fl0ppy-d1sk
commented
4 years ago Hello @thelittlefireman, thanks for your suggestion.
From what I understand, teler is only detecting and not preventing. The database of resources is hosted at kitabisa/teler-resources and consists of :
- Common Web Attack from PHPIDS : this is outdated and ModSecurity+CRS should cover this
- CVE from nuclei-templates : looks interesting
- Bad IP & bad referrer from nginx ultimate bad bot blocker
- Bad crawlers from Crawler-Detect : might be useful too
- Directory bruteforce from dirsearch : bunkerized-nginx already offers rate limiting + fail2ban, I think it should be enough
We already download bad User-Agent list from nginx-ultimate-bad-bot-blocker. They also have bad IP and referrer lists, I will look into it deeper.
The Fail2Ban.WebExploits list contains too much generic urls like /admin, /blog, /demo, ... and will surely lead to FPs as you said. Fail2ban setup with 404 error codes should be enough IMO.
Let's keep this issue open while we integrate interesting stuff from these projects.
thelittlefireman
As a memo, these are some useful repos that could be added in bunkerized maybe ?
https://github.com/kitabisa/teler
https://github.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker
https://github.com/bigalownz/Fail2Ban.WebExploits
Some tests need to be done to avoid false positive with wordPress and other common sites.
Thanks :) Thomas