Re: [mod-security-users] ModSec / CRS: Use of GeoIP & ASN information
From: Christian F. <chr...@ne...> - 2022-10-19 07:25:25
Hey Joel,

On Wed, Oct 19, 2022 at 11:50:45AM +1030, Joel Williams wrote:
> Thanks Christian! I enjoyed the article.

Thank you very much. One gets very little feedback for technical blog posts. So this is very much appreciated.

> I agree that ASN is underrated - I get a lot of scans from well-known and
> generally reputable cloud providers which operate in multiple countries, and
> blocking these providers seems like a much safer way to avoid false
> positives than doing it by country. However there is still a risk that
> people are using personal VPSes to run proxies or have good reasons to use
> services like Tor. While this is probably not a very significant proportion
> of people I’m reluctant to block access to customer sites outright with no
> recourse for these users. On the other hand, blocking access by these ASNs
> to specific resources like the WordPress wp-login.php page would probably be
> OK.

I do not block by ASN and I do not recommend doing it. Yet I skip some of them when doing false positive analysis. Meaning, it's OK to use DigitalOcean as your personal VPN provider, but when you hit a false positive on my website, chances are I won't react to it without a call.

Maybe I'll follow up with a blog post on mean anomaly scores per ASN on the netnea website. It's staggering how 2-3 ASNs are really topping.

Mean incoming anomaly score across the entire log: 0.13
US ASN 53667: PONYNET: Mean anomaly score of 3!

What is also interesting - but bumps into the same TOR / VPN problem - is to check User-Agents against ASNs. So you're pretending to be a Mozilla (=any Browser), yet you live on a server ASN ...

> One idea I’m toying with is creating an interstitial page similar to
> Cloudflare’s “Checking your browser..” page. For ASNs which are problematic
> it would be a bit safer to force someone to perform a hCaptcha or something
> check before they can get through to the intended site and set a cookie. I
> think this might be possible but a little bit difficult to create entirely
> using mod_security though, so I’m thinking about writing a new (and
> relatively simple) Apache module. I’d love to hear if someone has already
> done this!

Ah, the sweet promises of anti-automation. :)

I'm sure this has been done, but I have not seen a public description of how to pull it off with open source tools. Yet I do not think it would be very complicated with ModSec.

Pseudo-Code:

* ModSec Rule: if suspicious ASN and no cookie: redirect to Captcha
* Captcha Page: if successful captcha: set cookie

Suspicious ASNs in separate file (-> @pmFromFile).

I guess that's all. Now that I think about it, it sounds as if it would make for a lovely blog post.

This presentation here has more ideas that could be harvested and implemented in ModSecurity:
https://www.youtube.com/watch?v=XKkyvO2rQ-E
(Don't let the title fool you, a lot of it is about anti-automation. And it's a great talk btw)

All together this could make an interesting anti-automation CRS plugin.

Best!

Christian

> Joel
>
> > On 19 Oct 2022, at 12:04 am, Christian Folini <chr...@ne...> wrote:
> >
> > Hi there,
> >
> > During the years, I have found the use of GeoIP (& ASN) information in
> > #ModSecurity / @CoreRuleSet very useful. Yet very few people do this for
> > GeoIP and practically nobody for ASN.
> >
> > It really helps to weed out false positives or defend in case of certain
> > persistent attacks.
> >
> > Since good documentation on the subject is scarce, here is how to get this
> > into your setup:
> >
> > https://www.netnea.com/cms/2022/10/12/using-geoip-information-together-with-modsecurity/
> > (Also covered in my 2nd webcast last week:
> > https://www.youtube.com/watch?v=OBVwdqEFmX0)
> >
> > I have also covered this in my 2nd ModSec / CRS webcast last week (plus
> > some additional interesting stuff):
> > https://www.youtube.com/watch?v=OBVwdqEFmX0
> >
> > Best,
> >
> > Christian
> >
> > --
> > Ultimately, motivation gets us started, but discipline and habit are
> > what enable us to finish. -- Matthew Helmke
> >
> > _______________________________________________
> > mod-security-users mailing list
> > mod...@li...
> > https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> > http://www.modsecurity.org/projects/commercial/rules/
> > http://www.modsecurity.org/projects/commercial/support/
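The pseudo-code in the message above (suspicious ASN + no cookie -> redirect to captcha, ASN list via @pmFromFile), worked out as ModSecurity v2 rules. This is an added example, not code from the thread or from the netnea article. It assumes mod_maxminddb exposes the client's ASN in the environment variable MM_ASN (directive syntax as in its documentation), that the captcha handler is served under /captcha/ and sets a cookie named captcha_ok on success, a constructed data file suspicious-asns.data, and placeholder rule ids 9901001-9901003.

```apache
# Assumption: mod_maxminddb publishes the ASN of REMOTE_ADDR as env var MM_ASN.
# The variable stays unset when the address is not in the database.
MaxMindDBEnable On
MaxMindDBFile ASN_DB /usr/share/GeoIP/GeoLite2-ASN.mmdb
MaxMindDBEnv MM_ASN ASN_DB/autonomous_system_number

# suspicious-asns.data (constructed, next to this config), one entry per line:
#   AS53667:
#   AS14061:
# @pmFromFile is a substring match, so entries are wrapped in "AS" and ":" to
# keep AS1234 from also matching AS51234.

# Phase 2 is used on purpose: ModSecurity's phase 1 runs before most other
# modules have set their environment variables, so ENV:MM_ASN may be empty there.

# 1. Copy the ASN into TX in the wrapped form used by the data file.
SecRule ENV:MM_ASN "!@rx ^$" \
    "id:9901001,phase:2,pass,nolog,t:none,\
    setvar:'tx.asn=AS%{ENV.MM_ASN}:'"

# 2. Mark the transaction if the ASN is on the list.
SecRule TX:asn "@pmFromFile suspicious-asns.data" \
    "id:9901002,phase:2,pass,nolog,t:none,\
    setvar:'tx.suspicious_asn=1'"

# 3. Suspicious ASN, not already on the captcha page, and no captcha cookie:
#    redirect. The redirect fires only when every rule in the chain matches;
#    the /captcha/ exemption prevents a redirect loop.
#    The cookie test is the presence check the pseudo-code asks for. The captcha
#    handler should issue a value it can verify itself (signed, or stored
#    server-side), because the cookie name alone is not a secret.
SecRule TX:suspicious_asn "@eq 1" \
    "id:9901003,phase:2,redirect:/captcha/,status:302,log,\
    msg:'Suspicious ASN %{TX.asn} without captcha cookie, redirecting',\
    chain"
    SecRule REQUEST_URI "!@beginsWith /captcha/" "t:none,chain"
        SecRule &REQUEST_COOKIES:captcha_ok "@eq 0" "t:none"
```

Entries in suspicious-asns.data can be derived from the per-ASN anomaly score analysis the message mentions; the `log` action on rule 9901003 records each redirect so the list can be reviewed against false positives.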