Fighting bad guys with an IPS from scratch

Fighting bad guys with an IPS from scratch

Transcript of Fighting bad guys with an IPS from scratch

Page 1:

Fighting bad guys with an IPS from scratch

Page 2:

Daniel Conde Rodríguez, BS Computer Engineer - PCAE - LFCS

Webhosting Service Operations Team Coordinator

Acens (Telefónica)

@daconde2

www.linkedin.com/in/daniconde

Page 3:

WHO ARE THE BAD GUYS?

Page 4:

WHO ARE THE BAD GUYS? Dimitry (Moskva)

Page 5:

Script Malware

Plugin Wordpress, App Mobile, FIFA 2018

Webservers, Mobiles, PC, IoT

Internet

Target

Page 6:

In common: the IP of the attacker

Script Malware

Plugin Wordpress, App Mobile, FIFA 2018

Webservers, Mobiles, PC, IoT

Internet

Target

Page 7:

TARGETS

VPS, SERVERS, WEBSITES,

CLOUD SERVICES…

A FW IS NOT ENOUGH

Page 8:

Let's fight bad guys! How?

Defense, defense, defense with overall security solutions.

Page 9:

+ IPS (Intrusion Prevention System)

+ Opensource tools

+ Several defense layers

An intrusion detection system (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations.

Events are collected centrally using a security information and event management (SIEM) system.

Systems with response capabilities are typically referred to as an intrusion prevention system (IPS).

Page 10:

TRY TO BLOCK ATTACKS: XSS, CSRF, CRAWLERS, BOTNETS, VULNERABILITY SCANNERS/PLUGINS, SQLi, COOKIE STEALING…

Page 11:

LOGS

203.0.113.1 - - [20/Jun/2018:01:03:45 +0200] "GET api/specific_prices/?display=full&filter%5Bid_product%5D=%5B1344%5D"

Page 12:

INITIAL SCENARIO

Botnet performing a WPSCAN

BOTNET 203.0.113.1

BOTNET 203.0.113.2

BOTNET 203.0.113.3

TARGET 98.51.100.1

Page 13:

REQUEST FLOW

BOTNET

SERVER

HTTP REQUEST

Page 14:

TOOLS

SNORT https://www.snort.org

Alternatives: Bro, Suricata, etc.

IPSET http://ipset.netfilter.org/

IPTABLES https://netfilter.org/

WAF (modsecurity + owasp + comodo)

https://www.modsecurity.org/

https://www.owasp.org/index.php/

https://waf.comodo.com/

GEOIP https://www.maxmind.com/es/geoip2-databases

SCRIPTS (bash, python, perl, ruby, etc.)

ELK STACK https://www.elastic.co/elk-stack

IPTABLES

Page 15:

REQUEST FLOW

BOTNET

SERVER

HTTP REQUEST

Page 16:

SNORT

- Snort is an open-source, free and lightweight NIDS to detect emerging threats

- Linux / Windows

- Thousands of rules updated by the community

- Snort vs Suricata vs Bro

Page 17:

SNORT configuration

Pulledpork, OinkMaster: helper scripts that will automatically download the latest rules for you

Snorby, Base, ELK: GUI for rules and vulnerabilities

./pulledpork.pl -o /usr/local/etc/snort/rules/ -O 1234520334234 -u http://www.snort.org/reg-rules/snortrules-snapshot-2973.tar.gz

Page 18:

SNORT configuration

Page 19:

HW

SNORT

BOTNET

SERVER

HTTP REQUEST

HTTP REQUEST

SNORT

HTTP REQUEST

(PORT MIRROR)

IPS

Page 20:

IPSET

- IP sets are a framework inside the Linux kernel (ipset utility)

- Mass blocking of IP addresses, networks, (TCP/UDP) port numbers, MAC addresses…
  +300.000 IPs / ranges blocked

- IPSET solves IPTABLES limitations:
  High number of rules: slow vs FAST
  Linear evaluation vs SIMPLE EVALUATION
  Changing rules: slow/inefficient vs SIMPLE STORAGE METHOD

- Lightning-fast set matching and blocking speed

Page 21:

IPSET Commands

ipset create blacklist hash:net hashsize 4096 maxelem 40960
ipset create whitelist hash:net hashsize 4096 maxelem 40960
ipset destroy blacklist
ipset add blacklist 203.0.113.1

Chain INPUT (policy ACCEPT)
target         prot opt source               destination
ACCEPT         tcp  --  0.0.0.0/0            0.0.0.0/0            match-set whitelist src
LOG_BLACKLIST  tcp  --  0.0.0.0/0            0.0.0.0/0            match-set blacklist src

Chain LOG_BLACKLIST (1 references)

Page 22:

IPSET SHOW LIST

ipset list blacklist
Name: blacklist
Type: hash:net
Header: family inet hashsize 262144 maxelem 600000 timeout 36000
Size in memory: 211388
References: 1
Members:
203.0.113.1 timeout 3478

Page 23:

HW

IPSET

BOTNET

IPSET

HTTP REQUEST

HTTP REQUEST

SNORT

HTTP REQUEST

(PORT MIRROR)

IPS

Page 24:

IPTABLES

iptables -N LOG_BLACKLIST
iptables -I LOG_BLACKLIST 1 -m limit --limit 30/hour --limit-burst 30 -j LOG --log-prefix "IPBlacklisted: " --log-level 4
iptables -A LOG_BLACKLIST -j DROP

Chain LOG_BLACKLIST (1 references)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 1/min burst 120 LOG flags 0 level 4 prefix "IPTables-Dropped: "
DROP       all  --  0.0.0.0/0            0.0.0.0/0

SCRIPTS > LOGS (/var/log/iptables.log)

Oct 7 10:00:00 server kernel: IPBlacklisted: IN=XXX OUT= MAC=xx:xx:xx SRC=203.0.113.1 DST=OUR_SERVER LEN=XX TOS=0x00 PREC=0x00 TTL=XX ID=XXXX DF PROTO=TCP SPT=XXX DPT=80
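The kernel LOG line above is the raw material the SCRIPTS layer works from. As an added example (not code from the talk), here is a small Python parser for the netfilter LOG format that tallies logged drops per SRC and the destination ports each source hit; the sample lines are constructed in the shape of the slide's line, with documentation-range addresses and placeholder interface, MAC and sshd entries.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample lines in the shape of the slide's kernel LOG line. Addresses are
# documentation ranges; interface name, MAC and the sshd line are placeholders.
SAMPLE_KERNEL_LOG = """\
Oct  7 10:00:00 server kernel: IPBlacklisted: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.1 DST=198.51.100.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1234 DF PROTO=TCP SPT=44321 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Oct  7 10:00:01 server kernel: IPBlacklisted: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.1 DST=198.51.100.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1235 DF PROTO=TCP SPT=44322 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Oct  7 10:00:02 server kernel: IPBlacklisted: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.2 DST=198.51.100.1 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=777 DF PROTO=TCP SPT=51000 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Oct  7 10:00:03 server kernel: IPBlacklisted: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=not-an-ip DST=198.51.100.1 LEN=60 PROTO=TCP SPT=1 DPT=80
Oct  7 10:00:04 server sshd[4242]: Accepted publickey for admin from 192.0.2.10 port 50000 ssh2
"""

# "kernel: <prefix>: KEY=VALUE KEY=VALUE ..." where <prefix> is what --log-prefix set
KERNEL_LOG_RE = re.compile(r"kernel: (?P<prefix>[^:]+): (?P<fields>.*)$")


def parse_kernel_log_line(line):
    """Return the KEY=VALUE fields of one netfilter LOG line as a dict, or None
    if the line is not LOG output. Bare flags such as DF or SYN map to True."""
    m = KERNEL_LOG_RE.search(line)
    if not m:
        return None
    record = {"prefix": m.group("prefix").strip()}
    for token in m.group("fields").split():
        key, sep, value = token.partition("=")
        record[key] = value if sep else True
    return record


def drops_by_source(lines, prefix="IPBlacklisted"):
    """Count logged hits per SRC for lines carrying the given prefix,
    discarding records whose SRC is not a syntactically valid address."""
    counts = Counter()
    for line in lines:
        rec = parse_kernel_log_line(line)
        if not rec or rec["prefix"] != prefix or "SRC" not in rec:
            continue
        try:
            src = ip_address(rec["SRC"])
        except ValueError:
            continue  # a malformed field must never reach a block list
        counts[str(src)] += 1
    return counts


def ports_by_source(lines, prefix="IPBlacklisted"):
    """Map each valid SRC to the sorted list of destination ports it was dropped on."""
    ports = {}
    for line in lines:
        rec = parse_kernel_log_line(line)
        if not rec or rec["prefix"] != prefix or "SRC" not in rec or "DPT" not in rec:
            continue
        try:
            src = str(ip_address(rec["SRC"]))
        except ValueError:
            continue
        ports.setdefault(src, set()).add(int(rec["DPT"]))
    return {src: sorted(p) for src, p in ports.items()}


if __name__ == "__main__":
    lines = SAMPLE_KERNEL_LOG.splitlines()
    port_map = ports_by_source(lines)
    for src, n in drops_by_source(lines).most_common():
        print(f"{src:16} {n:5d} hits  ports={port_map[src]}")
```

Because the LOG rule on the slide is rate-limited (`-m limit --limit 30/hour`), these counts are a lower bound on what the chain actually dropped; for totals read the packet counters from `iptables -nvL LOG_BLACKLIST` or the set itself with `ipset list`.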

Page 25:

HW

IPTABLES

BOTNET

IPSET

IPTABLES

HTTP REQUEST

HTTP REQUEST

SNORT

HTTP REQUEST

(PORT MIRROR)

IPS

Page 26:

MODSECURITY WAF

ModSecurity is a web application firewall working at Layer 7.

- Covers the most critical security risks to web applications

- No code modification required

- Easy to configure

- Flexible custom rules (OWASP, COMODO, ATOMIC)

Page 27:

MODSECURITY LOGS

--9650b61c-A--
[20/Jun/2018:21:07:36 +0200] Wyql@LAcZ84ALHn77WUAAAAr 203.0.113.1 14250 98.51.100.1 80
--9650b61c-B--
GET /app/wordpress/wp-config.php HTTP/1.1
Host: www.myserver.com
Connection: keep-alive
Accept: image/png,image/svg+xml,image/*;q=0.8,video/*;q=0.8,*/*;q=0.5
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
--9650b61c-F--
HTTP/1.1 403 Forbidden
--9650b61c-H--
Message: Access denied with code 403 (phase 1). Matched phrase "SN" at GEO:COUNTRY_CODE. [file "/apache/modsecurity_rules/country_block_geoip.conf"] [line "2"] [msg "IP 203.0.113.1 block Country"]
Action: Intercepted (phase 1)
Producer: ModSecurity for Apache
Server: Apache
Engine-Mode: "ENABLED"

1 RULE, 2 BLOCKING CONDITIONS (WPSCAN+GEOIP)

TAGGED ATTACK

EXEC() ACTION MODSEC

SCRIPT BLOCKS IP IN IPSET

Page 28:

HW

WAF

BOTNET

IPSET

IPTABLES

WAF

GEOIP

HTTP REQUEST

HTTP REQUEST

HTTP REQUEST

(PORT MIRROR) IPS

SNORT BLOCK IP/RANGE/HOST

Page 29:

SCRIPTS

MODSECURITY LOGS

Message: Access denied with code 403 (phase 1). Matched phrase "SN" at GEO:COUNTRY_CODE. [file "/apache/modsecurity_rules/country_block_geoip.conf"] [msg "IP 203.0.113.1 block Country"]

TAGGED ATTACK

EXEC() ACTION MODSEC

SCRIPT BLOCKS IP IN IPSET

#!/usr/bin/lua
-- Run by ModSecurity's exec: action; a script path ending in .lua is executed
-- in-process, which is what makes the m.getvar / m.log API available here.
function main()
    local remote_ip = m.getvar("REMOTE_ADDR")
    -- REMOTE_ADDR is the peer socket address, but validate it anyway before it is
    -- spliced into a shell command line
    if remote_ip == nil or not remote_ip:match("^[%d%.]+$") then
        m.log(1, "LUA block IP: unexpected REMOTE_ADDR, not blocking")
        return nil
    end
    -- -exist: re-adding an address that is already in the set is not an error
    local handle = io.popen("ipset add -exist blacklist " .. remote_ip .. " 2>&1")
    local result = handle:read("*a")
    handle:close()
    -- keep a record of the last blocked address
    local file = io.open("/tmp/lua_output.txt", "w")
    if file then
        file:write(remote_ip .. "\n")
        file:close()
    end
    m.log(1, "LUA block IP exec! " .. remote_ip .. " " .. result)
    return nil
end

MODSECURITY RULE

SecGeoLookupDb /usr/share/GeoIP/GeoIP.dat
# Chain: request for wp-config.php AND client geolocated to country code SN.
# REQUEST_URI is the ModSecurity variable holding the request path.
# The chain starter carries the disruptive action (deny) and the exec: hook
# that runs the script above.
SecRule REQUEST_URI "wp-config.php" "chain,id:11111,phase:1,initcol:ip=%{REMOTE_ADDR},exec:/path/to/your/script,deny,status:403,msg:'IP %{REMOTE_ADDR} block Country'"
    SecRule REMOTE_ADDR "@geoLookup" "chain"
        SecRule GEO:COUNTRY_CODE "@pm SN"
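The Lua script above builds the ipset command by splicing REMOTE_ADDR into a string that a shell then parses. As an added example, not the talk's code, the same "audit log to ipset" step written in Python: it splits a ModSecurity serial audit log into its --txid-letter-- sections, keeps only transactions that were intercepted by rule id 11111, validates the client address with the ipaddress module, refuses addresses in a whitelist range, and hands ipset an argv list so no shell ever sees the value. The audit entries are constructed after the slide's log (documentation-range addresses); the second rule id 99999, the whitelist 192.0.2.0/24 and the 36000-second timeout are assumptions.

```python
import re
import subprocess
from ipaddress import ip_address, ip_network

# Constructed sample in ModSecurity "serial" audit-log format, modelled on the slide's
# entry. Addresses are documentation ranges; rule 99999 is a made-up non-blocking rule.
SAMPLE_AUDIT_LOG = """\
--9650b61c-A--
[20/Jun/2018:21:07:36 +0200] Wyql@LAcZ84ALHn77WUAAAAr 203.0.113.1 14250 198.51.100.1 80
--9650b61c-B--
GET /app/wordpress/wp-config.php HTTP/1.1
Host: www.example.com
--9650b61c-F--
HTTP/1.1 403 Forbidden
--9650b61c-H--
Message: Access denied with code 403 (phase 1). Matched phrase "SN" at GEO:COUNTRY_CODE. [file "/apache/modsecurity_rules/country_block_geoip.conf"] [line "2"] [id "11111"] [msg "IP 203.0.113.1 block Country"]
Action: Intercepted (phase 1)
--9650b61c-Z--

--a1b2c3d4-A--
[20/Jun/2018:21:08:02 +0200] Wyqm1LAcZ84ALHn77WUAAAAs 203.0.113.2 40123 198.51.100.1 80
--a1b2c3d4-H--
Message: Warning. Pattern match "wp-login" at REQUEST_URI. [id "99999"] [msg "login probe"]
--a1b2c3d4-Z--
"""

SECTION_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$", re.MULTILINE)
# Section A: [timestamp] txid client_ip client_port server_ip server_port
SECTION_A_RE = re.compile(r"^\[[^\]]+\]\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)")
RULE_ID_RE = re.compile(r'\[id "(\d+)"\]')

# Constructed: ranges that must never be auto-blocked (admin and monitoring hosts).
WHITELIST = [ip_network("192.0.2.0/24")]


def split_audit_entries(text):
    """Group a serial-format audit log into {txid: {section_letter: body}}."""
    entries = {}
    parts = SECTION_RE.split(text)  # [preamble, txid, letter, body, txid, letter, body, ...]
    for i in range(1, len(parts) - 2, 3):
        txid, letter, body = parts[i], parts[i + 1], parts[i + 2]
        entries.setdefault(txid, {})[letter] = body.strip()
    return entries


def intercepted_clients(text, rule_ids):
    """Yield (client_ip, rule_id) for transactions that one of rule_ids intercepted."""
    wanted = set(rule_ids)
    for sections in split_audit_entries(text).values():
        h = sections.get("H", "")
        if "Action: Intercepted" not in h:
            continue  # a warning-only match is not a block decision
        hit = wanted & set(RULE_ID_RE.findall(h))
        m = SECTION_A_RE.match(sections.get("A", ""))
        if not hit or not m:
            continue
        yield m.group(2), sorted(hit)[0]


def ipset_add_command(client_ip, set_name="blacklist", timeout=36000):
    """Build the ipset argv for one address, or None if it must not be blocked.

    ip_address() rejects anything that is not a plain address, and the argv list
    (no shell) means the value can never become additional commands."""
    addr = ip_address(client_ip)  # raises ValueError on anything that is not an IP
    if addr.is_loopback or addr.is_multicast or any(addr in net for net in WHITELIST):
        return None
    # -exist: re-adding an address already in the set refreshes its timeout instead of failing
    return ["ipset", "add", "-exist", set_name, str(addr), "timeout", str(timeout)]


def block_from_audit_log(text, rule_ids=("11111",), run=False):
    """Return the ipset commands derived from the log; execute them only when run=True."""
    commands = []
    for client_ip, _rule in intercepted_clients(text, rule_ids):
        argv = ipset_add_command(client_ip)
        if argv is None:
            continue
        commands.append(argv)
        if run:
            subprocess.run(argv, check=True)  # needs CAP_NET_ADMIN: root or a scoped sudo rule
    return commands


if __name__ == "__main__":
    for argv in block_from_audit_log(SAMPLE_AUDIT_LOG):
        print(" ".join(argv))
```

Two practical points follow from this. First, ipset needs CAP_NET_ADMIN, so whatever runs the add (this script, or the Lua hook inside Apache) must not run as the web server user with blanket privilege; a sudoers entry restricted to `ipset add blacklist` is the usual compromise. Second, the whitelist check mirrors the slide's INPUT chain, where the whitelist ACCEPT rule sits before the blacklist jump: keeping the same exemptions at insert time prevents an admin address from ever landing in the set at all.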

Page 30:

HW

SCRIPTS

BOTNET

IPSET

IPTABLES

WAF

GEOIP

HTTP REQUEST

HTTP REQUEST

HTTP REQUEST

(PORT MIRROR) IPS

LOGS

SCRIPTS

SNORT BLOCK IP/RANGE/HOST

Page 31:

ELK

"ELK" is the acronym for three open source projects:

Elasticsearch is a search and analytics engine.

Logstash is a server-side data processing pipeline that ingests data from multiple sources simultaneously, transforms it, and then sends it to a "stash" like Elasticsearch.

Kibana lets users visualize data in Elasticsearch with charts and graphs.

Page 32:

ELK

Page 33:

ELK

SNORT TOP ATTACKS 1 DAY

87128 SYN Port Scan

34685 BitTorrent Meta-Info Retrieving

29371 Wordpress wp-login.php Login Attempt

27273 Microsoft Windows RDP Server

17086 Mercury Mail IMAP Command Buffer Overflow

15310 Password Brute Force

12440 Windows SMB Remote Code Execution Vulnerability

7693 Possible HTTP DoS Attack with Invalid HTML Page Access

7460 SQL Injection - Exploit II

7219 Exim Buffer Overflow (CVE-2018-6789)

6999 Drupal Remote Code Execution (CVE-2018-7600)

6866 Monero Mining Possible ADB.Miner Worm Activity Detected

Page 34:

HW

IPS

BOTNET

IPSET

IPTABLES

WAF

GEOIP

HTTP REQUEST

HTTP REQUEST

HTTP REQUEST

(PORT MIRROR) IPS

LOGS

ELK SCRIPTS

SNORT BLOCK IP/RANGE/HOST

PARSED DATA

Page 35:

INITIAL SCENARIO

Botnet performing a WPSCAN

BOTNET 203.0.113.1

BOTNET 203.0.113.2

BOTNET 203.0.113.3

TARGET 98.51.100.1

GOOD LUCK DIMITRY !!! I'M BEHIND 7 PROXIES AND 1 IPS

Page 36:

Fighting bad guys with an IPS from scratch

Daniel Conde Rodriguez

EuskalHack Security Congress III 2018

THANK YOU !!!