Re: [mod-security-users] apache 2 mod_security iptables
From: Reindl H. <h.r...@th...> - 2020-12-26 15:16:47
first: may i ask you why you respond with html to plaintext mails?

On 26.12.20 at 16:00 jin&hitman&Barracuda wrote:
> Hi,
>
> I'm not here to argue about iptables (or ipsets) and i did not say that
> every and each address needs an iptables rule. I just said, a lot easier
> than *iptables*. At the time ipsets were introduced, there were some design
> flaws like;
>
> - ipsets did not support loading host (/32) addresses and networks into a
>   single table. They need to be loaded as separate tables

not true! "Type: hash:net" has no problem with /32

if you use "hash:ip" but want to mix: a fool with a tool is still a fool

--------------------------
real-world ipset from a datacenter firewall

Name: BLOCKED_IPV4
Type: hash:net
Header: family inet hashsize 1024 maxelem 512
Size in memory: 3520
Number of entries: 51
Members:
3.112.171.163
18.130.64.226
31.28.163.0/24
31.28.170.0/24
--------------------------

> - under the same conditions and same hardware, ipsets needed more time to
>   load/reload sets/tables than pf

how often do you reboot?

> - When you need to use a file to load a sample of addresses, you need to
>   specifically design that file because ipset doesn't support loading a
>   list of addresses from a simple text file. Each and every line should
>   start with the "add" keyword and should continue with "<ipset_name>" and
>   "ip address". Also you have to add the ipset create stanza at the very
>   beginning of that file. On the contrary, pf can load addresses from a
>   simple file and yet there is no need to add anything to that file or
>   divide the address list into host addresses and network addresses.

hell, that's what save/restore is for

a) ipset -file /etc/sysconfig/ipset restore
   one time at reboot before restoring iptables/iptables-nft

b) ipset -file /etc/sysconfig/ipset save
   each time you made changes which should survive a reboot

and when you want to load from a textfile you just loop through the
textfile and do "ipset add IPSET_NAME VALUE" which is a 1-liner if you want

> I did not use ipsets after RHEL6, there must be some improvements

RHEL6 is a long time ago

AFAIK you needed redirection instead of -file to begin with

> but i doubt that it will be as useful as pf is.

jesus christ......

and even if PF has some advantages nobody will switch to openbsd because
of that and if it's only because there is no systemd, initscripts are crap

> On Sat, Dec 26, 2020 at 12:46 PM Reindl Harald <h.r...@th...> wrote:
>
> > On 26.12.20 at 10:11 jin&hitman&Barracuda wrote:
> > > Hi,
> > >
> > > I've used fail2ban for a bunch of smtp servers and it didn't go well.
> > > But there is another project (crowdsec) and i guess that it is worth
> > > mentioning here. The project has many features which fail2ban doesn't
> > > have. I haven't tried it yet but i will soon. Maybe you'd like to look
> > > at it.
> > >
> > > Crowdsec: A Fail2Ban alternative written in Go -
> > > https://github.com/crowdsecurity/crowdsec
> > >
> > > By the way, while i was using fail2ban, i had a script (which i wrote)
> > > to add/remove ip addresses to the openbsd firewall which is a lot
> > > easier than iptables.
> >
> > you don't write iptables rules for each and every address
> >
> > https://ipset.netfilter.org/ is your friend
> > https://ipset.netfilter.org/ipset.man.html
> >
> > * you have *one* iptables rule with the ipset match
> > * one command adds or removes an ip to the set
> > * it's dramatically faster -> hash-table
> > * you can block millions of ips without performance drop
> >
> > > On Sat, Dec 26, 2020, 11:37 Jeffery Wilkins <djc...@gm...> wrote:
> > > >
> > > > I'm looking for some people who host http servers (apache/nginx)
> > > > and who are familiar with mod_security and iptables firewalls
> > > >
> > > > the setup that I am after is if an IP address hits my website and
> > > > does a typical vuln scan my web server sends them back no response
> > > > and they silently get added to an iptables ipset blacklist that
> > > > lasts for 1 week
> > > >
> > > > I already have mod_security (OWASP RULES) on my apache 2 server at
> > > > (192.168.2.10) and a pfsense style firewall at (192.168.2.1)
> > > >
> > > > kind of like a web server honeypot if you will
> > > >
> > > > my current setup is already pretty powerful if you even send a
> > > > simple TCP SYN packet to port 21,22 or even 23 you automatically
> > > > get added to my routers firewall and dropped for 7 days for both in
> > > > and outbound
> > > >
> > > > forgive me for asking a lot but I really want to buckle down on
> > > > these stupid automated vuln scanners and keep them off my network
> > > >
> > > > I have already looked into things like fail2ban but that only
> > > > protects the webserver itself and does not integrate with my
> > > > routers firewall at all protecting the network as a whole
>
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
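The thread's disagreement is about getting a plain list of hosts and networks into a single set without hand-writing the `add`/`create` lines. The script below is an added example for this archive page, not code from any of the posters: it turns a plain text blocklist (one IPv4 address or CIDR per line, `#` comments allowed) into `ipset restore` format for one `hash:net` set, so /32 hosts and networks land in the same set as in the listing above. The set name, the `maxelem` value and the sample addresses (RFC 5737 documentation ranges) are assumptions chosen for the example; invalid lines are reported and skipped rather than aborting the whole load.

```shell
#!/bin/sh
# Added example: generate an `ipset restore` script from a plain blocklist.
# Assumes ipset 6.x syntax (create/add lines as produced by `ipset save`).
set -eu

# is_ipv4_cidr ENTRY
#   Returns 0 if ENTRY is a dotted quad with an optional /0-32 prefix.
#   ipset would reject bad entries anyway, but validating first lets us
#   skip one bad line instead of failing the entire restore.
is_ipv4_cidr() {
    addr=${1%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32          # no slash: single host
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $addr                               # split into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# plain_to_ipset_restore SETNAME < plainlist
#   Emits one `create` line followed by one `add` line per valid entry.
#   hash:net is used so that /32 hosts and networks share one set.
plain_to_ipset_restore() {
    setname=$1
    printf 'create %s hash:net family inet hashsize 1024 maxelem 65536\n' "$setname"
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
      | while read -r entry; do
            [ -n "$entry" ] || continue
            if is_ipv4_cidr "$entry"; then
                printf 'add %s %s\n' "$setname" "$entry"
            else
                printf 'skipping invalid entry: %s\n' "$entry" >&2
            fi
        done
}

# Constructed sample blocklist (documentation addresses, not real attackers),
# in the plain format the thread wants to load: hosts and networks mixed,
# with comments and a couple of deliberately broken lines.
sample_blocklist() {
    cat <<'EOF'
# constructed sample list
192.0.2.1
198.51.100.7          # single host
203.0.113.0/24        # whole network
192.0.2.128/25
999.1.1.1             # bad octet, skipped
10.0.0.0/33           # bad prefix, skipped

EOF
}

# Stand-alone demo: print the generated restore script (nothing is applied).
sample_blocklist | plain_to_ipset_restore BLOCKED_IPV4
```

In use, replace `sample_blocklist` with `cat /etc/blocklist.txt`, feed the output to `ipset -exist restore` (the `-exist` option makes re-running after a list refresh idempotent), and reference the set from a single rule such as `iptables -I INPUT -m set --match-set BLOCKED_IPV4 src -j DROP`; `ipset save > /etc/sysconfig/ipset` then preserves the populated set across reboots exactly as described above.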