com"
SRX_HOST=""          # 192.168.0.1
SRX_USER=""          # NETCONF username
SRX_KEY=""           # /root/.ssh/id_rsa
USE_COMMIT_CONFIRMED=true
CONFIRM_TIMEOUT=600
```

| Value | Behavior |
|---|---|
| `true` | Auto-expiring bans (recommended) |
| `false` | Permanent bans until explicit unban |
## SRX configuration

```
set system services netconf ssh
set system login user fastnetmon class super-user
set system login user fastnetmon authentication ssh-rsa "ssh-rsa AAAA..."
commit
```

🔒 You may later replace `super-user` with a restricted class if desired.

## Testing the NETCONF connection

From the FastNetMon server:

```bash
ssh -p 830 fastnetmon@SRX_MGMT_IP -s netconf
```

You should see NETCONF XML capabilities returned.
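The capabilities the SRX returns in its `<hello>` are worth checking rather than just eyeballing, because the integration depends on two of them: `candidate` (for the candidate datastore the script edits) and `confirmed-commit` (for auto-expiring bans). The following added example, not part of the repository, parses a NETCONF 1.0 hello message, strips the `]]>]]>` end-of-message framing, and reports which required capability is missing. The `SAMPLE_HELLO` text is constructed for the example and the function names are assumptions; a real session would feed in the bytes read from the `ssh -s netconf` subsystem instead.

```python
"""Check a NETCONF <hello> for the capabilities this integration relies on.

Added example, not the project's code. Assumes NETCONF base-1.0 framing
(messages terminated by ]]>]]>) as Junos uses on port 830.
"""
import xml.etree.ElementTree as ET

NC_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
EOM = "]]>]]>"   # NETCONF 1.0 end-of-message delimiter

# Required capability URIs, matched by prefix so both :1.0 and :1.1 are accepted
REQUIRED = {
    "candidate": "urn:ietf:params:netconf:capability:candidate:1.",
    "confirmed-commit": "urn:ietf:params:netconf:capability:confirmed-commit:1.",
}

# Constructed sample hello, modelled on what a Junos device advertises
SAMPLE_HELLO = """<hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <capabilities>
    <capability>urn:ietf:params:netconf:base:1.0</capability>
    <capability>urn:ietf:params:netconf:capability:candidate:1.0</capability>
    <capability>urn:ietf:params:netconf:capability:confirmed-commit:1.0</capability>
    <capability>urn:ietf:params:netconf:capability:validate:1.0</capability>
    <capability>urn:ietf:params:netconf:capability:url:1.0?scheme=http,ftp,file</capability>
  </capabilities>
  <session-id>4242</session-id>
</hello>
]]>]]>"""


def parse_hello(raw: str) -> tuple:
    """Return (session_id, set of capability URIs) from a raw hello message."""
    body = raw.split(EOM, 1)[0]          # drop the framing delimiter before parsing
    root = ET.fromstring(body)
    if root.tag != f"{{{NC_NS}}}hello":
        raise ValueError(f"expected <hello>, got {root.tag}")
    caps = {c.text.strip() for c in root.iter(f"{{{NC_NS}}}capability") if c.text}
    session_id = root.findtext(f"{{{NC_NS}}}session-id")
    return session_id, caps


def missing_capabilities(caps: set) -> list:
    """Names from REQUIRED that no advertised capability satisfies, in REQUIRED order."""
    missing = []
    for name, prefix in REQUIRED.items():
        # ignore any ?query part (e.g. url:1.0?scheme=...) before comparing
        if not any(cap.split("?", 1)[0].startswith(prefix) for cap in caps):
            missing.append(name)
    return missing


def check_hello(raw: str) -> list:
    """Convenience: parse and return the list of missing required capabilities."""
    _, caps = parse_hello(raw)
    return missing_capabilities(caps)


if __name__ == "__main__":
    sid, caps = parse_hello(SAMPLE_HELLO)
    print(f"session {sid}: {len(caps)} capabilities advertised")
    print("missing:", missing_capabilities(caps) or "none")
```

If `confirmed-commit` is missing the script's default of commit confirmed would fail at the `<commit>` step, so this is the check to run before enabling `USE_COMMIT_CONFIRMED=true`.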
## Testing a manual ban

```bash
python3 /usr/local/bin/srx_netconf_blackhole.py ban \
  --host {SRX_MGMT_IP} --user fastnetmon --ssh-key {SSH KEY} \
  --ip {ATTACKER IP}
```

Verify on the SRX:

```
show configuration routing-options static | display set | match {ATTACKER IP}
```

## Testing end to end

Generate test traffic:

```bash
hping3 -S --flood -p 443 <target_ip>
```

Monitor logs:

```bash
journalctl -u fastnetmon -f
journalctl -t fastnetmon-notify -f
```
```bash
tail -f /var/log/fastnetmon-srx-netconf.log
```

## Future work

- BGP RTBH (upstream blackholing)
- Batch multiple IPs per commit
- IPv6 support
- Routing-instance isolation
- Rate-limit commits for large attacks

## Credits

- FastNetMon Community Edition - https://github.com/pavel-odintsov

This is community-driven automation. Always test in a lab environment before deploying to production.