Re: [mod-security-users] apache 2 mod_security iptables
From: Reindl H. <h.r...@th...> - 2020-12-26 17:05:45
On 26.12.20 at 17:56 jin&hitman&Barracuda wrote:
> Sorry for the html mails but there is no chance to replace.
>
> In the first mail 'djc...@gm...' mentioned that he/she needs a
> solution for pfsense. You didn't read it, did you? (Please don't
> answer, it's obvious)

that's why "iptables" is part of the subject?
"pfsense style firewall" - you mentioned the "style"?

> I never wanted to be the guy who has to argue with a Linux fanatic
> who thinks systemd is a salvation. Nope, never and ever and God my
> witness. God, I beg you not to push me that hard, don't let me be that
> guy.

disclaimer: this is a BSD guy and the subject is misleading:
https://www.youtube.com/watch?v=o_AIw9bGogo

> By the way, it must be a miracle to have a dc fw that has 51 records.
> Glorious...

idiot

that's one out of 25 ipsets, the manual blocklist

IPSET - OVERVIEW
970 BLOCKED_FEED_IPV4                hash:net
208 BLOCKED_DYNAMIC_PORTSCAN_IPV4    hash:ip timeout:45
161 PORTS_RESTRICTED                 bitmap:port
131 OUTBOUND_BLOCKED_PORTS           bitmap:port
 69 PORTSCAN_PORTS                   bitmap:port
 63 HONEYPOT_PORTS                   bitmap:port
 51 BLOCKED_IPV4                     hash:net
 18 INFRASTRUCTURE_IPV4              hash:net
 18 HONEYPOT_IPS_IPV4                hash:net
 13 IANA_RESERVED_IPV4               hash:net
 13 ADMIN_CLIENTS_IPV4               hash:net
 11 OUTBOUND_BLOCKED_SRC_IPV4        hash:net
 11 LAN_VPN_FORWARDING_IPV4          hash:net
  8 EXCLUDES_IPV4                    hash:net
  7 PORTS_MAIL                       bitmap:port
  5 RESTRICTED_IPV4                  hash:net
  5 IPERF_IPV4                       hash:net
  4 RBL_SYNC_IPV4                    hash:net
  4 JABBER_IPV4                      hash:net
  4 BAYES_SYNC_IPV4                  hash:net
  3 BLOCKED_MERGED_IPV4              list:set
  2 DNS_PORTS                        bitmap:port
  1 BLOCKED_DYNAMIC_MAIL_IPV4        hash:ip timeout:60
----------------------- RULES -----------------------
264 IPV4 total
206 IPV4 filter
 32 IPV4 mangle
 18 IPV4 raw
  8 IPV4 nat
----------------------- CHAINS -----------------------
 65 IPV4 total
 53 IPV4 filter
  9 IPV4 mangle
  2 IPV4 raw
  1 IPV4 nat

> I should have to thank you because you entertained me well. All of them
> are just a joke but you know that you started this.

as said: you are an idiot

> On Sat, Dec 26, 2020, 18:20 Reindl Harald <h.r...@th...> wrote:
>
> first: may I ask you why you respond with html to plaintext mails?
>
> On 26.12.20 at 16:00 jin&hitman&Barracuda wrote:
> > Hi,
> >
> > I'm not here to argue about iptables (or ipsets) and I did not say that
> > every and each address needs an iptables rule. I just said, a lot easier
> > than *iptables*. At the time ipsets were introduced, there were some
> > design flaws like:
> >
> > - ipsets did not support loading host (/32) addresses and networks into
> > a single table. They needed to be loaded as separate tables
>
> not true! "Type: hash:net" has no problem with /32
>
> if you use "hash:ip" but want to mix: a fool with a tool is still a fool
>
> --------------------------
> real-world ipset from a datacenter firewall
>
> Name: BLOCKED_IPV4
> Type: hash:net
> Header: family inet hashsize 1024 maxelem 512
> Size in memory: 3520
> Number of entries: 51
>
> Members:
> 3.112.171.163
> 18.130.64.226
> 31.28.163.0/24
> 31.28.170.0/24
> --------------------------
>
> > - under the same conditions and same hardware, ipsets needed more time
> > to load/reload sets/tables than pf
>
> how often do you reboot?
>
> > - When you need to use a file to load a sample of addresses, you need
> > to specifically design that file because ipset doesn't support loading
> > a list of addresses from a simple text file. Each and every line should
> > start with the "add" keyword and should continue with "<ipset_name>"
> > and "ip address". Also you have to add the ipset create stanza at the
> > very beginning of that file. On the contrary, pf can load addresses
> > from a simple file and yet there is no need to add anything to that
> > file or divide the address list into host addresses and network
> > addresses.
>
> hell, that's what save/restore is for
>
> a) ipset -file /etc/sysconfig/ipset restore
>    one time at reboot before restore iptables/iptables-nft
> b) ipset -file /etc/sysconfig/ipset save
>    each time you made changes which should survive a reboot
>
> and when you want to load from a textfile you just loop through the
> textfile and do "ipset add IPSET_NAME VALUE" which is a 1-liner if
> you want
>
> > I did not use ipsets after rhel6, there must be some improvements
>
> RHEL6 is a long time ago
> AFAIK you needed redirection instead of -file to begin with
>
> > but I doubt that it will be as useful as pf is.
>
> jesus christ......
>
> and even if PF has some advantages nobody will switch to openbsd because
> of that and if it's only because there is no systemd, initscripts
> are crap
>
> > On Sat, Dec 26, 2020 at 12:46 PM Reindl Harald <h.r...@th...> wrote:
> >
> > > On 26.12.20 at 10:11 jin&hitman&Barracuda wrote:
> > > > Hi,
> > > >
> > > > I've used fail2ban for a bunch of smtp servers and it didn't go
> > > > well. But there is another project (crowdsec) and I guess that it
> > > > is worth mentioning here. The project has many features which
> > > > fail2ban doesn't have. I haven't tried it yet but I will soon.
> > > > Maybe you'd like to look at it.
> > > >
> > > > Crowdsec: A Fail2Ban alternative written in Go -
> > > > https://github.com/crowdsecurity/crowdsec
> > > >
> > > > By the way, while I was using fail2ban, I had a script (which I
> > > > wrote) to add/remove ip addresses to the openbsd firewall which is
> > > > a lot easier than iptables.
> > >
> > > you don't write iptables rules for each and every address
> > >
> > > https://ipset.netfilter.org/ is your friend
> > > https://ipset.netfilter.org/ipset.man.html
> > >
> > > * you have *one* iptables rule with the ipset match
> > > * one command adds or removes an ip to the set
> > > * it's dramatically faster -> hash-table
> > > * you can block millions of ips without performance drop
> > >
> > > > On Sat, Dec 26, 2020, 11:37 Jeffery Wilkins <djc...@gm...> wrote:
> > > >
> > > > > I'm looking for some people who host http servers (apache/nginx)
> > > > > and who are familiar with mod_security and iptables firewalls
> > > > > the setup that I am after is if an IP address hits my website and
> > > > > does a typical vuln scan my web server sends them back no
> > > > > response and they silently get added to an iptables ipset
> > > > > blacklist that lasts for 1 week
> > > > > I already have mod_security (OWASP RULES) on my apache 2 server
> > > > > at (192.168.2.10) and a pfsense style firewall at (192.168.2.1)
> > > > > kind of like a web server honeypot if you will
> > > > > my current setup is already pretty powerful if you even send a
> > > > > simple TCP SYN packet to port 21,22 or even 23 you automatically
> > > > > get added to my router's firewall and dropped for 7 days for both
> > > > > in and outbound
> > > > > forgive me for asking a lot but I really want to buckle down on
> > > > > these stupid automated vuln scanners and keep them off my network
> > > > > I have already looked into things like fail2ban but that only
> > > > > protects the webserver itself and does not integrate with my
> > > > > router's firewall at all protecting the network as a whole
> > > > >
> > > > > _______________________________________________
> > > > > mod-security-users mailing list
> > > > > mod...@li...
> > > > > https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > > > > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> > > > > http://www.modsecurity.org/projects/commercial/rules/
> > > > > http://www.modsecurity.org/projects/commercial/support/
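The point argued in the thread, that a plain address list with hosts and networks mixed can feed a single hash:net ipset through the restore format, as an added example that is not part of any post in the thread. The set name, file paths and sample addresses are assumptions; the script only generates the restore input, the final pipe into ipset is shown as a comment.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: turn a plain text
# blocklist into "ipset restore" input. One hash:net set takes both /32
# hosts and networks, so the list needs no splitting. Set name and
# paths are assumptions.

# Emit a restore stanza for SET_NAME from LIST_FILE.
# LIST_FILE: one IPv4 address or CIDR per line; '#' comments and blank
# lines are ignored; bare addresses stay as-is (hash:net treats them
# as /32).
ipset_restore_stanza() {
    set_name=$1
    list_file=$2
    # -exist makes the stanza idempotent: neither an existing set nor
    # an entry already present makes "ipset restore" fail.
    printf 'create %s hash:net family inet hashsize 1024 maxelem 65536 -exist\n' "$set_name"
    # Strip comments and surrounding whitespace, keep only IPv4[/prefix]
    # tokens, drop duplicates, then prefix each with "add <set>".
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$list_file" \
        | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$' \
        | sort -u \
        | while IFS= read -r entry; do
            printf 'add %s %s -exist\n' "$set_name" "$entry"
        done
}

# Constructed sample list mixing hosts and networks (documentation
# prefixes, values made up for the example).
write_sample_list() {
    cat > "$1" <<'EOF'
# blocklist: hosts and networks in the same file
203.0.113.7
198.51.100.0/24
203.0.113.7          # duplicate, dropped by sort -u
192.0.2.128/25
not-an-address
EOF
}

# Usage on a real box (root and the ipset binary required):
#   ipset_restore_stanza BLOCKED_IPV4 /etc/blocklist.txt | ipset restore
# and a single iptables rule then matches the whole set:
#   iptables -I INPUT -m set --match-set BLOCKED_IPV4 src -j DROP
```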