From: Christian F. <chr...@ne...> - 2022-10-18 13:34:38

Hi there,

During the years, I have found the use of GeoIP (& ASN) information in #ModSecurity / @CoreRuleSet very useful. Yet very few people do this for GeoIP and practically nobody for ASN.

It really helps to weed out false positives or defend in case of certain persistent attacks.

Since good documentation on the subject is scarce, here is how to get this into your setup:

https://www.netnea.com/cms/2022/10/12/using-geoip-information-together-with-modsecurity/
(Also covered in my 2nd webcast last week: https://www.youtube.com/watch?v=OBVwdqEFmX0)

I have also covered this in my 2nd ModSec / CRS webcast last week (plus some additional interesting stuff): https://www.youtube.com/watch?v=OBVwdqEFmX0

Best,

Christian

--
Ultimately, motivation gets us started,
but discipline and habit are what enable us to finish.
-- Matthew Helmke
From: Joel W. <jo...@jo...> - 2022-10-19 01:38:02

Thanks Christian! I enjoyed the article.

I agree that ASN is underrated - I get a lot of scans from well-known and generally reputable cloud providers which operate in multiple countries, and blocking these providers seems like a much safer way to avoid false positives than doing it by country. However there is still a risk that people are using personal VPSes to run proxies or have good reasons to use services like Tor. While this is probably not a very significant proportion of people, I’m reluctant to block access to customer sites outright with no recourse for these users. On the other hand, blocking access by these ASNs to specific resources like the WordPress wp-login.php page would probably be OK.

One idea I’m toying with is creating an interstitial page similar to Cloudflare’s “Checking your browser...” page. For ASNs which are problematic it would be a bit safer to force someone to perform an hCaptcha or similar check before they can get through to the intended site and set a cookie. I think this might be possible but a little bit difficult to create entirely using mod_security though, so I’m thinking about writing a new (and relatively simple) Apache module. I’d love to hear if someone has already done this!

Joel

> On 19 Oct 2022, at 12:04 am, Christian Folini <chr...@ne...> wrote:
> [quoted original message trimmed; see above]

_______________________________________________
mod-security-users mailing list
mod...@li...
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/
From: Christian F. <chr...@ne...> - 2022-10-19 07:25:25

Hey Joel,

On Wed, Oct 19, 2022 at 11:50:45AM +1030, Joel Williams wrote:
> Thanks Christian! I enjoyed the article.

Thank you very much. One gets very little feedback for technical blog posts. So this is very much appreciated.

> I agree that ASN is underrated - I get a lot of scans from well-known and
> generally reputable cloud providers which operate in multiple countries, and
> blocking these providers seems like a much safer way to avoid false
> positives than doing it by country. However there is still a risk that
> people are using personal VPSes to run proxies or have good reasons to use
> services like Tor. While this is probably not a very significant proportion
> of people I’m reluctant to block access to customer sites outright with no
> recourse for these users. On the other hand, blocking access by these ASNs
> to specific resources like the WordPress wp-login.php page would probably be
> OK.

I do not block by ASN and I do not recommend doing it. Yet I skip some of them when doing false positive analysis. Meaning, it's OK to use DigitalOcean as your personal VPN provider, but when you hit a false positive on my website, chances are I won't react to it without a call.

Maybe I'll follow up with a blog post on mean anomaly scores per ASN on the netnea website. It's staggering how 2-3 ASNs are really topping.

Mean incoming anomaly score across the entire log: 0.13
US ASN 53667: PONYNET: Mean anomaly score of 3!

What is also interesting - but bumps into the same TOR / VPN problem - is to check User-Agents against ASNs. So you're pretending to be a Mozilla (=any Browser), yet you live on a server ASN ...

> One idea I’m toying with is creating an interstitial page similar to
> Cloudflare’s “Checking your browser..” page. For ASNs which are problematic
> it would be a bit safer to force someone to perform a hCaptcha or something
> check before they can get through to the intended site and set a cookie. I
> think this might be possible but a little bit difficult to create entirely
> using mod_security though, so I’m thinking about writing a new (and
> relatively simple) Apache module. I’d love to hear if someone has already
> done this!

Ah, the sweet promises of anti-automation. :)

I'm sure this has been done, but I have not seen a public description of how to pull it off with open source tools. Yet I do not think it would be very complicated with ModSec.

Pseudo-Code:

* ModSec Rule: if suspicious ASN and no cookie: redirect to Captcha
* Captcha Page: if successful captcha: set cookie

Suspicious ASNs in separate file (-> @pmFromFile).

I guess that's all.

Now that I think about it, it sounds as if it would make for a lovely blog post.

This presentation here has more ideas that could be harvested and implemented in ModSecurity: https://www.youtube.com/watch?v=XKkyvO2rQ-E (Don't let the title fool you, a lot of it is about anti-automation. And it's a great talk btw)

All together this could make an interesting anti-automation CRS plugin.

Best!

Christian
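The pseudo-code in the message above, spelled out as ModSecurity 2.x rules for Apache. This is an added example, not code from the thread, the netnea article or the CRS. It assumes that the client's ASN has already been placed in the Apache environment variable MM_ASN by a module such as mod_maxminddb, that the suspicious ASNs are listed in /etc/modsecurity/suspicious-asns.data, and that the CAPTCHA page served under /captcha/ sets a cookie named asn_verified on success; the variable name, file path, URL, cookie name and the rule ids 10100-10101 are all assumptions.

```apache
# Added example (not from the thread or the CRS): ASN-gated CAPTCHA interstitial.
# Assumptions: MM_ASN holds the client's ASN (set e.g. by mod_maxminddb);
# /etc/modsecurity/suspicious-asns.data lists one ASN per line wrapped in pipes,
# e.g. "|53667|"; the CAPTCHA page under /captcha/ sets the cookie asn_verified.
# Rule ids 10100-10101 are placeholders from the local range.
#
# phase:2 is used because environment variables set by other Apache modules are
# generally not yet visible to ModSecurity in phase 1.

# Build a delimited lookup key. @pmFromFile is a substring match, so comparing
# the bare ASN "53667" against a file containing "3667" would match; the key
# "|53667|" only matches the entry "|53667|".
SecRule ENV:MM_ASN "@rx ^[0-9]+$" \
    "id:10100,phase:2,pass,nolog,t:none,setvar:'tx.asn_key=|%{ENV.MM_ASN}|'"

# Not on the CAPTCHA page + no verification cookie + suspicious ASN
# -> 302 to the CAPTCHA. All three conditions form one chain; the disruptive
# action, status and log message belong on the first rule of the chain.
SecRule REQUEST_URI "!@beginsWith /captcha/" \
    "id:10101,phase:2,redirect:/captcha/,status:302,log,t:none,\
    msg:'Suspicious ASN %{ENV.MM_ASN} without CAPTCHA cookie',chain"
    SecRule &REQUEST_COOKIES:asn_verified "@eq 0" "t:none,chain"
        SecRule TX:ASN_KEY "@pmFromFile /etc/modsecurity/suspicious-asns.data" "t:none"
```

Two points worth keeping in mind when deploying something like this: the exclusion for /captcha/ must come first in the chain, otherwise the redirect loops and nobody from a listed ASN ever gets through; and the cookie is only as strong as its contents, so the CAPTCHA page should issue a signed, expiring token (for example an HMAC over a timestamp) and the rule set should be extended to validate it, rather than accepting the bare presence of a cookie named asn_verified.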
From: <az...@po...> - 2022-10-20 13:45:20

Hi!

> One idea I’m toying with is creating an interstitial page similar to
> Cloudflare’s “Checking your browser..” page. For ASNs which are
> problematic it would be a bit safer to force someone to perform a
> hCaptcha or something check before they can get through to the
> intended site and set a cookie. I think this might be possible but a
> little bit difficult to create entirely using mod_security though,
> so I’m thinking about writing a new (and relatively simple) Apache
> module. I’d love to hear if someone has already done this!

My ModSecurity reCAPTCHA library may help you with this, check it out (needs Lua support in ModSec):
https://github.com/azurit/modsecurity-recaptcha

azurit
From: Christian F. <chr...@ne...> - 2022-10-20 13:49:51

Ah, sweet. Had forgotten about this. Thanks azurit!

On Thu, Oct 20, 2022 at 03:27:22PM +0200, az...@po... wrote:
> My ModSecurity reCAPTCHA library may help you with this, check it out (needs
> Lua support in ModSec):
> https://github.com/azurit/modsecurity-recaptcha