owasp-modsecurity / ModSecurity-apache

ModSecurity v3 Apache Connector
Apache License 2.0

Question: iptables support (realtime server firewall) #61

Closed CanadianJeff closed 5 years ago

CanadianJeff commented 5 years ago

I feel logging events is a nice thing to have, but for the more severe attacks we need a more aggressive firewall solution... for example, right now in my Apache logs I get automated scanners, which most of us probably do as well:

54.39.182.83 - - [01/Feb/2019:18:09:12 -0800] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 403 1930 "-" "ZmEu"
54.39.182.83 - - [01/Feb/2019:18:09:12 -0800] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 403 1917 "-" "ZmEu"
54.39.182.83 - - [01/Feb/2019:18:09:12 -0800] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 403 1917 "-" "ZmEu"
54.39.182.83 - - [01/Feb/2019:18:09:13 -0800] "GET /pma/scripts/setup.php HTTP/1.1" 403 1910 "-" "ZmEu"
54.39.182.83 - - [01/Feb/2019:18:09:13 -0800] "GET /myadmin/scripts/setup.php HTTP/1.1" 403 1914 "-" "ZmEu"
54.39.182.83 - - [01/Feb/2019:18:09:13 -0800] "GET /MyAdmin/scripts/setup.php HTTP/1.1" 403 1914 "-" "ZmEu"
54.39.182.83 - - [01/Feb/2019:18:09:13 -0800] "GET /mysql/scripts/setup.php HTTP/1.1" 403 1912 "-" "ZmEu"
54.39.182.83 - - [01/Feb/2019:18:09:14 -0800] "GET /admin/scripts/setup.php HTTP/1.1" 403 1912 "-" "ZmEu"
54.39.182.83 - - [01/Feb/2019:18:09:14 -0800] "GET /dbadmin/scripts/setup.php HTTP/1.1" 403 1914 "-" "ZmEu"
54.39.182.83 - - [01/Feb/2019:18:09:14 -0800] "GET /PMA/scripts/setup.php HTTP/1.1" 403 1910 "-" "ZmEu"
54.39.182.83 - - [01/Feb/2019:18:09:14 -0800] "GET /sqladmin/scripts/setup.php HTTP/1.1" 403 1915 "-" "ZmEu"
54.39.182.83 - - [01/Feb/2019:18:09:15 -0800] "GET /db/scripts/setup.php HTTP/1.1" 403 1909 "-" "ZmEu"
54.39.182.83 - - [01/Feb/2019:18:09:15 -0800] "GET /cpadmin/scripts/setup.php HTTP/1.1" 403 1914 "-" "ZmEu"
54.39.182.83 - - [01/Feb/2019:18:09:15 -0800] "GET /sqladm/scripts/setup.php HTTP/1.1" 403 1913 "-" "ZmEu"
54.39.182.83 - - [01/Feb/2019:18:09:15 -0800] "GET /phpMyAdmin2/scripts/setup.php HTTP/1.1" 403 1918 "-" "ZmEu"
54.39.182.83 - - [01/Feb/2019:18:09:16 -0800] "GET /my/scripts/setup.php HTTP/1.1" 403 1909 "-" "ZmEu"
54.39.182.83 - - [01/Feb/2019:18:09:16 -0800] "GET /cpadmindb/scripts/setup.php HTTP/1.1" 403 1916 "-" "ZmEu"

Looks like ModSecurity does its job and gives back a 403 here, which is great, but now we have a stupid IP address up to no good and scanning our web server, which could probably escalate to more severe attacks later on.

I feel that bad guys should not only have the request blocked but the attacking IP as well, so that it gets a DROP in the iptables firewall after the first detection:

54.39.182.83 - - [01/Feb/2019:18:09:12 -0800] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 403 1930 "-" "ZmEu"

followed by...

iptables -I INPUT -s 54.39.182.83 -j DROP
iptables -I FORWARD -s 54.39.182.83 -j DROP
iptables -I OUTPUT -d 54.39.182.83 -j DROP

If you get tons of false positives with this solution, the end user will probably let you know in some fashion that they can no longer access your web server.

zimmerle commented 5 years ago

Hi @CanadianJeff,

The integration of an application-layer firewall (i.e. ModSecurity) with a network-layer firewall is possible and seems to suit the specific use case that you have presented. There are, however, some things that should be tackled very carefully; one of those is privilege separation.

In order to achieve such an objective, I recommend using SecRuleScript or the exec action. Those could be used to trigger an external resource on your server, for example to manipulate a temporary database of the IP addresses that should be blocked at the network layer. This database could be consulted by an external process that will manipulate the iptables rules accordingly.
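One way to build the two-stage design described in the comment above, as an added example that is not from this issue or from the ModSecurity-apache project: the exec'd stage runs as the web-server user and only appends validated IPs to a queue file, and a separate root-run stage is the only thing that calls iptables. The queue path, the MODSEC_BLOCK chain name, the SecRule in the comment, and the assumption that the client IP is handed to the script as its first argument (how the exec action passes transaction data differs between ModSecurity versions) are all assumptions of this example.

```shell
#!/bin/sh
# Added example, not project code. Assumed rule that triggers stage 1
# (exec runs the script in addition to the deny; argument passing is assumed):
#   SecRule REQUEST_HEADERS:User-Agent "@contains ZmEu" \
#       "id:1000001,phase:1,deny,status:403,exec:/usr/local/bin/queue_ip.sh"

QUEUE="${QUEUE:-/var/lib/modsec-block/queue}"   # writable by the web user only
IPTABLES="${IPTABLES:-/sbin/iptables}"           # override for a dry run

# Accept only a well-formed dotted-quad IPv4 address (each octet 0-255).
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq \
      '^((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])$'
}

# Stage 1 (web-server user): validate, then append "<ip> <epoch>" once per IP.
# Anything that is not an IP is refused so the queue never carries shell text.
queue_ip() {
    ip="$1"
    valid_ipv4 "$ip" || return 1
    grep -q "^$ip " "$QUEUE" 2>/dev/null && return 0   # already queued
    printf '%s %s\n' "$ip" "$(date +%s)" >> "$QUEUE"
}

# Stage 2 (root, from cron or a systemd timer): add a DROP for each queued IP
# to a dedicated chain, then empty the queue. The queue was written by a less
# privileged user, so every entry is re-validated here before reaching
# iptables; -C avoids duplicate rules when the job runs repeatedly.
apply_queue() {
    [ -s "$QUEUE" ] || return 0
    $IPTABLES -N MODSEC_BLOCK 2>/dev/null || true            # chain may exist
    $IPTABLES -C INPUT -j MODSEC_BLOCK 2>/dev/null \
        || $IPTABLES -I INPUT -j MODSEC_BLOCK
    while read -r ip _ts; do
        valid_ipv4 "$ip" || continue
        $IPTABLES -C MODSEC_BLOCK -s "$ip" -j DROP 2>/dev/null \
            || $IPTABLES -A MODSEC_BLOCK -s "$ip" -j DROP
    done < "$QUEUE"
    : > "$QUEUE"
}
```

Blocking every offender for good is the same false-positive trade-off the reporter notes, so in practice stage 2 would also expire entries after some time (e.g. by the stored epoch) rather than keep them forever.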

CanadianJeff commented 4 years ago

I would kinda like to revisit this?