I have been investigating what could be done with an extension like modsecurity 3 with nginx and have a high-level idea and could use some feedback. In many ways, it's more like I have a hammer (modsecurity 3) or lua and what could I do with it. Is there really a need, given fail2ban seems to solve some of the same problems?
Note: if you already run 0-trust then this has no value. This is attempting to provide some of the benefits of 0-trust. Geo blocking is another simple FW mitigation that can be done and is dead simple given the available and free access to CIDRs by country.
Big goal is to shrink the 2**32 possible IPv4 addresses down to those of legitimate users. We have a tool that can prime the whitelist from successful logins (audit logs) to mitigate performance and FP implications.
- Ideally, limit access to our users by IP address if we knew them
- No false positives, so err on the side of allowing access
- We don't apply other rules such as OWASP Core Rule Set (CRS) to our users
- We block attacking IPs at the firewall with an ipset called blacklist24hr that will remove them automatically at expiration of good behavior.
- We use nginx + modsecurity 3 to determine what IPs our users have
- We use nginx + modsecurity 3 to determine what IPs to add to the blacklist24hr
Code:
-A INPUT -m set --match-set blacklist24hr src -j DROP
The rules then become this once they authenticate:
Code:
SecRule RESPONSE_HEADERS:/Set-Cookie/ "(ZM_AUTH_TOKEN|ZM_TRUST_TOKEN|JSESSIONID)" \
    "id:1001,phase:3,nolog,pass,exec:/path/to/add_ip_to_whitelist.sh %{REMOTE_ADDR}"
At which point, they will hit this first rule or something like this where we turn off further processing for them.
Code:
SecRule REMOTE_ADDR "@ipMatchFromFile /path/to/whitelist_ips.txt" \
    "id:1000,phase:1,nolog,pass,ctl:ruleEngine=Off"
For other IPs, like user-agents that are python, etc., they go through further rule exploration where they may or may not be placed into our ipset on the fly with a rule like this:
Code:
SecRule REQUEST_HEADERS:User-Agent "(python|wget|curl)" \
    "id:12345,phase:2,log,deny,status:403,\
    msg:'Blocked User-Agent: %{REQUEST_HEADERS.User-Agent}',\
    setenv:ip.blocked=1,\
    exec:/usr/bin/ipset add blacklist24hr %{REMOTE_ADDR}"
Code:
SecRule REQUEST_URI|REQUEST_HEADERS|REQUEST_BODY "(mboximport|wp-login)" \
    "id:12347,phase:2,log,deny,status:403,\
    msg:'Blocked request: %{MATCHED_VAR}',\
    setenv:ip.blocked=1,\
    exec:/usr/bin/ipset add blacklist24hr %{REMOTE_ADDR}"
or potentially blocked by OWASP Core Rule Set (CRS) if they are attempting to exploit an unknown flaw.
I started looking at some cookies but don't have a very good handle on what would constitute a valid authenticated user. I have debugging turned on with modsecurity, so that will show me the response headers, but I am more at the "how could this work" phase and what would be the best way to identify a valid user. I am also a little worried about how not to kill performance with the check for a valid IP address and the best way to dynamically add/remove them, which could be the killer reason not to try it.
I don't have any solution yet for pop/imap/submission so my "hammer" may not be capable enough.
Thoughts, ideas, concerns?
Jim
Statistics: Posted by JDunphy — Sat Apr 29, 2023 5:02 pm
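Along the lines of the audit-log priming tool mentioned in the post, here is an added example in Python that is my own code, not Jim's tool. It counts client IPv4 addresses from successful-login events in constructed Zimbra-style audit.log lines (the cmd=Auth, oip= and error= fields are assumptions about the log format) and renders the one-address-per-line file that @ipMatchFromFile reads, dropping failed logins, IPv6 and RFC1918/loopback addresses so a single internal address can never switch the rule engine off for the whole LAN.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample audit lines (not from any real system). The layout assumes a
# Zimbra-style audit.log where a login attempt carries "cmd=Auth" and the client
# address as "oip=", and a failed attempt adds an "error=" field.
SAMPLE_AUDIT_LOG = """\
2023-04-29 10:01:12,004 INFO [qtp-1] [name=alice@example.com;oip=203.0.113.10;] security - cmd=Auth; account=alice@example.com; protocol=soap;
2023-04-29 10:02:30,118 INFO [qtp-2] [name=bob@example.com;oip=198.51.100.7;] security - cmd=Auth; account=bob@example.com; protocol=imap;
2023-04-29 10:03:05,771 WARN [qtp-3] [name=eve@example.com;oip=192.0.2.99;] security - cmd=Auth; account=eve@example.com; protocol=soap; error=authentication failed for [eve@example.com];
2023-04-29 10:04:41,002 INFO [qtp-4] [name=alice@example.com;oip=203.0.113.10;] security - cmd=Auth; account=alice@example.com; protocol=soap;
2023-04-29 10:05:00,000 INFO [qtp-5] [name=carol@example.com;oip=10.0.0.5;] security - cmd=Auth; account=carol@example.com; protocol=soap;
2023-04-29 10:06:00,000 INFO [qtp-6] [name=dave@example.com;oip=2001:db8::1;] security - cmd=Auth; account=dave@example.com; protocol=soap;
"""

OIP_RE = re.compile(r"oip=([^;\]]+)")

# Ranges that must never reach the whitelist: a single entry here would switch
# the rule engine off for every host on the LAN or for localhost.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def successful_login_ips(log_text, include_private=False):
    """Count IPv4 client addresses seen on successful logins only."""
    hits = Counter()
    for line in log_text.splitlines():
        if "cmd=Auth;" not in line or "error=" in line:
            continue  # not a login event, or a failed one
        m = OIP_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1).strip())
        except ValueError:
            continue  # malformed address: never allowlist it
        if ip.version != 4:
            continue  # the whitelist file in the rules is IPv4-only
        if not include_private and any(ip in net for net in NON_ROUTABLE):
            continue
        hits[str(ip)] += 1
    return hits

def render_whitelist(hits, min_logins=1):
    """One address per line, the format @ipMatchFromFile expects."""
    keep = [ip for ip, n in hits.items() if n >= min_logins]
    return "".join(f"{ip}\n" for ip in sorted(keep, key=ipaddress.IPv4Address))
```

Raising min_logins trades a little coverage for fewer one-off addresses in the file, which keeps the phase:1 match cheap.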