Re: [mod-security-users] apache 2 mod_security iptables
From: jin&hitman&Barracuda <jin...@gm...> - 2020-12-26 16:57:12
Sorry for the html mails, but there is no chance to replace it. In the first mail 'djc...@gm...' mentioned that he/she needs a solution for pfsense. You didn't read it, did you? (Please don't answer, it's obvious.) I never wanted to be the guy who has to argue with a Linux fanatic who thinks systemd is salvation. Nope, never ever, and God is my witness. God, I beg you, don't push me that hard, don't let me be that guy. By the way, it must be a miracle to have a dc fw that has 51 records. Glorious... I should thank you because you entertained me well. All of them are just a joke, but you know that you started this. djc...@gm..., I'm really sorry to bother you, because honestly I just wanted to share something that could help you. Usually, I never poke or push people to argue with me.

On Sat, Dec 26, 2020, 18:20 Reindl Harald <h.r...@th...> wrote:

> first: may i ask you why you respond with html to plaintext mails?
>
> On 26.12.20 at 16:00, jin&hitman&Barracuda wrote:
> > Hi,
> >
> > I'm not here to argue about iptables (or ipsets) and I did not say that each and every address needs an iptables rule. I just said, a lot easier than *iptables*. At the time ipsets were introduced, there were some design flaws like:
> >
> > - ipsets did not support loading host (/32) addresses and networks into a single table. They needed to be loaded as separate tables
>
> not true! "Type: hash:net" has no problem with /32
>
> if you use "hash:ip" but want to mix: a fool with a tool is still a fool
>
> --------------------------
>
> real-world ipset from a datacenter firewall
>
> Name: BLOCKED_IPV4
> Type: hash:net
> Header: family inet hashsize 1024 maxelem 512
> Size in memory: 3520
> Number of entries: 51
>
> Members:
> 3.112.171.163
> 18.130.64.226
> 31.28.163.0/24
> 31.28.170.0/24
>
> --------------------------
>
> > - under the same conditions and same hardware, ipsets needed more time to load/reload sets/tables than pf
>
> how often do you reboot?
>
> > - When you need to use a file to load a set of addresses, you need to specifically design that file because ipset doesn't support loading a list of addresses from a simple text file. Each and every line should start with the "add" keyword and should continue with "<ipset_name>" and "ip address". Also you have to add an ipset create stanza at the very beginning of that file. On the contrary, pf can load addresses from a simple file and yet there is no need to add anything to that file or divide the address list into host addresses and network addresses.
>
> hell, that's what save/restore is for
>
> a) ipset -file /etc/sysconfig/ipset restore
> one time at reboot before restore iptables/iptables-nft
> b) ipset -file /etc/sysconfig/ipset save
> each time you made changes which should survive a reboot
>
> and when you want to load from a textfile you just loop through the textfile and do "ipset add IPSET_NAME VALUE" which is a 1-liner if you want
>
> > I did not use ipsets after RHEL6, there must be some improvements
>
> RHEL6 is a long time ago
> AFAIK you needed redirection instead of -file to begin with
>
> > but I doubt that it will be as useful as pf is.
>
> jesus christ......
>
> and even if PF has some advantages nobody will switch to openbsd because of that and if it's only because there is no systemd, initscripts are crap
>
> > On Sat, Dec 26, 2020 at 12:46 PM Reindl Harald <h.r...@th...> wrote:
> >
> > > On 26.12.20 at 10:11, jin&hitman&Barracuda wrote:
> > > > Hi,
> > > >
> > > > I've used fail2ban for a bunch of smtp servers and it didn't go well. But there is another project (crowdsec) and I guess that it is worth mentioning here. The project has many features which fail2ban doesn't have. I haven't tried it yet but I will soon. Maybe you'd like to look at it.
> > > >
> > > > Crowdsec: A Fail2Ban alternative written in Go - https://github.com/crowdsecurity/crowdsec
> > > >
> > > > By the way, while I was using fail2ban, I had a script (which I wrote) to add/remove ip addresses to the openbsd firewall which is a lot easier than iptables.
> > >
> > > you don't write iptables rules for each and every address
> > >
> > > https://ipset.netfilter.org/ is your friend
> > > https://ipset.netfilter.org/ipset.man.html
> > >
> > > * you have *one* iptables rule with the ipset match
> > > * one command adds or removes an ip to the set
> > > * it's dramatically faster -> hash-table
> > > * you can block millions of ips without performance drop
> > >
> > > > On Sat, Dec 26, 2020, 11:37 Jeffery Wilkins <djc...@gm...> wrote:
> > > >
> > > > > I'm looking for some people who host http servers (apache/nginx) and who are familiar with mod_security and iptables firewalls.
> > > > > The setup that I am after is: if an IP address hits my website and does a typical vuln scan, my web server sends them back no response and they silently get added to an iptables ipset blacklist that lasts for 1 week.
> > > > > I already have mod_security (OWASP RULES) on my apache 2 server at (192.168.2.10) and a pfsense style firewall at (192.168.2.1), kind of like a web server honeypot if you will.
> > > > > My current setup is already pretty powerful: if you even send a simple TCP SYN packet to port 21, 22 or even 23 you automatically get added to my router's firewall and dropped for 7 days for both in and outbound.
> > > > > Forgive me for asking a lot, but I really want to buckle down on these stupid automated vuln scanners and keep them off my network.
> > > > > I have already looked into things like fail2ban but that only protects the webserver itself and does not integrate with my router's firewall at all, protecting the network as a whole.
> > >
> > > _______________________________________________
> > > mod-security-users mailing list
> > > mod...@li...
> > > https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> > > http://www.modsecurity.org/projects/commercial/rules/
> > > http://www.modsecurity.org/projects/commercial/support/
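The file format that the thread argues about (an `ipset restore` file with a `create` stanza followed by `add SET ENTRY` lines, built from a plain one-address-per-line list) as an added example; this is not code from any poster in the thread. It assumes a `hash:net` set named BLOCKED_IPV4 as in Reindl's listing, the 7-day ban from the original question, and constructed sample addresses from the RFC 5737 documentation ranges.

```shell
#!/bin/sh
# Added example, not from the thread: convert a plain address list (one
# host or CIDR per line, '#' comments allowed) into the "create ... /
# add SET ENTRY" stanza format that `ipset restore` reads. A hash:net set
# takes /32 hosts and networks in the same table, so the list needs no
# splitting. Every entry gets a 7-day timeout (604800 s) so a banned
# scanner drops out of the set on its own, as in the original question.

SET_NAME=BLOCKED_IPV4
BAN_SECONDS=604800   # 7 days, after which the kernel expires the entry

# plain_to_ipset_restore SETNAME < plain.txt  -> restore stanzas on stdout
# Blank lines and comments are skipped; anything that is not digits, dots
# and at most one '/' is reported on stderr and skipped (loose sanity
# check only; ipset itself rejects malformed entries on restore).
plain_to_ipset_restore() {
    setname=$1
    printf 'create %s hash:net family inet hashsize 1024 maxelem 65536 timeout %s\n' \
        "$setname" "$BAN_SECONDS"
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line%%#*}                                  # strip comments
        entry=$(printf '%s' "$entry" | tr -d '[:space:]')  # and whitespace
        [ -z "$entry" ] && continue
        case "$entry" in
            *[!0-9./]*|*/*/*|.*|*.|/*|*/)
                printf 'skipping invalid entry: %s\n' "$entry" >&2
                continue ;;
        esac
        printf 'add %s %s timeout %s\n' "$setname" "$entry" "$BAN_SECONDS"
    done
}

# Constructed sample list: a /32 host, a network, a comment and a bad line.
SAMPLE_LIST='# scanners flagged by mod_security
198.51.100.7
192.0.2.0/24   # whole range kept probing
not-an-address
'

# Stand-alone run: print the restore file. Loading it and adding the single
# iptables rule that matches the whole set needs root and is not run here:
#   ipset -exist restore < blocked.restore
#   iptables -I INPUT -m set --match-set BLOCKED_IPV4 src -j DROP
# Later bans are one command each and inherit the set's default timeout:
#   ipset add BLOCKED_IPV4 203.0.113.9
printf '%s\n' "$SAMPLE_LIST" | plain_to_ipset_restore "$SET_NAME"
```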