From: Jeffery W. <djc...@gm...> - 2020-12-26 08:33:38
I'm looking for some people who host HTTP servers (Apache/nginx) and who are familiar with mod_security and iptables firewalls.

The setup that I am after is: if an IP address hits my website and does a typical vuln scan, my web server sends them back no response and they silently get added to an iptables ipset blacklist that lasts for 1 week. I already have mod_security (OWASP rules) on my Apache 2 server at (192.168.2.10) and a pfSense-style firewall at (192.168.2.1). Kind of like a web server honeypot, if you will.

My current setup is already pretty powerful: if you even send a simple TCP SYN packet to port 21, 22 or even 23 you automatically get added to my router's firewall and dropped for 7 days, for both inbound and outbound.

Forgive me for asking a lot, but I really want to buckle down on these stupid automated vuln scanners and keep them off my network. I have already looked into things like fail2ban, but that only protects the webserver itself and does not integrate with my router's firewall at all, protecting the network as a whole.
From: Reindl H. <h.r...@th...> - 2020-12-26 08:59:41
On 26.12.20 at 10:15, Jeffery Wilkins wrote:
> im looking for some people who host http servers (apache/nginx) and who
> are familiar with mod_security and iptables firewalls
> the setup that I am after is if an IP address hits my website and does a
> typical vuln scan my web server sends them back no response and they
> silently get added to an iptables ipset blacklist that lasts for 1 week
> I already have mod_security (OWASP RULES) on my apache 2 server at
> (192.168.2.10) and a pfsense style firewall at (192.168.2.1)
> kind of like a web server honeypot if you will
> my current setup is already pretty powerful if you even send a simple
> TCP SYN packet to port 21,22 or even 23 you automatically get added to
> my routers firewall and dropped for 7 days for both in and outbound
> forgive me for asking a lot but I really want to buckle down on these
> stupid automated vuln scanners and keep them off my network
> I have already looked into things like fail2ban but that only protects
> the webserver itself and does not integrate with my routers firewall at
> all protecting the network as a whole

You need some log parsing, and do it outside the webserver.

modsec runs inside the webserver, and if it were possible to interact with iptables rules from a webserver process you would have a much larger problem. My httpd can't even access shells, thanks to systemd:

ProtectSystem=strict
ReadWritePaths=-/data/www
ReadWritePaths=-/data/xdebug
ReadWritePaths=-/run/httpd
ReadWritePaths=-/tmp
ReadWritePaths=-/var/log
ReadWritePaths=-/var/www/sessiondata
ReadWritePaths=-/var/www/uploadtemp
InaccessiblePaths=-/etc/anacrontab
InaccessiblePaths=-/etc/cron.allow
InaccessiblePaths=-/etc/cron.deny
InaccessiblePaths=-/etc/crontab
InaccessiblePaths=-/etc/crypttab
InaccessiblePaths=-/etc/fstab
InaccessiblePaths=-/etc/shadow
InaccessiblePaths=-/etc/shadow-
InaccessiblePaths=-/etc/nftables
InaccessiblePaths=-/etc/sysconfig/ip6tables-config
InaccessiblePaths=-/etc/sysconfig/ipset
InaccessiblePaths=-/etc/sysconfig/iptables
InaccessiblePaths=-/etc/sysconfig/iptables-config
InaccessiblePaths=-/etc/sysconfig/nftables.conf
InaccessiblePaths=-/etc/systemd/system/network-up.service
InaccessiblePaths=-/etc/systemd/system/vpn.service
InaccessiblePaths=-/etc/wireguard
InaccessiblePaths=-/usr/libexec/arptables-helper
InaccessiblePaths=-/usr/libexec/arptables-nft-helper
InaccessiblePaths=-/usr/libexec/initscripts
InaccessiblePaths=-/usr/libexec/iptables
InaccessiblePaths=-/usr/libexec/sudo
InaccessiblePaths=-/usr/libexec/udisks2
InaccessiblePaths=-/usr/sbin/arptables
InaccessiblePaths=-/usr/sbin/arptables-nft
InaccessiblePaths=-/usr/sbin/arptables-nft-restore
InaccessiblePaths=-/usr/sbin/arptables-nft-save
InaccessiblePaths=-/usr/sbin/arptables-restore
InaccessiblePaths=-/usr/sbin/arptables-save
InaccessiblePaths=-/usr/sbin/ebtables
InaccessiblePaths=-/usr/sbin/ebtables-nft
InaccessiblePaths=-/usr/sbin/ebtables-nft-restore
InaccessiblePaths=-/usr/sbin/ebtables-nft-save
InaccessiblePaths=-/usr/sbin/ebtables-restore
InaccessiblePaths=-/usr/sbin/ebtables-save
InaccessiblePaths=-/usr/sbin/ip6tables
InaccessiblePaths=-/usr/sbin/ip6tables-nft
InaccessiblePaths=-/usr/sbin/ip6tables-nft-restore
InaccessiblePaths=-/usr/sbin/ip6tables-nft-save
InaccessiblePaths=-/usr/sbin/ip6tables-restore
InaccessiblePaths=-/usr/sbin/ip6tables-restore-translate
InaccessiblePaths=-/usr/sbin/ip6tables-save
InaccessiblePaths=-/usr/sbin/ip6tables-translate
InaccessiblePaths=-/usr/sbin/ipset
InaccessiblePaths=-/usr/sbin/iptables
InaccessiblePaths=-/usr/sbin/iptables-apply
InaccessiblePaths=-/usr/sbin/iptables-nft
InaccessiblePaths=-/usr/sbin/iptables-nft-restore
InaccessiblePaths=-/usr/sbin/iptables-nft-save
InaccessiblePaths=-/usr/sbin/iptables-restore
InaccessiblePaths=-/usr/sbin/iptables-restore-translate
InaccessiblePaths=-/usr/sbin/iptables-save
InaccessiblePaths=-/usr/sbin/iptables-translate
InaccessiblePaths=-/usr/sbin/nfbpf_compile
InaccessiblePaths=-/usr/sbin/nft
InaccessiblePaths=-/usr/sbin/xtables-monitor
InaccessiblePaths=-/usr/sbin/xtables-multi
InaccessiblePaths=-/usr/sbin/xtables-nft-multi
InaccessiblePaths=-/usr/sbin/agetty
InaccessiblePaths=-/usr/sbin/alsactl
InaccessiblePaths=-/usr/sbin/anacron
InaccessiblePaths=-/usr/sbin/apachectl
InaccessiblePaths=-/usr/sbin/arp
InaccessiblePaths=-/usr/sbin/arpd
InaccessiblePaths=-/usr/sbin/arping
InaccessiblePaths=-/usr/sbin/auditctl
InaccessiblePaths=-/usr/sbin/blkdiscard
InaccessiblePaths=-/usr/sbin/brctl
InaccessiblePaths=-/usr/sbin/bridge
InaccessiblePaths=-/usr/sbin/cfdisk
InaccessiblePaths=-/usr/sbin/chkconfig
InaccessiblePaths=-/usr/sbin/consoletype
InaccessiblePaths=-/usr/sbin/crond
InaccessiblePaths=-/usr/sbin/ctstat
InaccessiblePaths=-/usr/sbin/cupsctl
InaccessiblePaths=-/usr/sbin/delpart
InaccessiblePaths=-/usr/sbin/devlink
InaccessiblePaths=-/usr/sbin/efibootdump
InaccessiblePaths=-/usr/sbin/efibootmgr
InaccessiblePaths=-/usr/sbin/ether-wake
InaccessiblePaths=-/usr/sbin/ethtool
InaccessiblePaths=-/usr/sbin/fdformat
InaccessiblePaths=-/usr/sbin/fdisk
InaccessiblePaths=-/usr/sbin/fping
InaccessiblePaths=-/usr/sbin/fsck
InaccessiblePaths=-/usr/sbin/fsfreeze
InaccessiblePaths=-/usr/sbin/fuser
InaccessiblePaths=-/usr/sbin/genhostid
InaccessiblePaths=-/usr/sbin/genl
InaccessiblePaths=-/usr/sbin/groupadd
InaccessiblePaths=-/usr/sbin/grub2-bios-setup
InaccessiblePaths=-/usr/sbin/grub2-install
InaccessiblePaths=-/usr/sbin/grub2-macbless
InaccessiblePaths=-/usr/sbin/grub2-mkconfig
InaccessiblePaths=-/usr/sbin/grub2-reboot
InaccessiblePaths=-/usr/sbin/grub2-rpm-sort
InaccessiblePaths=-/usr/sbin/grub2-switch-to-blscfg
InaccessiblePaths=-/usr/sbin/hwclock
InaccessiblePaths=-/usr/sbin/ifcfg
InaccessiblePaths=-/usr/sbin/ifconfig
InaccessiblePaths=-/usr/sbin/ifdown
InaccessiblePaths=-/usr/sbin/ifstat
InaccessiblePaths=-/usr/sbin/ifup
InaccessiblePaths=-/usr/sbin/insmod
InaccessiblePaths=-/usr/sbin/ip
InaccessiblePaths=-/usr/sbin/ipmaddr
InaccessiblePaths=-/usr/sbin/iptunnel
InaccessiblePaths=-/usr/sbin/lnstat
InaccessiblePaths=-/usr/sbin/logwatch
InaccessiblePaths=-/usr/sbin/lsmod
InaccessiblePaths=-/usr/sbin/lspci
InaccessiblePaths=-/usr/sbin/mii-diag
InaccessiblePaths=-/usr/sbin/mii-tool
InaccessiblePaths=-/usr/sbin/mkfs
InaccessiblePaths=-/usr/sbin/mkfs.btrfs
InaccessiblePaths=-/usr/sbin/mkfs.cramfs
InaccessiblePaths=-/usr/sbin/mkfs.exfat
InaccessiblePaths=-/usr/sbin/mkfs.ext2
InaccessiblePaths=-/usr/sbin/mkfs.ext3
InaccessiblePaths=-/usr/sbin/mkfs.ext4
InaccessiblePaths=-/usr/sbin/mkfs.f2fs
InaccessiblePaths=-/usr/sbin/mkfs.fat
InaccessiblePaths=-/usr/sbin/mkfs.minix
InaccessiblePaths=-/usr/sbin/mkfs.msdos
InaccessiblePaths=-/usr/sbin/mkfs.ntfs
InaccessiblePaths=-/usr/sbin/mkfs.udf
InaccessiblePaths=-/usr/sbin/mkfs.vfat
InaccessiblePaths=-/usr/sbin/mkfs.xfs
InaccessiblePaths=-/usr/sbin/mkswap
InaccessiblePaths=-/usr/sbin/modprobe
InaccessiblePaths=-/usr/sbin/nameif
InaccessiblePaths=-/usr/sbin/netreport
InaccessiblePaths=-/usr/sbin/netscsid
InaccessiblePaths=-/usr/sbin/nstat
InaccessiblePaths=-/usr/sbin/parted
InaccessiblePaths=-/usr/sbin/partprobe
InaccessiblePaths=-/usr/sbin/partx
InaccessiblePaths=-/usr/sbin/pidof
InaccessiblePaths=-/usr/sbin/ping
InaccessiblePaths=-/usr/sbin/ping6
InaccessiblePaths=-/usr/sbin/plipconfig
InaccessiblePaths=-/usr/sbin/poweroff
InaccessiblePaths=-/usr/sbin/rdma
InaccessiblePaths=-/usr/sbin/reboot
InaccessiblePaths=-/usr/sbin/rmmod
InaccessiblePaths=-/usr/sbin/rndc
InaccessiblePaths=-/usr/sbin/rndc-confgen
InaccessiblePaths=-/usr/sbin/route
InaccessiblePaths=-/usr/sbin/routef
InaccessiblePaths=-/usr/sbin/routel
InaccessiblePaths=-/usr/sbin/rsyslogd
InaccessiblePaths=-/usr/sbin/rtacct
InaccessiblePaths=-/usr/sbin/rtkitctl
InaccessiblePaths=-/usr/sbin/rtmon
InaccessiblePaths=-/usr/sbin/rtpr
InaccessiblePaths=-/usr/sbin/rtstat
InaccessiblePaths=-/usr/sbin/runuser
InaccessiblePaths=-/usr/sbin/service
InaccessiblePaths=-/usr/sbin/setcap
InaccessiblePaths=-/usr/sbin/setenforce
InaccessiblePaths=-/usr/sbin/setpci
InaccessiblePaths=-/usr/sbin/setquota
InaccessiblePaths=-/usr/sbin/setsebool
InaccessiblePaths=-/usr/sbin/sfdisk
InaccessiblePaths=-/usr/sbin/slattach
InaccessiblePaths=-/usr/sbin/smartctl
InaccessiblePaths=-/usr/sbin/smbios-battery-ctl
InaccessiblePaths=-/usr/sbin/smbios-keyboard-ctl
InaccessiblePaths=-/usr/sbin/smbios-state-byte-ctl
InaccessiblePaths=-/usr/sbin/smbios-thermal-ctl
InaccessiblePaths=-/usr/sbin/smbios-token-ctl
InaccessiblePaths=-/usr/sbin/smbios-upflag-ctl
InaccessiblePaths=-/usr/sbin/smbios-wakeup-ctl
InaccessiblePaths=-/usr/sbin/smbios-wireless-ctl
InaccessiblePaths=-/usr/sbin/smokeping
InaccessiblePaths=-/usr/sbin/ss
InaccessiblePaths=-/usr/sbin/sshd
InaccessiblePaths=-/usr/sbin/sushell
InaccessiblePaths=-/usr/sbin/swapon
InaccessiblePaths=-/usr/sbin/sysctl
InaccessiblePaths=-/usr/sbin/sys-unconfig
InaccessiblePaths=-/usr/sbin/tipc
InaccessiblePaths=-/usr/sbin/tunctl
InaccessiblePaths=-/usr/sbin/unhide
InaccessiblePaths=-/usr/sbin/unhide_rb
InaccessiblePaths=-/usr/sbin/unhide-tcp
InaccessiblePaths=-/usr/sbin/useradd
InaccessiblePaths=-/usr/sbin/usermod
InaccessiblePaths=-/usr/sbin/usernetctl
InaccessiblePaths=-/usr/sbin/wipefs
InaccessiblePaths=-/usr/sbin/zramctl
InaccessiblePaths=-/usr/bin/alsaloop
InaccessiblePaths=-/usr/bin/alsamixer
InaccessiblePaths=-/usr/bin/alsatplg
InaccessiblePaths=-/usr/bin/alsaucm
InaccessiblePaths=-/usr/bin/alsaunmute
InaccessiblePaths=-/usr/bin/attr
InaccessiblePaths=-/usr/bin/balooctl
InaccessiblePaths=-/usr/bin/bash
InaccessiblePaths=-/usr/bin/bootctl
InaccessiblePaths=-/usr/bin/busctl
InaccessiblePaths=-/usr/bin/chacl
InaccessiblePaths=-/usr/bin/chattr
InaccessiblePaths=-/usr/bin/cmp
InaccessiblePaths=-/usr/bin/coredumpctl
InaccessiblePaths=-/usr/bin/crontab
InaccessiblePaths=-/usr/bin/csh
InaccessiblePaths=-/usr/bin/dash
InaccessiblePaths=-/usr/bin/dd
InaccessiblePaths=-/usr/bin/df
InaccessiblePaths=-/usr/bin/diff
InaccessiblePaths=-/usr/bin/diff3
InaccessiblePaths=-/usr/bin/dmesg
InaccessiblePaths=-/usr/bin/dnf
InaccessiblePaths=-/usr/bin/dotty
InaccessiblePaths=-/usr/bin/dracut
InaccessiblePaths=-/usr/bin/evmctl
InaccessiblePaths=-/usr/bin/free
InaccessiblePaths=-/usr/bin/ftp
InaccessiblePaths=-/usr/bin/getfacl
InaccessiblePaths=-/usr/bin/getfattr
InaccessiblePaths=-/usr/bin/grotty
InaccessiblePaths=-/usr/bin/grub2-file
InaccessiblePaths=-/usr/bin/grub2-menulst2cfg
InaccessiblePaths=-/usr/bin/grub2-mkimage
InaccessiblePaths=-/usr/bin/grub2-mkrelpath
InaccessiblePaths=-/usr/bin/grub2-render-label
InaccessiblePaths=-/usr/bin/grub2-script-check
InaccessiblePaths=-/usr/bin/hostnamectl
InaccessiblePaths=-/usr/bin/htop
InaccessiblePaths=-/usr/bin/ipcmk
InaccessiblePaths=-/usr/bin/journalctl
InaccessiblePaths=-/usr/bin/keyctl
InaccessiblePaths=-/usr/bin/kill
InaccessiblePaths=-/usr/bin/killall
InaccessiblePaths=-/usr/bin/ksh
InaccessiblePaths=-/usr/bin/last
InaccessiblePaths=-/usr/bin/localectl
InaccessiblePaths=-/usr/bin/locate
InaccessiblePaths=-/usr/bin/loginctl
InaccessiblePaths=-/usr/bin/ls
InaccessiblePaths=-/usr/bin/lsattr
InaccessiblePaths=-/usr/bin/lsblk
InaccessiblePaths=-/usr/bin/lsb_release
InaccessiblePaths=-/usr/bin/lscpu
InaccessiblePaths=-/usr/bin/lsdiff
InaccessiblePaths=-/usr/bin/lsinitrd
InaccessiblePaths=-/usr/bin/lsipc
InaccessiblePaths=-/usr/bin/lslocks
InaccessiblePaths=-/usr/bin/lslogins
InaccessiblePaths=-/usr/bin/lsmem
InaccessiblePaths=-/usr/bin/lsns
InaccessiblePaths=-/usr/bin/lsof
InaccessiblePaths=-/usr/bin/lsscsi
InaccessiblePaths=-/usr/bin/lsusb
InaccessiblePaths=-/usr/bin/lua
InaccessiblePaths=-/usr/bin/lynis
InaccessiblePaths=-/usr/bin/mail
InaccessiblePaths=-/usr/bin/mkfifo
InaccessiblePaths=-/usr/bin/mkinitrd
InaccessiblePaths=-/usr/bin/mkisofs
InaccessiblePaths=-/usr/bin/mknod
InaccessiblePaths=-/usr/bin/mount
InaccessiblePaths=-/usr/bin/mountpoint
InaccessiblePaths=-/usr/bin/nc
InaccessiblePaths=-/usr/bin/netcap
InaccessiblePaths=-/usr/bin/netstat
InaccessiblePaths=-/usr/bin/netstat-nat
InaccessiblePaths=-/usr/bin/networkctl
InaccessiblePaths=-/usr/bin/nmap
InaccessiblePaths=-/usr/bin/nping
InaccessiblePaths=-/usr/bin/nsenter
InaccessiblePaths=-/usr/bin/pactl
InaccessiblePaths=-/usr/bin/panelctl
InaccessiblePaths=-/usr/bin/passwd
InaccessiblePaths=-/usr/bin/peekfd
InaccessiblePaths=-/usr/bin/pgrep
InaccessiblePaths=-/usr/bin/pidof
InaccessiblePaths=-/usr/bin/ping
InaccessiblePaths=-/usr/bin/pkill
InaccessiblePaths=-/usr/bin/pkttyagent
InaccessiblePaths=-/usr/bin/pmap
InaccessiblePaths=-/usr/bin/portablectl
InaccessiblePaths=-/usr/bin/prtstat
InaccessiblePaths=-/usr/bin/ps
InaccessiblePaths=-/usr/bin/pslog
InaccessiblePaths=-/usr/bin/pstree
InaccessiblePaths=-/usr/bin/pstree.x11
InaccessiblePaths=-/usr/bin/pulseaudio
InaccessiblePaths=-/usr/bin/pwdx
InaccessiblePaths=-/usr/bin/python
InaccessiblePaths=-/usr/bin/python2
InaccessiblePaths=-/usr/bin/python3
InaccessiblePaths=-/usr/bin/resolvectl
InaccessiblePaths=-/usr/bin/rkhunter
InaccessiblePaths=-/usr/bin/rpm
InaccessiblePaths=-/usr/bin/rsync
InaccessiblePaths=-/usr/bin/ruby
InaccessiblePaths=-/usr/bin/scp
InaccessiblePaths=-/usr/bin/screen
InaccessiblePaths=-/usr/bin/sdiff
InaccessiblePaths=-/usr/bin/setarch
InaccessiblePaths=-/usr/bin/setcifsacl
InaccessiblePaths=-/usr/bin/setfacl
InaccessiblePaths=-/usr/bin/setfattr
InaccessiblePaths=-/usr/bin/setpriv
InaccessiblePaths=-/usr/bin/setsid
InaccessiblePaths=-/usr/bin/setterm
InaccessiblePaths=-/usr/bin/setxkbmap
InaccessiblePaths=-/usr/bin/sftp
InaccessiblePaths=-/usr/bin/sh
InaccessiblePaths=-/usr/bin/skill
InaccessiblePaths=-/usr/bin/slabtop
InaccessiblePaths=-/usr/bin/snice
InaccessiblePaths=-/usr/bin/ssh
InaccessiblePaths=-/usr/bin/ssh-add
InaccessiblePaths=-/usr/bin/ssh-agent
InaccessiblePaths=-/usr/bin/ssh-copy-id
InaccessiblePaths=-/usr/bin/ssh-keyscan
InaccessiblePaths=-/usr/bin/strace
InaccessiblePaths=-/usr/bin/strace-log-merg
InaccessiblePaths=-/usr/bin/stty
InaccessiblePaths=-/usr/bin/su
InaccessiblePaths=-/usr/bin/sudo
InaccessiblePaths=-/usr/bin/systemctl
InaccessiblePaths=-/usr/bin/systemd-tty-ask-password-agent
InaccessiblePaths=-/usr/bin/tcl
InaccessiblePaths=-/usr/bin/tcptraceroute
InaccessiblePaths=-/usr/bin/tcsh
InaccessiblePaths=-/usr/bin/telnet
InaccessiblePaths=-/usr/bin/timedatectl
InaccessiblePaths=-/usr/bin/tload
InaccessiblePaths=-/usr/bin/top
InaccessiblePaths=-/usr/bin/tracepath
InaccessiblePaths=-/usr/bin/traceroute
InaccessiblePaths=-/usr/bin/traceroute6
InaccessiblePaths=-/usr/bin/tricklectl
InaccessiblePaths=-/usr/bin/tty
InaccessiblePaths=-/usr/bin/udisksctl
InaccessiblePaths=-/usr/bin/umount
InaccessiblePaths=-/usr/bin/updatedb
InaccessiblePaths=-/usr/bin/uptime
InaccessiblePaths=-/usr/bin/users
InaccessiblePaths=-/usr/bin/vmstat
InaccessiblePaths=-/usr/bin/vmtoolsd
InaccessiblePaths=-/usr/bin/vmware-checkvm
InaccessiblePaths=-/usr/bin/vmware-namespace-cmd
InaccessiblePaths=-/usr/bin/vmware-rpctool
InaccessiblePaths=-/usr/bin/vmware-toolbox-cmd
InaccessiblePaths=-/usr/bin/vmware-xferlogs
InaccessiblePaths=-/usr/bin/w
InaccessiblePaths=-/usr/bin/wall
InaccessiblePaths=-/usr/bin/watch
InaccessiblePaths=-/usr/bin/wdctl
InaccessiblePaths=-/usr/bin/wg
InaccessiblePaths=-/usr/bin/wget
InaccessiblePaths=-/usr/bin/who
InaccessiblePaths=-/usr/bin/whoami
InaccessiblePaths=-/usr/bin/zsh
InaccessiblePaths=-/boot
InaccessiblePaths=-/efi
InaccessiblePaths=-/media
InaccessiblePaths=-/run/media
InaccessiblePaths=-/run/mount
InaccessiblePaths=-/etc/cron.d
InaccessiblePaths=-/etc/cron.daily
InaccessiblePaths=-/etc/cron.hourly
InaccessiblePaths=-/etc/cron.monthly
InaccessiblePaths=-/etc/cron.weekly
InaccessiblePaths=-/etc/dbus-1
InaccessiblePaths=-/etc/modprobe.d
InaccessiblePaths=-/etc/modules-load.d
InaccessiblePaths=-/etc/postfix
InaccessiblePaths=-/etc/ssh
InaccessiblePaths=-/etc/sysctl.d
InaccessiblePaths=-/run/console
InaccessiblePaths=-/run/dbus
InaccessiblePaths=-/run/lock
InaccessiblePaths=-/run/systemd/generator
InaccessiblePaths=-/run/systemd/system
InaccessiblePaths=-/run/systemd/users
InaccessiblePaths=-/run/udev
InaccessiblePaths=-/usr/lib/.build-id
InaccessiblePaths=-/usr/lib/alsa
InaccessiblePaths=-/usr/lib/cpp
InaccessiblePaths=-/usr/lib/dracut
InaccessiblePaths=-/usr/lib/dtrace
InaccessiblePaths=-/usr/lib/firmware
InaccessiblePaths=-/usr/lib/gcc
InaccessiblePaths=-/usr/lib/grub
InaccessiblePaths=-/usr/lib/kernel
InaccessiblePaths=-/usr/lib/modprobe.d
InaccessiblePaths=-/usr/lib/modules
InaccessiblePaths=-/usr/lib/modules-load.d
InaccessiblePaths=-/usr/lib/rpm
InaccessiblePaths=-/usr/lib/sysctl.d
InaccessiblePaths=-/usr/lib/udev
InaccessiblePaths=-/usr/lib/vmware
InaccessiblePaths=-/usr/lib/vmware-installer
InaccessiblePaths=-/usr/lib/vmware-ovftool
InaccessiblePaths=-/usr/lib/vmware-vix
InaccessiblePaths=-/usr/lib64/dbus-1
InaccessiblePaths=-/usr/libexec/mlocate-run-updatedb
InaccessiblePaths=-/usr/libexec/openssh
InaccessiblePaths=-/usr/libexec/openssh/sftp-server
InaccessiblePaths=-/usr/libexec/openssh/sshd-keygen
InaccessiblePaths=-/usr/libexec/postfix
InaccessiblePaths=-/usr/local/scripts
InaccessiblePaths=-/var/db
InaccessiblePaths=-/var/lib/dbus
InaccessiblePaths=-/var/lib/dnf
InaccessiblePaths=-/var/lib/rpm
InaccessiblePaths=-/var/lib/systemd
InaccessiblePaths=-/var/spool/anacron
InaccessiblePaths=-/var/spool/clientmqueue
InaccessiblePaths=-/var/spool/cron
InaccessiblePaths=-/var/spool/exim
InaccessiblePaths=-/var/spool/hylafax
InaccessiblePaths=-/var/spool/lpd
InaccessiblePaths=-/var/spool/mail
InaccessiblePaths=-/var/spool/mqueue
InaccessiblePaths=-/var/spool/postfix
InaccessiblePaths=-/var/spool/squid
From: jin&hitman&Barracuda <jin...@gm...> - 2020-12-26 09:11:24
Hi,

I've used fail2ban for a bunch of SMTP servers and it didn't go well. But there is another project (crowdsec) and I guess that it is worth mentioning here. The project has many features which fail2ban doesn't have. I haven't tried it yet but I will soon. Maybe you'd like to look at it.

Crowdsec: A Fail2Ban alternative written in Go - https://github.com/crowdsecurity/crowdsec

By the way, while I was using fail2ban, I had a script (which I wrote) to add/remove IP addresses to the OpenBSD firewall, which is a lot easier than iptables.

On Sat, Dec 26, 2020, 11:37 Jeffery Wilkins <djc...@gm...> wrote:
> im looking for some people who host http servers (apache/nginx) and who
> are familiar with mod_security and iptables firewalls
> the setup that I am after is if an IP address hits my website and does a
> typical vuln scan my web server sends them back no response and they
> silently get added to an iptables ipset blacklist that lasts for 1 week
> I already have mod_security (OWASP RULES) on my apache 2 server at
> (192.168.2.10) and a pfsense style firewall at (192.168.2.1)
> kind of like a web server honeypot if you will
> my current setup is already pretty powerful if you even send a simple
> TCP SYN packet to port 21,22 or even 23 you automatically get added to
> my routers firewall and dropped for 7 days for both in and outbound
> forgive me for asking a lot but I really want to buckle down on these
> stupid automated vuln scanners and keep them off my network
> I have already looked into things like fail2ban but that only protects
> the webserver itself and does not integrate with my routers firewall at
> all protecting the network as a whole
>
>
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/
From: Reindl H. <h.r...@th...> - 2020-12-26 09:42:35
On 26.12.20 at 10:11, jin&hitman&Barracuda wrote:
> Hi,
>
> I've used fail2ban for a bunch of SMTP servers and it didn't go well. But
> there is another project (crowdsec) and I guess that it is worth
> mentioning here. The project has many features which fail2ban doesn't
> have. I haven't tried it yet but I will soon. Maybe you'd like to look at it.
>
> Crowdsec: A Fail2Ban alternative written in Go -
> https://github.com/crowdsecurity/crowdsec
>
> By the way, while I was using fail2ban, I had a script (which I wrote) to
> add/remove IP addresses to the OpenBSD firewall, which is a lot easier than
> iptables.

You don't write iptables rules for each and every address.

https://ipset.netfilter.org/ is your friend
https://ipset.netfilter.org/ipset.man.html

* you have *one* iptables rule with the ipset match
* one command adds or removes an IP to the set
* it's dramatically faster -> hash table
* you can block millions of IPs without performance drop

> On Sat, Dec 26, 2020, 11:37 Jeffery Wilkins <djc...@gm...> wrote:
>
> > im looking for some people who host http servers (apache/nginx) and who
> > are familiar with mod_security and iptables firewalls
> > the setup that I am after is if an IP address hits my website and
> > does a
> > typical vuln scan my web server sends them back no response and they
> > silently get added to an iptables ipset blacklist that lasts for 1 week
> > I already have mod_security (OWASP RULES) on my apache 2 server at
> > (192.168.2.10) and a pfsense style firewall at (192.168.2.1)
> > kind of like a web server honeypot if you will
> > my current setup is already pretty powerful if you even send a simple
> > TCP SYN packet to port 21,22 or even 23 you automatically get added to
> > my routers firewall and dropped for 7 days for both in and outbound
> > forgive me for asking a lot but I really want to buckle down on these
> > stupid automated vuln scanners and keep them off my network
> > I have already looked into things like fail2ban but that only protects
> > the webserver itself and does not integrate with my routers firewall at
> > all protecting the network as a whole
From: Reindl H. <h.r...@th...> - 2020-12-26 09:45:29
On 26.12.20 at 10:42, Reindl Harald wrote:
>
>
> On 26.12.20 at 10:11, jin&hitman&Barracuda wrote:
>> Hi,
>>
>> I've used fail2ban for a bunch of SMTP servers and it didn't go well.
>> But there is another project (crowdsec) and I guess that it is worth
>> mentioning here. The project has many features which fail2ban doesn't
>> have. I haven't tried it yet but I will soon. Maybe you'd like to look
>> at it.
>>
>> Crowdsec: A Fail2Ban alternative written in Go -
>> https://github.com/crowdsecurity/crowdsec
>>
>> By the way, while I was using fail2ban, I had a script (which I wrote)
>> to add/remove IP addresses to the OpenBSD firewall, which is a lot easier
>> than iptables.
>
> you don't write iptables rules for each and every address
>
> https://ipset.netfilter.org/ is your friend
> https://ipset.netfilter.org/ipset.man.html
>
> * you have *one* iptables rule with the ipset match
> * one command adds or removes an IP to the set
> * it's dramatically faster -> hash table
> * you can block millions of IPs without performance drop

Forgot the most important feature: it supports auto-expire; you only care about adding abusers.

[root@firewall:~]$ ipset -L BLOCKED_DYNAMIC_PORTSCAN_IPV4 | head -n 50
Name: BLOCKED_DYNAMIC_PORTSCAN_IPV4
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 45
Size in memory: 98504
References: 3
Number of entries: 266
Members:
68.183.38.8 timeout 28
222.161.223.54 timeout 44
91.231.254.219 timeout 31
51.159.185.247 timeout 11
51.158.186.43 timeout 23
37.46.150.2 timeout 3
42.191.21.171 timeout 40
51.158.168.219 timeout 9
151.115.60.156 timeout 29
123.17.99.37 timeout 37
51.15.139.1 timeout 37
51.158.101.159 timeout 41
151.115.34.215 timeout 43
74.120.14.73 timeout 4
80.82.65.74 timeout 1
46.73.126.93 timeout 21
182.61.19.225 timeout 21
74.120.14.80 timeout 8
45.129.33.154 timeout 10
45.129.33.162 timeout 19
94.102.51.28 timeout 28
188.166.82.19 timeout 23
49.51.244.189 timeout 28
71.6.233.196 timeout 15
182.73.150.18 timeout 18
151.115.50.105 timeout 33
71.6.233.244 timeout 23
167.248.133.65 timeout 11
163.172.139.239 timeout 26
92.63.197.61 timeout 41
167.248.133.93 timeout 25
194.26.25.108 timeout 32
162.142.125.92 timeout 20
1.202.11.206 timeout 5
5.63.151.112 timeout 16
51.158.119.240 timeout 16
87.103.208.30 timeout 22
192.35.169.33 timeout 18
51.158.100.175 timeout 35
151.115.44.238 timeout 13
45.129.33.166 timeout 20
223.31.231.202 timeout 29
[root@firewall:~]$
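Reindl's three points from this and his earlier replies (do the log parsing outside the web server, one iptables rule with an ipset match, and let the entries auto-expire) put together in one script, as an added example that is not code from the thread nor from the ModSecurity or ipset projects. It assumes the Apache 2.4 + mod_security2 error-log shape ("[client A.B.C.D] ModSecurity: Access denied ..."; nginx with libmodsecurity logs differently and needs another regex), an assumed set name BLOCKED_DYNAMIC_WEBSCAN_IPV4, a threshold of five denials before a ban, the 7-day timeout the original poster asked for, and that it runs as root on the Linux host that owns the ipset; pushing the same list into the pfSense router at 192.168.2.1 is not covered. The sample log lines inside are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: parse ModSecurity "Access denied"
# entries out of the Apache error log *outside* httpd, count denials per
# client and put repeat offenders into an ipset whose entries expire on
# their own (7 days, as the OP wants). Set name, threshold, log path and
# the mod_security2 log shape are assumptions; run it as root from cron or
# a systemd timer, never from a handler inside the web server.
set -eu
export LC_ALL=C

SET_NAME="${SET_NAME:-BLOCKED_DYNAMIC_WEBSCAN_IPV4}"   # assumed set name
BAN_SECONDS="${BAN_SECONDS:-604800}"                   # 7 * 24 * 3600
THRESHOLD="${THRESHOLD:-5}"                            # denials before a ban
IPSET="${IPSET:-ipset}"                                # set to "echo" to dry-run
IPTABLES="${IPTABLES:-iptables}"

# One client IPv4 per "Access denied" line, in log order. mod_security2
# prefixes its message with "[client A.B.C.D]"; Apache's own
# "[client A.B.C.D:port]" field earlier on the line is skipped by anchoring
# on the "] ModSecurity: Access denied" that follows. Warnings do not count.
modsec_denied_ips() {
    sed -n 's/.*\[client \([0-9][0-9.]*\)[^]]*\] ModSecurity: Access denied.*/\1/p'
}

# Never ban your own networks; an internal scanner is a different problem.
not_local() {
    grep -Ev '^(10\.|127\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)' || true
}

# "ip count" for every client at or above the threshold (argument or
# $THRESHOLD), so one CRS false positive does not earn a 7-day ban.
repeat_offenders() {
    t="${1:-$THRESHOLD}"
    modsec_denied_ips | not_local | sort | uniq -c \
        | awk -v t="$t" '$1 >= t { print $2, $1 }'
}

# Turn "ip count" lines into ipset commands. -exist makes a re-ban refresh
# the entry's timeout instead of failing with "element already exists".
ban_commands() {
    while read -r ip _count; do
        echo "$IPSET -exist add $SET_NAME $ip timeout $BAN_SECONDS"
    done
}

# One set, one rule. hash:ip with a default timeout: entries vanish after
# BAN_SECONDS, so no cleanup job is needed. -C probes for the rule so that
# repeated runs do not stack duplicate DROP rules.
ensure_blocklist() {
    "$IPSET" -exist create "$SET_NAME" hash:ip family inet timeout "$BAN_SECONDS"
    "$IPTABLES" -C INPUT -m set --match-set "$SET_NAME" src -j DROP 2>/dev/null \
        || "$IPTABLES" -I INPUT -m set --match-set "$SET_NAME" src -j DROP
}

# Constructed sample in the Apache 2.4 + mod_security2 error-log shape (not
# from a real server): five denials from one scanner, one from a second
# client, one warning-only line and one unrelated core error.
sample_log() {
    cat <<'EOF'
[Sat Dec 26 10:15:01.000001 2020] [:error] [pid 1201:tid 1] [client 203.0.113.5:51234] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). [uri "/.env"]
[Sat Dec 26 10:15:02.000002 2020] [:error] [pid 1201:tid 1] [client 198.51.100.7:40001] [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 2). [uri "/admin"]
[Sat Dec 26 10:15:03.000003 2020] [:error] [pid 1201:tid 1] [client 203.0.113.5:51235] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). [uri "/wp-login.php"]
[Sat Dec 26 10:15:04.000004 2020] [:error] [pid 1201:tid 1] [client 203.0.113.5:51236] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). [uri "/phpmyadmin/"]
[Sat Dec 26 10:15:05.000005 2020] [:error] [pid 1201:tid 1] [client 192.0.2.9:33000] [client 192.0.2.9] ModSecurity: Warning. Pattern match at ARGS:q. [uri "/search"]
[Sat Dec 26 10:15:06.000006 2020] [:error] [pid 1201:tid 1] [client 203.0.113.5:51237] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). [uri "/.git/config"]
[Sat Dec 26 10:15:07.000007 2020] [core:error] [pid 1201:tid 1] [client 203.0.113.5:51238] Invalid URI in request GET /../ HTTP/1.1
[Sat Dec 26 10:15:08.000008 2020] [:error] [pid 1201:tid 1] [client 203.0.113.5:51239] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). [uri "/cgi-bin/"]
EOF
}

main() {
    ensure_blocklist
    repeat_offenders < "$1" | ban_commands | sh
}

if [ "${1:-}" = "--apply" ]; then
    main "${2:-/var/log/httpd/error_log}"
fi
```

Run it dry first (IPSET=echo IPTABLES=echo ./ban-scanners.sh --apply /var/log/httpd/error_log) to see the commands it would issue. Only lines that say "Access denied" count, so check that the rule engine is actually blocking rather than only logging; the threshold is what keeps a single CRS false positive on a legitimate visitor from turning into a week-long ban, and the timeout on the set is what makes the ban "silently" go away without a second script.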
From: jin&hitman&Barracuda <jin...@gm...> - 2020-12-26 15:00:51
Hi,

I'm not here to argue about iptables (or ipsets) and I did not say that each and every address needs an iptables rule. I just said, a lot easier than *iptables*. At the time ipsets were introduced, there were some design flaws, like:

- ipsets did not support loading host (/32) addresses and networks into a single table. They need to be loaded as separate tables.
- Under the same conditions and the same hardware, ipsets needed more time to load/reload sets/tables than pf.
- When you need to use a file to load a sample of addresses, you need to specifically design that file because ipset doesn't support loading a list of addresses from a simple text file. Each and every line should start with the "add" keyword and should continue with "<ipset_name>" and "ip address". Also you have to add the ipset create stanza at the very beginning of that file. On the contrary, pf can load addresses from a simple file, and there is no need to add anything to that file or divide the address list into host addresses and network addresses.

I did not use ipsets after RHEL 6; there must have been some improvements, but I doubt that it will be as useful as pf is.

On Sat, Dec 26, 2020 at 12:46 PM Reindl Harald <h.r...@th...> wrote:
>
>
> On 26.12.20 at 10:11, jin&hitman&Barracuda wrote:
> > Hi,
> >
> > I've used fail2ban for a bunch of SMTP servers and it didn't go well. But
> > there is another project (crowdsec) and I guess that it is worth
> > mentioning here. The project has many features which fail2ban doesn't
> > have. I haven't tried it yet but I will soon. Maybe you'd like to look at it.
> >
> > Crowdsec: A Fail2Ban alternative written in Go -
> > https://github.com/crowdsecurity/crowdsec
> >
> > By the way, while I was using fail2ban, I had a script (which I wrote) to
> > add/remove IP addresses to the OpenBSD firewall, which is a lot easier than
> > iptables.
>
> you don't write iptables rules for each and every address
>
> https://ipset.netfilter.org/ is your friend
> https://ipset.netfilter.org/ipset.man.html
>
> * you have *one* iptables rule with the ipset match
> * one command adds or removes an IP to the set
> * it's dramatically faster -> hash table
> * you can block millions of IPs without performance drop
>
> > On Sat, Dec 26, 2020, 11:37 Jeffery Wilkins <djc...@gm...> wrote:
> >
> > > im looking for some people who host http servers (apache/nginx) and who
> > > are familiar with mod_security and iptables firewalls
> > > the setup that I am after is if an IP address hits my website and
> > > does a
> > > typical vuln scan my web server sends them back no response and they
> > > silently get added to an iptables ipset blacklist that lasts for 1 week
> > > I already have mod_security (OWASP RULES) on my apache 2 server at
> > > (192.168.2.10) and a pfsense style firewall at (192.168.2.1)
> > > kind of like a web server honeypot if you will
> > > my current setup is already pretty powerful if you even send a simple
> > > TCP SYN packet to port 21,22 or even 23 you automatically get added to
> > > my routers firewall and dropped for 7 days for both in and outbound
> > > forgive me for asking a lot but I really want to buckle down on these
> > > stupid automated vuln scanners and keep them off my network
> > > I have already looked into things like fail2ban but that only protects
> > > the webserver itself and does not integrate with my routers firewall at
> > > all protecting the network as a whole

-- 
*There is no place like "/home"*
*Tuco (Benedicto Pacifico Juan Maria) Ramirez*
From: Reindl H. <h.r...@th...> - 2020-12-26 15:16:47
|
firsat: may i ask you why you respond with html to plaintext mails? Am 26.12.20 um 16:00 schrieb jin&hitman&Barracuda: > Hi, > > I'm not here to argue about iptables (or ipsets) and i did not say that > every and each address needs a iptables rule. I just said, a lot easier > than *iptables*. At the time ipsets introduced, there was some design > flaw like; > > - ipsets did not support to load host (/32) address and networks into > single table. It needs to be load i as separate tables not true! "Type: hash:net" has no problem with /32 if you use "hash:ip" but want to mix: a fool with a tool is still a fool -------------------------- real-world ipset from a datacenter firewall Name: BLOCKED_IPV4 Type: hash:net Header: family inet hashsize 1024 maxelem 512 Size in memory: 3520 Number of entries: 51 Members: 3.112.171.163 18.130.64.226 31.28.163.0/24 31.28.170.0/24 -------------------------- > - under same conditions and same hardware, ipsets was need more time to > load/reload sets/tables than pf how often do you reboot? > - When you need to use a file to load sample of addresses, you need to > specifically design that file because ipset doesn't support to load a > list of address from a simple text file. Each and every line should be > start with "add" key word and should continue with "<ipset_name>" and > "ip address". Also you have to add ipset create stanza on the very > beginning of that file. On the contrary, pf can load address from a > simple file and yet there is no need to add anything to that file or > divide address list into host address and network address. 
hell, that's what save/restore is for a) ipset -file /etc/sysconfig/ipset restore one time at reboot before restore iptables/iptables-nft b) ipset -file /etc/sysconfig/ipset save each time you made changes which should survive a reboot and when you want to load from a textfile you just loop trough the textfile and so "ipset add IPSET_NAME VALUE" which is a 1-liner if you want > I did not use ipsets after than rhel6, there must be some improvements RHEL6 is a long time ago AFAIK you needed redirection instead -file to begin with > but i doubt that it will be useful as pf does. jesus christ...... and even if PF has some advantages nobody will switch to openbsd because of that and if it's only because there is no systemd, initscripts are crap > On Sat, Dec 26, 2020 at 12:46 PM Reindl Harald <h.r...@th... > <mailto:h.r...@th...>> wrote: > > > > Am 26.12.20 um 10:11 schrieb jin&hitman&Barracuda: > > Hi, > > > > I've used failban for a bunch of smtp servers and it didn't go > well. But > > there is another project (crowdsec) and i guess that it is worth to > > mention here. The project have many features which failban don't > have. I > > haven't try it yet but i will soon. May be you'd like to look at it. > > > > Crowdsec: A Fail2Ban alternative written in Go - > > https://github.com/crowdsecurity/crowdsec > <https://github.com/crowdsecurity/crowdsec> > > <https://github.com/crowdsecurity/crowdsec > <https://github.com/crowdsecurity/crowdsec>> > > > > By the way, while i was using failban, i had a script (which i > wrote) to > > add/remove ip adresses to openbsd firewall which is a lot easier > than > > iptables. 
> > you don't write iptables rules for each and every address
> >
> > https://ipset.netfilter.org/ is your friend
> > https://ipset.netfilter.org/ipset.man.html
> >
> > * you have *one* iptables rule with the ipset match
> > * one command adds or removes an ip to the set
> > * it's dramatically faster -> hash-table
> > * you can block millions of ips without performance drop
>
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/
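The save/restore and "loop through a textfile" points above, as an added example that is not code from the thread or from any list member: a small POSIX shell converter that turns a plain one-address-per-line list (the format pf reads, here also allowing comments and blank lines) into an ipset restore stream with the create stanza in front, mixing /32 hosts and networks in a single hash:net set, plus the one iptables rule that matches the whole set. The set name, file names and the sample list are assumptions made up for this example.

```shell
#!/bin/sh
# Added example, not code from the thread: plain text blocklist -> ipset
# restore stream. The set name and the sample list below are assumptions.
SET_NAME="BLOCKED_IPV4"

# Read one IPv4 address or CIDR per line from stdin (comments after '#'
# and blank lines allowed, like a pf table file) and print the ipset
# restore format: the create stanza first, then one "add" line per entry.
# hash:net takes /32 hosts and networks in the same set, so no split is
# needed. Optional $1 = timeout in seconds given to the set and every entry.
blocklist_to_restore() {
    timeout_opt=""
    if [ -n "${1:-}" ]; then
        timeout_opt=" timeout $1"
    fi
    printf 'create %s hash:net family inet hashsize 1024 maxelem 65536%s\n' \
        "$SET_NAME" "$timeout_opt"
    sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' |
        grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' |
        sort -u |
        while read -r entry; do
            printf 'add %s %s%s\n' "$SET_NAME" "$entry" "$timeout_opt"
        done
}

# The one iptables rule the thread talks about: match the whole set, no
# per-address rules. Printed here; apply_blocklist below inserts it.
iptables_rule_for_set() {
    printf 'iptables -I INPUT -m set --match-set %s src -j DROP\n' "$SET_NAME"
}

# Load list file $1 (optional timeout $2) into the kernel and make sure
# the DROP rule exists exactly once. Needs root plus ipset/iptables, so
# it is not called at top level; run it on the Linux firewall host only.
apply_blocklist() {
    blocklist_to_restore "${2:-}" < "$1" | ipset restore -exist
    iptables -C INPUT -m set --match-set "$SET_NAME" src -j DROP 2>/dev/null ||
        iptables -I INPUT -m set --match-set "$SET_NAME" src -j DROP
}

# Constructed sample list in the plain format pf would read directly
# (documentation addresses, made up for this example).
SAMPLE_LIST='# scanners seen on the honeypot ports
203.0.113.7
198.51.100.0/24
203.0.113.7        # duplicate, folded by sort -u
not-an-address     # rejected by the grep filter
'

# Demo run: one week timeout (604800 s), output goes to stdout instead of
# the kernel; pipe it into "ipset restore -exist" to load it for real.
printf '%s' "$SAMPLE_LIST" | blocklist_to_restore 604800
```

The same stream is what `ipset save` writes, so the converted file can go straight to `/etc/sysconfig/ipset` for the reboot-time restore described above.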
From: jin&hitman&Barracuda <jin...@gm...> - 2020-12-26 16:57:12
Sorry for the html mails but there is no chance to replace it.

In the first mail 'djc...@gm...' mentioned that he/she needs a solution for pfsense. You didn't read it, did you? (Please don't answer, it's obvious)

I never wanted to be the guy who has to argue with a Linux fanatic who thinks systemd is a salvation. Nope, never and ever and God my witness. God, i beg you to not push me that hard, don't let me be that guy.

By the way, it must be a miracle to have a dc fw that has 51 records. Glorious...

I should have to thank you because you entertained me well. All of them are just a joke but you know that you started this.

djc...@gm..., i'm really sorry to bother you because honestly i just wanted to share something that could help you. Usually, i never poke or push people to argue with me.
From: Reindl H. <h.r...@th...> - 2020-12-26 17:05:45
On 26.12.20 at 17:56 jin&hitman&Barracuda wrote:
> Sorry for the html mails but there is no chance to replace it.
>
> In the first mail 'djc...@gm...' mentioned that he/she needs a
> solution for pfsense. You didn't read it, did you? (Please don't
> answer, it's obvious)

that's why "iptables" is part of the subject?

"pfsense style firewall" - you mentioned the "style"?

> I never wanted to be the guy who has to argue with a Linux fanatic
> who thinks systemd is a salvation. Nope, never and ever and God my
> witness. God, i beg you to not push me that hard, don't let me be that
> guy.

disclaimer: this is a BSD guy and the subject is misleading:
https://www.youtube.com/watch?v=o_AIw9bGogo

> By the way, it must be a miracle to have a dc fw that has 51 records.
> Glorious...

idiot

that's one out of 25 ipsets, the manual blocklist

IPSET - OVERVIEW

 970  BLOCKED_FEED_IPV4               hash:net
 208  BLOCKED_DYNAMIC_PORTSCAN_IPV4   hash:ip timeout:45
 161  PORTS_RESTRICTED                bitmap:port
 131  OUTBOUND_BLOCKED_PORTS          bitmap:port
  69  PORTSCAN_PORTS                  bitmap:port
  63  HONEYPOT_PORTS                  bitmap:port
  51  BLOCKED_IPV4                    hash:net
  18  INFRASTRUCTURE_IPV4             hash:net
  18  HONEYPOT_IPS_IPV4               hash:net
  13  IANA_RESERVED_IPV4              hash:net
  13  ADMIN_CLIENTS_IPV4              hash:net
  11  OUTBOUND_BLOCKED_SRC_IPV4       hash:net
  11  LAN_VPN_FORWARDING_IPV4         hash:net
   8  EXCLUDES_IPV4                   hash:net
   7  PORTS_MAIL                      bitmap:port
   5  RESTRICTED_IPV4                 hash:net
   5  IPERF_IPV4                      hash:net
   4  RBL_SYNC_IPV4                   hash:net
   4  JABBER_IPV4                     hash:net
   4  BAYES_SYNC_IPV4                 hash:net
   3  BLOCKED_MERGED_IPV4             list:set
   2  DNS_PORTS                       bitmap:port
   1  BLOCKED_DYNAMIC_MAIL_IPV4       hash:ip timeout:60

----------------------- RULES -----------------------

 264  IPV4 total
 206  IPV4 filter
  32  IPV4 mangle
  18  IPV4 raw
   8  IPV4 nat

----------------------- CHAINS -----------------------

  65  IPV4 total
  53  IPV4 filter
   9  IPV4 mangle
   2  IPV4 raw
   1  IPV4 nat

> I should have to thank you because you entertained me well. All of them
> are just a joke but you know that you started this.

as said: you are an idiot
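The dynamic sets in the overview above (hash:ip with a timeout, such as BLOCKED_DYNAMIC_PORTSCAN_IPV4) are how the original ask in this thread, ModSecurity hits turning into a one-week ban, maps onto ipset. As an added example that is not code from the thread or from any list member, this POSIX shell script does the log-parsing part outside the webserver: it reads ModSecurity lines from an Apache error_log, counts distinct rule ids per client, and prints ipset restore lines with a 604800 s timeout for clients over a threshold. The set name, the threshold and the abbreviated log lines are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread: ModSecurity error_log lines ->
# ipset restore lines with a one-week timeout. Set name, threshold and
# the sample log are assumptions made up for this example.
SET_NAME="BLOCKED_DYNAMIC_SCANNER_IPV4"
WEEK=604800     # 7 days in seconds, the ban length asked for in the thread
THRESHOLD=3     # distinct rule ids a client must trigger before it is banned

# Constructed, abbreviated sample of what ModSecurity 2.x logs into the
# Apache 2.4 error_log. Only the [client a.b.c.d] and [id "nnn"] fields are
# used; the last line is a plain Apache message and must be ignored.
SAMPLE_LOG='[Sat Dec 26 10:15:01.000001 2020] [:error] [pid 1201] [client 203.0.113.9:40022] [client 203.0.113.9] ModSecurity: Warning. Pattern match "..." [id "930100"] [msg "Path Traversal Attack"]
[Sat Dec 26 10:15:01.000002 2020] [:error] [pid 1201] [client 203.0.113.9:40023] [client 203.0.113.9] ModSecurity: Warning. detected XSS using libinjection. [id "941100"] [msg "XSS Attack Detected"]
[Sat Dec 26 10:15:01.000003 2020] [:error] [pid 1201] [client 203.0.113.9:40024] [client 203.0.113.9] ModSecurity: Warning. detected SQLi using libinjection. [id "942100"] [msg "SQL Injection Attack"]
[Sat Dec 26 10:15:01.000004 2020] [:error] [pid 1202] [client 198.51.100.4:51000] [client 198.51.100.4] ModSecurity: Warning. detected XSS using libinjection. [id "941100"] [msg "XSS Attack Detected"]
[Sat Dec 26 10:15:01.000005 2020] [:error] [pid 1202] [client 198.51.100.4:51001] [client 198.51.100.4] ModSecurity: Warning. detected XSS using libinjection. [id "941100"] [msg "XSS Attack Detected"]
[Sat Dec 26 10:15:02.000000 2020] [:error] [pid 1203] [client 198.51.100.4:51002] AH01630: client denied by server configuration'

# Print "<client ip> <number of distinct rule ids>" for every client that
# triggered at least one ModSecurity rule in the log lines on stdin.
# Repeated hits on the same rule count once, so one noisy form does not
# look like a scanner; a real scanner trips many different rules.
scanner_scores() {
    grep 'ModSecurity:' |
        sed -n 's/.*\[client \([0-9.]*\)[]:].*\[id "\([0-9]*\)"\].*/\1 \2/p' |
        sort -u |
        awk '{ n[$1]++ } END { for (ip in n) print ip, n[ip] }' |
        sort
}

# Turn the scores into an ipset restore stream: a hash:ip set with a
# default timeout and one timed "add" per client at or above THRESHOLD.
# Entries expire by themselves after WEEK seconds, nothing has to unban.
ban_lines() {
    printf 'create %s hash:ip family inet timeout %s\n' "$SET_NAME" "$WEEK"
    scanner_scores | awk -v t="$THRESHOLD" -v s="$SET_NAME" -v w="$WEEK" \
        '$2 >= t { print "add " s " " $1 " timeout " w }'
}

# Demo run on the constructed log: only 203.0.113.9 (three different rule
# ids) is banned; 198.51.100.4 hit one rule twice and stays out of the set.
printf '%s\n' "$SAMPLE_LOG" | ban_lines
```

The output is meant for `ipset restore -exist` on the Linux firewall host (from a cron job or a `tail -F` pipeline over the shipped log), so httpd itself never needs firewall privileges; one `-m set --match-set` DROP rule on that set silently discards everything from the banned clients.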