Thread: Re: [mod-security-users] Question about iptables
From: Reindl H. <h.r...@th...> - 2013-09-18 17:39:15
On 18.09.2013 19:07, Jose Pablo Valcárcel Lázaro wrote:
> First of all, sorry to post here, but I believe that mod_security with iptables makes it harder for hackers to gain
> access to resources.
>
> I was wondering if someone could tell me if he/she has been able to use the iptables string module with the hitcount
> module. Why? Easy to answer. You could limit access to PHP forms using string (but for performance Deep
> Packet Inspection is not the best approach) and using hit count.
>
> You could block more than 5 chances to gain access to example_form.php.
>
> Is it a bad idea? Does mod_security have brute-force rules?
>
> I know that you can develop new rules to approach this solution or use some other alternatives such as captchas or
> honeypot fields.

generally whatever can be done in the earliest possible layer should be done there
security is always a layered thing (network, firewall, application firewall, application)

things like rate-control and limiting concurrent connections from a source-ip
should be done in iptables or if possible even a device before the server

it *can* be done with modsec, but wherever you can catch attacks a layer before, do so
From: Jose P. V. L. <pab...@gm...> - 2013-09-19 08:38:43
Hi again.

After some researching time I found someone who asked the same question about iptables, the string option and hit-count limiting:
http://www.governmentsecurity.org/forum/topic/32728-iptables-throttle-by-string-matching/

    iptables -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --string '/csp/handshake?ct=application%2Fjavascript' --set
    iptables -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --string '/csp/handshake?ct=application%2Fjavascript' --update --seconds 5 --hitcount 20 -j DROP

    server:/home/user# iptables -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --string '/csp/handshake?ct=application%2Fjavascript' --set
    iptables v1.4.2: Unknown arg `(null)'
    Try `iptables -h' or 'iptables --help' for more information.

As you see he had problems when he tried to apply those rules, so I kept looking for some similar rules and I found them when I saw an article about preventing DNS amplification attacks here: http://blog.rootshell.ir/

Straight from the iptables snippet at that link I see these lines:

    iptables -A INPUT -p udp -m udp --dport 53 -m string --hex-string "|0000ff0001|" --algo bm --from 48 --to 65535 -m recent --set --name dnsanyquery --rsource
    iptables -A INPUT -p udp -m udp --dport 53 -m string --hex-string "|0000ff0001|" --algo bm --from 48 --to 65535 -m recent --rcheck --seconds 60 --hitcount 5 --name dnsanyquery --rsource -j DROP

So finally from those rules I guess someone could modify them in order to block brute-force attacks not only with mod_security rules :) :

    iptables -A INPUT -p tcp -m tcp --dport 80 -m string --string "wp-admin.php" --algo bm -m recent --set --name blockwordpress --rsource
    iptables -A INPUT -p tcp -m tcp --dport 80 -m string --string "wp-admin.php" --algo bm -m recent --rcheck --seconds 60 --hitcount 5 --name blockwordpress --rsource -j DROP

I haven't tested it but if someone in a development environment could try and use it I would be thankful to hear that it works!!
Kind regards,

2013/9/18 Jose Pablo Valcárcel Lázaro <pab...@gm...>:
> Thanks Reindl :).
>
> Kind Regards
From: Reindl H. <h.r...@th...> - 2013-09-19 08:58:31
i posted my iptables rules many times on several lists

you need to adjust the variables and test it in your environment
but that is from a production infrastructure with weekly audits

"iptables -A" may work with "iptables -I" for connlimit, wherever
i took it it was written that way and did not work, but that maybe
is caused by the way my whole firewall rules are generated in a large
shell-script distributed over 20 machines with if-blocks on hostname
___________________________________

there are basically *two* rule-blocks

* max connections per 2 seconds and IP
* max active connections per IP
* the echo starts the rule-block
* any other line starts with "iptables"
* so anything wrapped in the mail not starting with echo/iptables belongs to the previous one

RATE_CONTROL_MAX="150"
CONNECTION_MAX="50"

echo "DOS-PROTECTION: not more than $RATE_CONTROL_MAX new connections per two seconds and client-ip"
iptables -I INPUT -p tcp -i eth0 ! -s $LAN_RANGE -m conntrack --ctstate NEW -m recent --set
iptables -I INPUT -p tcp -i eth0 ! -s $LAN_RANGE -m conntrack --ctstate NEW -m recent --update --seconds 2 --hitcount $RATE_CONTROL_MAX -j DROP
iptables -I INPUT -p tcp -i eth0 ! -s $LAN_RANGE -m conntrack --ctstate NEW -m recent --update --seconds 2 --hitcount $RATE_CONTROL_MAX -m limit --limit 100/h -j LOG --log-prefix "Firewall Rate-Control: "
iptables -I INPUT -p udp -i eth0 ! -s $LAN_RANGE -m conntrack --ctstate NEW -m recent --name udpflood --set
iptables -I INPUT -p udp -i eth0 ! -s $LAN_RANGE -m conntrack --ctstate NEW -m recent --name udpflood --update --seconds 2 --hitcount $RATE_CONTROL_MAX -j DROP
iptables -I INPUT -p udp -i eth0 ! -s $LAN_RANGE -m conntrack --ctstate NEW -m recent --name udpflood --update --seconds 2 --hitcount $RATE_CONTROL_MAX -m limit --limit 100/h -j LOG --log-prefix "Firewall Rate-Control: "

echo "DOS-PROTECTION: not more than $CONNECTION_MAX parallel connections to port 80/443"
iptables -A INPUT -p tcp -i eth0 ! -s $LAN_RANGE -m multiport --destination-port 80,443 --syn -m connlimit --connlimit-above $CONNECTION_MAX -m limit --limit 100/h -j LOG --log-prefix "Firewall Slowloris: "
iptables -A INPUT -p tcp -i eth0 ! -s $LAN_RANGE -m multiport --destination-port 80,443 --syn -m connlimit --connlimit-above $CONNECTION_MAX -j DROP
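An added example, not code from the thread: a small Python model of the xt_recent list that the `-m recent` rules in both messages above (the string-match brute-force idea and the rate-control block) rely on. It replays a constructed burst of NEW connections through three rule orderings: Reindl's `-I` block (evaluated LOG, DROP, then `--set`), a hypothetical variant of it with `--rcheck` in place of `--update`, and the `-A` set-then-rcheck pattern quoted from the DNS article. The addresses, timestamps and the scaled-down threshold (5 hits in 2 s instead of 150) are constructed. The ring size models the module parameter `ip_pkt_list_tot` (default 20); on older kernels that value also capped `--hitcount`, so a threshold like 150 needed the module loaded with a larger value (`modprobe xt_recent ip_pkt_list_tot=...`), while newer kernels size the ring from `--hitcount`.

```python
"""Constructed simulation of the iptables xt_recent --seconds/--hitcount window.

Added example, not code from the thread. Times are integer milliseconds and
the source addresses are constructed documentation-range IPs.
"""
from collections import defaultdict


class RecentList:
    """One xt_recent list (what --name selects). Each source keeps a ring of
    its last pkt_list_tot hit timestamps, mirroring ip_pkt_list_tot."""

    def __init__(self, pkt_list_tot=20):
        self.pkt_list_tot = pkt_list_tot
        self.stamps = defaultdict(list)   # source ip -> hit times, oldest first

    def _touch(self, ip, now_ms):
        ring = self.stamps[ip]
        ring.append(now_ms)
        if len(ring) > self.pkt_list_tot:
            del ring[0]                   # the oldest stamp is overwritten

    def set(self, ip, now_ms):
        """--set: always matches and records a hit for the source."""
        self._touch(ip, now_ms)
        return True

    def check(self, ip, now_ms, seconds, hitcount, update=False):
        """--rcheck (update=False) or --update (update=True): matches when the
        source is already listed and at least `hitcount` of its stored hits are
        no older than `seconds`. --update refreshes the entry only when the rule
        matched, so a source that keeps knocking keeps extending its own block.
        A hitcount larger than the ring can never be reached."""
        if ip not in self.stamps:
            return False
        window_ms = seconds * 1000
        hits = sum(1 for t in self.stamps[ip] if now_ms - t <= window_ms)
        matched = hits >= hitcount
        if update and matched:
            self._touch(ip, now_ms)
        return matched


def insert_chain(lst, ip, now_ms, seconds, hitcount, update=True):
    """Reindl's TCP block. The three 'iptables -I' lines each insert at the
    top, so the kernel evaluates them in reverse: LOG, DROP, then --set.
    update=False is a hypothetical variant using --rcheck instead of --update."""
    lst.check(ip, now_ms, seconds, hitcount, update)      # -j LOG: non-terminating (-m limit only throttles the log line)
    if lst.check(ip, now_ms, seconds, hitcount, update):  # -j DROP
        return "DROP"
    lst.set(ip, now_ms)                                    # --set with no target: record and fall through
    return "ACCEPT"


def append_chain(lst, ip, now_ms, seconds, hitcount, update=False):
    """The DNS-style block from the quoted article: 'iptables -A' keeps file
    order, so --set runs first and --rcheck counts the packet just recorded."""
    lst.set(ip, now_ms)
    return "DROP" if lst.check(ip, now_ms, seconds, hitcount, update) else "ACCEPT"


def replay(chain, events, seconds=2, hitcount=5, pkt_list_tot=20, **kw):
    """Feed constructed (time_ms, src_ip) events through one chain on a fresh list
    and return the verdict for each event."""
    lst = RecentList(pkt_list_tot)
    return [chain(lst, ip, t, seconds, hitcount, **kw) for t, ip in events]


ATTACKER, CLIENT = "203.0.113.9", "198.51.100.7"   # constructed addresses
# Constructed burst: eight NEW connections within 1.4 s, one more at 2.6 s and
# one at 10 s, with a single unrelated client in between. Window 2 s, threshold 5.
EVENTS = [(0, ATTACKER), (200, ATTACKER), (400, ATTACKER), (500, CLIENT),
          (600, ATTACKER), (800, ATTACKER), (1000, ATTACKER), (1200, ATTACKER),
          (1400, ATTACKER), (2600, ATTACKER), (10000, ATTACKER)]

if __name__ == "__main__":
    for name, chain, kw in [("-I, --update", insert_chain, {}),
                            ("-I, --rcheck", insert_chain, {"update": False}),
                            ("-A set/rcheck", append_chain, {})]:
        print(f"{name:14s}", " ".join(v[0] for v in replay(chain, EVENTS, **kw)))
    # A ring smaller than the threshold silently never fires: the old cap mattered.
    print("ring of 4, hitcount 5:", set(replay(append_chain, EVENTS, pkt_list_tot=4)))
```

The replays make two points that the rules alone do not show. The `-A` ordering trips on the 5th hit because `--set` records the packet before `--rcheck` counts it, while the `-I` ordering trips on the 6th, since the current packet is not yet in the list when the DROP rule checks it. And `--update` keeps extending the block as long as the source keeps knocking (the 2.6 s attempt is still dropped), whereas with `--rcheck` the dropped packets are never recorded and the block lapses two seconds after the last accepted hit.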
From: Jose P. V. L. <pab...@gm...> - 2013-09-19 09:34:41
Thanks again Reindl :).

Kind regards