Thread: [mod-security-users] Is possible to block mac addresses with modsec?
From: Sergio <se...@gm...> - 2010-09-18 04:29:39
Hi all,
sorry if this has been asked before.

Is there a rule or command that could be used to check and block MAC addresses that could be in a black list?

Regards,

--
Sergio Cabrera
From: Ryan B. <RBa...@tr...> - 2010-09-18 12:53:54
Do you mean IP addresses? MACs are only available on LANs. If you want to check a remote blacklist and block IPs then use the @rbl operator. Check out this recent blog post --

http://blog.modsecurity.org/2010/09/advanced-topic-of-the-week-real-time-blacklist-lookups.html

Sent from my iPhone

On Sep 18, 2010, at 12:32 AM, Sergio <se...@gm...> wrote:
From: Sergio <se...@gm...> - 2010-09-18 15:13:56
Thank you Ryan, actually I already have my own @rbl, but I was looking for something that could block mac addresses because spoofed IPs always use the same mac.

See an excerpt of the firewall log, the SRC IP changes but the MAC is the same. The DST IP has been masked for security reasons but the real one is not a LAN IP:

Sep 18 03:19:29 server: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=aa:00:ad:5f:07:01:00:1d:71:99:63:40:08:00 SRC=209.212.145.25 DST=192.168.0.26 LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=256 DF PROTO=TCP SPT=12200 DPT=27977 WINDOW=8192 RES=0x00 SYN URGP=0
Sep 18 03:31:56 server: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=aa:00:ad:5f:07:01:00:1d:71:99:63:40:08:00 SRC=109.162.130.71 DST=192.168.0.26 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=18792 DF PROTO=TCP SPT=3343 DPT=23 WINDOW=5808 RES=0x00 SYN URGP=0
Sep 18 03:38:58 server: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=aa:00:ad:5f:07:01:00:1d:71:99:63:40:08:00 SRC=60.2.63.226 DST=192.168.0.27 LEN=435 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=UDP SPT=5065 DPT=5060 LEN=415
Sep 18 03:47:50 server: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=aa:00:ad:5f:07:01:00:1d:71:99:63:40:08:00 SRC=219.149.194.245 DST=192.168.0.26 LEN=404 TOS=0x00 PREC=0x00 TTL=31 ID=17433 PROTO=UDP SPT=1060 DPT=1434 LEN=384

Could this be done?

Best Regards,

--
Sergio Cabrera

On Sat, Sep 18, 2010 at 6:53 AM, Ryan Barnett <RBa...@tr...> wrote:
From: Michael S. <mi...@go...> - 2010-09-18 16:05:06
You can't tell if an ip is spoofed from its mac except on your local segment. Because of that, you don't want to block the source mac address unless the attack is from a system on your local network segment. If you block hosts outside your local segment by mac address you'll block your upstream router because all of those hosts will have your gateway's mac address.

That's because MAC addresses work on your local physical network segment, they are not addresses like IP addresses are: they don't route. You can't "see" the actual mac address of anything outside your physical segment. The mac address of anything outside your segment will be your gateway (router, firewall, etc.). The mac is used to get the packet to the right physical interface on your segment. Once it's onto the next segment that changes to reflect that segment and so on.

Michael T. Shinn
KeyID:0xDAE2EC86
Key Fingerprint: 1884 E657 A6DF DF1B BFB9 E2C5 DCC6 5297 DAE2 EC86
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xDAE2EC86
SANS Advisory Board Member

Got Root? http://www.gotroot.com
modsecurity rules: http://www.modsecurityrules.com
Troubleshooting Firewalls: http://troubleshootingfirewalls.com

-----Original Message-----
From: Sergio <se...@gm...>
Date: Sat, 18 Sep 2010 09:13:49
To: Ryan Barnett<RBa...@tr...>
Cc: mod...@li...<mod...@li...>
Subject: Re: [mod-security-users] Is possible to block mac addresses with modsec?
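Michael's point above, illustrated with an added example that is not part of the thread (a Python script written here, not any list member's code): it parses the four firewall lines Sergio quoted, splits the netfilter MAC= field into destination MAC, source MAC and EtherType, and shows that every distinct remote SRC IP arrives behind one and the same source MAC, which is therefore the gateway rather than a host you could usefully block.

```python
import re
from collections import defaultdict

# Constructed sample: the four firewall lines quoted in the thread, trimmed to the
# fields used here (the poster had already masked DST to a private address).
SAMPLE_LOG = """\
Sep 18 03:19:29 server: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=aa:00:ad:5f:07:01:00:1d:71:99:63:40:08:00 SRC=209.212.145.25 DST=192.168.0.26 PROTO=TCP SPT=12200 DPT=27977
Sep 18 03:31:56 server: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=aa:00:ad:5f:07:01:00:1d:71:99:63:40:08:00 SRC=109.162.130.71 DST=192.168.0.26 PROTO=TCP SPT=3343 DPT=23
Sep 18 03:38:58 server: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=aa:00:ad:5f:07:01:00:1d:71:99:63:40:08:00 SRC=60.2.63.226 DST=192.168.0.27 PROTO=UDP SPT=5065 DPT=5060
Sep 18 03:47:50 server: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=aa:00:ad:5f:07:01:00:1d:71:99:63:40:08:00 SRC=219.149.194.245 DST=192.168.0.26 PROTO=UDP SPT=1060 DPT=1434
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Split a netfilter LOG line into KEY=VALUE fields and decode MAC=.
    The MAC= value is the raw 14-byte Ethernet header: destination MAC
    (the logging host's own NIC), source MAC (the last hop that put the
    frame on this segment), then the 2-byte EtherType (08:00 = IPv4)."""
    fields = dict(FIELD_RE.findall(line))
    octets = fields.get("MAC", "").split(":")
    if len(octets) == 14:
        fields["DST_MAC"] = ":".join(octets[0:6])
        fields["SRC_MAC"] = ":".join(octets[6:12])
        fields["ETHERTYPE"] = "".join(octets[12:14])
    return fields


def ips_per_source_mac(log_text):
    """Map each Ethernet source MAC to the set of IP sources seen behind it."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_line(line)
        if "SRC_MAC" in f and "SRC" in f:
            seen[f["SRC_MAC"]].add(f["SRC"])
    return dict(seen)


def classify(seen, min_ips=2):
    """One source MAC fronting several unrelated public IPs is the upstream
    gateway, not an attacker; blocking it would drop every packet that
    arrives through that router."""
    return {mac: ("gateway (do not block)" if len(ips) >= min_ips else "single host")
            for mac, ips in seen.items()}


if __name__ == "__main__":
    for mac, ips in ips_per_source_mac(SAMPLE_LOG).items():
        print(mac, sorted(ips), classify({mac: ips})[mac])
```

The same grouping applied to a LAN host's frames would show one SRC IP per source MAC, which is the only case where a MAC-based block makes sense.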
From: Sergio <se...@gm...> - 2010-09-18 17:09:01
Thanks a lot Mike for your kind explanation.

Best Regards,

Sergio Cabrera

On Sat, Sep 18, 2010 at 10:04 AM, Michael Shinn <mi...@go...> wrote:
From: Michael S. <mi...@go...> - 2010-09-19 01:18:32
My pleasure, didn't want you to shun your router! :-)

On Sat, 2010-09-18 at 11:08 -0600, Sergio wrote:

_______________________________________________
mod-security-users mailing list
mod...@li...
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Appliances, Rule Sets and Support:
http://www.modsecurity.org/breach/index.html