The Naughty Step
Marek Isalski — @maznu
Faelix Limited — https://faelix.net/
ssh
SMTP IMAP POP
VOIP
Drupal
WordPress
That is one big pile of shit!
The Shit Pit
The Naughty Step
PushDo virus cover traffic: sending 2 kbytes with POST / HTTP/1.0 and opening a connection to TCP port 25
“Security is hard.”
– every infosec professional ever
[Architecture diagram, built up across several slides; labels in order of first appearance: WWW, Cat GIF Blog, "make DJT root again!", apache logs, fail2ban, Edge Router, slurry, AMQP, spreader, "passwords are hard", DNS RBL, badips.com, VIPs, fastnetmon, snort, IPv6]
fastnetmon? NetMcr #2!
snort? NetMcr #???
bots = smart
Typical day of traffic in the shitpit: spike of traffic, bot realises, moves on.
bots = dumb
Last 90 days, showing some ongoing, persistent attackers.
Show me the code!
:-( ... :-) soon?
Check these out!
• fail2ban = tail log files, filter them, perform actions
• fastnetmon = am I being DDoSed? uses NetFlow/etc
• portsentry = am I being portscanned?
• mod_security + OWASP = Web Application Firewall
• snort = intrusion detection system
• MikroTik MUM London 2016-11-14 (Monday!)
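The fail2ban-style "tail, filter, act" step feeding the VIP allowlist and DNS RBL from the diagram, as an added example that is not code from the talk or from Faelix: it runs a failregex over constructed Apache log lines, bans hosts at the maxretry threshold unless they sit in a VIP range, and emits RBL records. The regex, the VIP ranges and the zone name are assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample of Apache combined-format log lines (documentation IPs, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [14/Nov/2016:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Nov/2016:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Nov/2016:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
198.51.100.9 - - [14/Nov/2016:10:00:04 +0000] "POST / HTTP/1.0" 404 209 "-" "-"
198.51.100.9 - - [14/Nov/2016:10:00:05 +0000] "POST / HTTP/1.0" 404 209 "-" "-"
198.51.100.9 - - [14/Nov/2016:10:00:06 +0000] "POST / HTTP/1.0" 404 209 "-" "-"
192.0.2.5 - - [14/Nov/2016:10:00:07 +0000] "GET /cat.gif HTTP/1.1" 200 51200 "-" "Mozilla/5.0"
10.0.0.3 - - [14/Nov/2016:10:00:08 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "curl/7.0"
10.0.0.3 - - [14/Nov/2016:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "curl/7.0"
10.0.0.3 - - [14/Nov/2016:10:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "curl/7.0"
"""

# Assumed failregex in fail2ban style (<HOST> = client IP): the honeypot has no real
# WordPress, so any login POST is hostile; "POST / HTTP/1.0" is the PushDo cover traffic.
FAILREGEX = re.compile(
    r'^(?P<HOST>\S+) \S+ \S+ \[[^\]]+\] "POST (?:/wp-login\.php|/xmlrpc\.php|/) HTTP/1\.[01]"'
)
MAXRETRY = 3  # same default threshold as fail2ban
VIPS = [ip_network("10.0.0.0/8")]  # assumed "VIP" ranges that must never be banned


def matches(line):
    """Return the offending host for a line that matches FAILREGEX, else None."""
    m = FAILREGEX.match(line)
    return m.group("HOST") if m else None


def find_offenders(log_text, maxretry=MAXRETRY, vips=VIPS):
    """Hosts with at least maxretry matching lines, minus any inside a VIP range."""
    hits = Counter(h for h in map(matches, log_text.splitlines()) if h)
    return sorted(
        h for h, n in hits.items()
        if n >= maxretry and not any(ip_address(h) in net for net in vips)
    )


def rbl_record(host, zone="naughty.example"):
    """DNS RBL record: octets reversed under the zone, 127.0.0.2 meaning 'listed' (zone is made up)."""
    rev = ".".join(reversed(host.split(".")))
    return f"{rev}.{zone}. IN A 127.0.0.2"


if __name__ == "__main__":
    for host in find_offenders(SAMPLE_LOG):
        print(rbl_record(host))
```

The allowlist check runs after counting, so a VIP range that trips the threshold is still never exported to the edge router or the RBL.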
Q?
E: [email protected]
T: @maznu