Re: [mod-security-users] apache 2 mod_security iptables
From: jin&hitman&Barracuda <jin...@gm...> - 2020-12-26 15:00:51
Hi, I'm not here to argue about iptables (or ipsets) and I did not say that each and every address needs an iptables rule. I just said, a lot easier than *iptables*. At the time ipsets were introduced, there were some design flaws like:

- ipsets did not support loading host (/32) addresses and networks into a single table. They needed to be loaded as separate tables.
- Under the same conditions and on the same hardware, ipsets needed more time to load/reload sets/tables than pf.
- When you need to use a file to load a set of addresses, you need to specifically design that file because ipset doesn't support loading a list of addresses from a simple text file. Each and every line should start with the "add" keyword and continue with "<ipset_name>" and "ip address". Also you have to add the ipset create stanza at the very beginning of that file.

On the contrary, pf can load addresses from a simple file, and there is no need to add anything to that file or divide the address list into host addresses and network addresses.

I did not use ipsets after RHEL 6; there must have been some improvements, but I doubt that it will be as useful as pf is.

On Sat, Dec 26, 2020 at 12:46 PM Reindl Harald <h.r...@th...> wrote:
>
> On 26.12.20 at 10:11, jin&hitman&Barracuda wrote:
> > Hi,
> >
> > I've used fail2ban for a bunch of SMTP servers and it didn't go well. But
> > there is another project (crowdsec) and I guess that it is worth
> > mentioning here. The project has many features which fail2ban doesn't have. I
> > haven't tried it yet but I will soon. Maybe you'd like to look at it.
> >
> > Crowdsec: A Fail2Ban alternative written in Go -
> > https://github.com/crowdsecurity/crowdsec
> >
> > By the way, while I was using fail2ban, I had a script (which I wrote) to
> > add/remove IP addresses to the OpenBSD firewall, which is a lot easier than
> > iptables.
>
> you don't write iptables rules for each and every address
> https://ipset.netfilter.org/ is your friend
> https://ipset.netfilter.org/ipset.man.html
>
> * you have *one* iptables rule with the ipset match
> * one command adds or removes an ip to the set
> * it's dramatically faster -> hash-table
> * you can block millions of ips without performance drop
>
> > On Sat, Dec 26, 2020, 11:37 Jeffery Wilkins <djc...@gm...> wrote:
> >
> >     I'm looking for some people who host HTTP servers (apache/nginx) and who
> >     are familiar with mod_security and iptables firewalls.
> >
> >     The setup that I am after is: if an IP address hits my website and
> >     does a typical vuln scan, my web server sends them back no response and they
> >     silently get added to an iptables ipset blacklist that lasts for 1 week.
> >
> >     I already have mod_security (OWASP RULES) on my apache 2 server at
> >     (192.168.2.10) and a pfsense style firewall at (192.168.2.1).
> >
> >     Kind of like a web server honeypot if you will.
> >
> >     My current setup is already pretty powerful: if you even send a simple
> >     TCP SYN packet to port 21, 22 or even 23 you automatically get added to
> >     my router's firewall and dropped for 7 days for both in and outbound.
> >
> >     Forgive me for asking a lot, but I really want to buckle down on these
> >     stupid automated vuln scanners and keep them off my network.
> >
> >     I have already looked into things like fail2ban but that only protects
> >     the webserver itself and does not integrate with my router's firewall at
> >     all, protecting the network as a whole.
> >
>
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/

--
*There is no place like "/home"*
*Tuco (Benedicto Pacifico Juan Maria) Ramirez*
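The thread's two practical points (one iptables rule matching an ipset, and the complaint that ipset cannot load a plain list of addresses) can be bridged with a small shell helper. The following is an added example, not code from any poster on this list: it turns a plain text file of one address per line (hosts and CIDR networks mixed, `#` comments allowed) into the `ipset restore` format the author describes, using a `hash:net` set, which holds /32 hosts and networks in the same set. The set name `scanners` and the 7-day timeout of 604800 seconds are assumptions taken from the original question; nothing in the block touches the kernel, so it can be run and inspected before being piped into `ipset`.

```shell
#!/bin/sh
# ipset_restore_from_list NAME [TIMEOUT_SECONDS]
# Reads a plain address list on stdin and writes "ipset restore" stanzas on stdout.
# Lines may be hosts (192.0.2.7) or networks (203.0.113.0/24); blank lines and
# "#" comments are ignored; anything that is not an IPv4 host/network is
# reported on stderr and skipped rather than poisoning the whole restore.
ipset_restore_from_list() {
    name=$1
    timeout=${2:-604800}   # assumed default: 7 days, as in the original question

    # hash:net accepts mixed prefix lengths, so hosts and networks share one set.
    # "timeout" makes every entry expire on its own; no cron job needed to unban.
    printf 'create %s hash:net family inet timeout %s\n' "$name" "$timeout"

    awk -v set="$name" '
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }   # strip comments and padding
        $0 == "" { next }                                  # skip blank lines
        $0 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ {
            print "skipping bad entry: " $0 > "/dev/stderr"
            next
        }
        { print "add " set " " $0 }
    '
}

# Typical use on the firewall host (not executed here; requires root and ipset):
#   ipset_restore_from_list scanners 604800 < blocklist.txt | ipset -exist restore
#   iptables -I INPUT -m set --match-set scanners src -j DROP
# "-exist" lets the same file be replayed to refresh timeouts of entries already
# present, and the single iptables rule above never needs to change.
```

The `create` line is emitted first because, as the author notes, a restore file must declare the set before adding to it; the `-exist` flag on the `ipset` command makes that harmless when the set already exists, so the same pipeline serves both the initial load and later reloads.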