Fighting bad guys with an IPS from scratch
Daniel Conde Rodríguez BS Computer Engineer – PCAE - LFCS
Webhosting Service Operations Team Coordinator
Acens (Telefónica)
@daconde2
www.linkedin.com/in/daniconde
WHO ARE BAD GUYS?
WHO ARE BAD GUYS? Dimitry (Moskva)
Diagram: a script or malware (a WordPress plugin, a mobile app, "FIFA 2018") compromises webservers, mobiles, PCs and IoT devices, which reach the target over the Internet.
Diagram (same as the previous slide). What they all have in common: the IP address of the attacker.
TARGETS
VPS, SERVERS, WEBSITES, CLOUD SERVICES…
A FW IS NOT ENOUGH
Let's fight bad guys! How?
Defense, defense, defense with overall security solutions.
+ IPS (Intrusion Prevention System)
+ Opensource tools
+ Several defense layers
An intrusion detection system (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations.
Events are collected centrally using a security information and event management (SIEM) system.
Systems with response capabilities are typically referred to as an intrusion prevention system (IPS).
TRY TO BLOCK ATTACKS
XSS, CSRF, CRAWLERS, BOTNETS, BOTNETS, VULNERABILITY SCANNERS/PLUGINS, SQLi, COOKIE STEALING…
LOGS
203.0.113.1 - - [20/Jun/2018:01:03:45 +0200] "GET api/specific_prices/?display=full&filter%5Bid_product%5D=%5B1344%5D"
INITIAL SCENARIO
Botnet performing a WPSCAN
Diagram: three BOTNET nodes (203.0.113.1, 203.0.113.2, 203.0.113.3) scanning the TARGET 98.51.100.1.
REQUEST FLOW
Diagram: BOTNET --HTTP REQUEST--> SERVER
TOOLS
- SNORT https://www.snort.org (alternatives: Bro, Suricata, etc.)
- IPSET http://ipset.netfilter.org/
- IPTABLES https://netfilter.org/
- WAF (ModSecurity + OWASP + Comodo)
  https://www.modsecurity.org/
  https://www.owasp.org/index.php/
  https://waf.comodo.com/
- GEOIP https://www.maxmind.com/es/geoip2-databases
- SCRIPTS (bash, python, perl, ruby, etc.)
- ELK STACK https://www.elastic.co/elk-stack
SNORT
- Snort is an open-source, free and lightweight NIDS that detects emerging threats
- Linux / Windows
- Thousands of rules updated by the community
- Snort vs Suricata vs Bro
SNORT configuration
- Pulledpork, OinkMaster: helper scripts that will automatically download the latest rules for you
- Snorby, Base, ELK: GUI for rules and vulnerabilities
./pulledpork.pl -o /usr/local/etc/snort/rules/ -O 1234520334234 -u http://www.snort.org/reg-rules/snortrules-snapshot-2973.tar.gz
SNORT configuration
Diagram (HW: SNORT): BOTNET --HTTP REQUEST--> SERVER; a copy of the HTTP request reaches SNORT through a port mirror, which feeds the IPS.
IPSET
- IP sets are a framework inside the Linux kernel (ipset utility)
- Mass blocking of IP addresses, networks, (TCP/UDP) port numbers, MAC addresses…
- +300.000 IPs / ranges blocked
- IPSET solves IPTABLES limitations:
  - High number of rules: slow vs FAST
  - Linear evaluation vs SIMPLE EVALUATION
  - Changing rules: slow/inefficient vs SIMPLE STORAGE METHOD
- Lightning-fast set matching and blocking speed
IPSET Commands
ipset create blacklist hash:net hashsize 4096 maxelem 40960
ipset create whitelist hash:net hashsize 4096 maxelem 40960
ipset destroy blacklist
ipset add blacklist 203.0.113.1

Chain INPUT (policy ACCEPT)
target         prot opt source      destination
ACCEPT         tcp  --  0.0.0.0/0   0.0.0.0/0    match-set whitelist src
LOG_BLACKLIST  tcp  --  0.0.0.0/0   0.0.0.0/0    match-set blacklist src

Chain LOG_BLACKLIST (1 references)
IPSET SHOW LIST
ipset list blacklist
Name: blacklist
Type: hash:net
Header: family inet hashsize 262144 maxelem 600000 timeout 36000
Size in memory: 211388
References: 1
Members:
203.0.113.1 timeout 3478
Diagram (HW: IPSET): the HTTP request from the BOTNET now hits IPSET in front of the server; a copy of the request still reaches SNORT through the port mirror (IPS).
IPTABLES
iptables -N LOG_BLACKLIST
iptables -I LOG_BLACKLIST 1 -m limit --limit 30/hour --limit-burst 30 -j LOG --log-prefix "IPBlacklisted: " --log-level 4
iptables -A LOG_BLACKLIST -j DROP

Chain LOG_BLACKLIST (1 references)
target  prot opt source      destination
LOG     all  --  0.0.0.0/0   0.0.0.0/0    limit: avg 1/min burst 120 LOG flags 0 level 4 prefix "IPTables-Dropped: "
DROP    all  --  0.0.0.0/0   0.0.0.0/0

SCRIPTS > LOGS (/var/log/iptables.log)
Oct 7 10:00:00 server kernel: IPBlacklisted: IN=XXX OUT= MAC=xx:xx:xx SRC=203.0.113.1 DST=OUR_SERVER LEN=XX TOS=0x00 PREC=0x00 TTL=XX ID=XXXX DF PROTO=TCP SPT=XXX DPT=80
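An added example (not one of the talk's scripts) of the parsing step that sits between /var/log/iptables.log and ELK: it turns the LOG_BLACKLIST lines above into flat events and counts the dropped sources. The log lines are constructed for the example, with documentation-range addresses.

```python
import re
from collections import Counter

# Constructed sample of /var/log/iptables.log lines as written by the
# LOG_BLACKLIST chain (prefix "IPBlacklisted: "); not real traffic.
# The last line is unrelated syslog noise that the parser must skip.
SAMPLE_LOG = """\
Oct  7 10:00:00 server kernel: IPBlacklisted: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.1 DST=198.51.100.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1234 DF PROTO=TCP SPT=44321 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Oct  7 10:00:01 server kernel: IPBlacklisted: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.2 DST=198.51.100.1 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=4321 DF PROTO=TCP SPT=51000 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Oct  7 10:00:02 server kernel: IPBlacklisted: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.1 DST=198.51.100.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1235 DF PROTO=TCP SPT=44322 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Oct  7 10:00:03 server sshd[4242]: Accepted publickey for admin from 192.0.2.10 port 50000
"""

# syslog header, then the LOG target's prefix, then the KEY=value fields
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: "
    r"IPBlacklisted: (?P<fields>.*)$"
)
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_line(line):
    """Return a flat event dict for one LOG_BLACKLIST line, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    return {
        "ts": m.group("ts"),
        "host": m.group("host"),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "dpt": int(fields["DPT"]) if fields.get("DPT", "").isdigit() else None,
        # bare tokens such as DF or SYN carry no "=" and are TCP/IP flags
        "flags": [t for t in m.group("fields").split() if "=" not in t],
    }


def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e]


def top_sources(events, n=10):
    """Most frequently dropped sources (a Kibana 'top N' panel). Because the LOG
    rule is rate-limited (30/hour), this is a lower bound on dropped packets."""
    return Counter(e["src"] for e in events).most_common(n)


def ports_hit(events):
    """(protocol, destination port) pairs the blacklisted hosts kept probing."""
    return Counter((e["proto"], e["dpt"]) for e in events)
```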
Diagram (HW: IPTABLES): BOTNET --HTTP REQUEST--> IPSET -> IPTABLES -> server; a copy of the request still reaches SNORT through the port mirror (IPS).
MODSECURITY WAF
ModSecurity is a web application firewall working at Layer 7.
- Covers the most critical security risks to web applications
- No code modification required
- Easy to configure
- Flexible custom rules (OWASP, COMODO, ATOMIC)
MODSECURITY LOGS
--9650b61c-A--
[20/Jun/2018:21:07:36 +0200] Wyql@LAcZ84ALHn77WUAAAAr 203.0.113.1 14250 98.51.100.1 80
--9650b61c-B--
GET /app/wordpress/wp-config.php HTTP/1.1
Host: www.myserver.com
Connection: keep-alive
Accept: image/png,image/svg+xml,image/*;q=0.8,video/*;q=0.8,*/*;q=0.5
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
--9650b61c-F--
HTTP/1.1 403 Forbidden
--9650b61c-H--
Message: Access denied with code 403 (phase 1). Matched phrase "SN" at GEO:COUNTRY_CODE. [file "/apache/modsecurity_rules/country_block_geoip.conf"] [line "2"] [msg "IP 203.0.113.1 block Country"]
Action: Intercepted (phase 1)
Producer: ModSecurity for Apache
Server: Apache
Engine-Mode: "ENABLED"

Flow shown on the slide: 1 RULE with 2 BLOCKING CONDITIONS (WPSCAN + GEOIP) -> TAGGED ATTACK -> EXEC() ACTION in ModSecurity -> SCRIPT BLOCKS IP IN IPSET
Diagram (HW: WAF): BOTNET --HTTP REQUEST--> IPSET -> IPTABLES -> WAF (+ GEOIP) -> server; a copy of the request reaches SNORT through the port mirror (IPS), and SNORT BLOCKS IP/RANGE/HOST.
SCRIPTS
MODSECURITY LOGS (excerpt):
Message: Access denied with code 403 (phase 1). Matched phrase "SN" at GEO:COUNTRY_CODE. [file "/apache/modsecurity_rules/country_block_geoip.conf"] [msg "IP 203.0.113.1 block Country"]
Flow: TAGGED ATTACK -> EXEC() ACTION in ModSecurity -> SCRIPT BLOCKS IP IN IPSET

Lua script run by the exec action:
#!/usr/bin/lua
-- ModSecurity exec script: add the client address to the ipset blacklist
function main()
    local remote_ip = m.getvar("REMOTE_ADDR");
    -- only accept a dotted quad; never hand an unchecked value to a shell
    if remote_ip == nil or not remote_ip:match("^%d+%.%d+%.%d+%.%d+$") then
        m.log(1, "LUA block IP: invalid REMOTE_ADDR");
        return;
    end
    -- concatenate the variable into the command (not the literal text "remote_ip")
    local handle = io.popen("ipset add blacklist " .. remote_ip)
    handle:close()
    local file = io.open('/tmp/lua_output.txt', 'a')
    file:write(remote_ip .. "\n")
    file:close()
    m.log(1, "LUA block IP exec!");
end

MODSECURITY RULE
SecGeoLookupDb /usr/share/GeoIP/GeoIP.dat
SecRule REQUEST_URI "wp-config.php" "chain,id:11111,phase:1,initcol:ip=%{REMOTE_ADDR},exec:/path/to/your/script,deny,status:403,msg:'IP %{REMOTE_ADDR} block Country'"
    SecRule REMOTE_ADDR "@geoLookup" "chain"
    SecRule GEO:COUNTRY_CODE "@pm SN"
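A stand-alone Python version of the exec script's job, added here as an example (it is not the talk's code): it validates REMOTE_ADDR before passing it to ipset as a single argv element, refuses internal and whitelisted ranges, and uses the slide's set name and timeout. It assumes the address arrives as the first command-line argument and that the blacklist set already exists; the NEVER_BLOCK ranges beyond RFC 1918 are constructed.

```python
import ipaddress
import subprocess
import sys

BLACKLIST_SET = "blacklist"   # set name as created on the IPSET slide
BLOCK_TIMEOUT = 36000         # seconds; the default timeout in the slide's set header

# Ranges that must never be blocked. RFC 1918 is listed explicitly because
# ipaddress.is_private also flags the documentation ranges (203.0.113.0/24)
# used throughout these slides. 192.0.2.0/24 stands in for constructed
# monitoring / office egress addresses (example only).
NEVER_BLOCK = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "192.0.2.0/24")]


def validate_remote_addr(remote_addr):
    """Return the normalised IPv4 address to block, or None if it must not be blocked."""
    try:
        ip = ipaddress.ip_address(remote_addr.strip())
    except ValueError:
        return None   # not an address at all: never forward it to ipset
    if ip.version != 4:
        return None   # the slide's hash:net set is 'family inet' (IPv4 only)
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified:
        return None   # our own host or nonsense sources
    if any(ip in net for net in NEVER_BLOCK):
        return None
    return str(ip)


def ipset_add_argv(ip, timeout=BLOCK_TIMEOUT):
    # argv list, no shell: the address is one argument and cannot be reinterpreted;
    # -exist makes a repeated block of the same address a no-op instead of an error
    return ["ipset", "-exist", "add", BLACKLIST_SET, ip, "timeout", str(timeout)]


def block(remote_addr, run=subprocess.run):
    """Block one address; returns the argv that was run, or None when nothing ran."""
    ip = validate_remote_addr(remote_addr)
    if ip is None:
        return None
    argv = ipset_add_argv(ip)
    run(argv, check=True)
    return argv


if __name__ == "__main__":
    # usage: block_ip.py <REMOTE_ADDR>   (run as a user allowed to modify the set)
    sys.exit(0 if block(sys.argv[1]) else 1)
```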
Diagram (HW: SCRIPTS): BOTNET --HTTP REQUEST--> IPSET -> IPTABLES -> WAF (+ GEOIP) -> server; LOGS feed SCRIPTS that block; a copy of the request reaches SNORT through the port mirror (IPS), and SNORT BLOCKS IP/RANGE/HOST.
ELK
"ELK" is the acronym for three open source projects:
- Elasticsearch is a search and analytics engine.
- Logstash is a server-side data processing pipeline that ingests data from multiple sources simultaneously, transforms it, and then sends it to a "stash" like Elasticsearch.
- Kibana lets users visualize the data in Elasticsearch with charts and graphs.
ELK
ELK
SNORT TOP ATTACKS (1 DAY)
87128 SYN Port Scan
34685 BitTorrent Meta-Info Retrieving
29371 WordPress wp-login.php Login Attempt
27273 Microsoft Windows RDP Server
17086 Mercury Mail IMAP Command Buffer Overflow
15310 Password Brute Force
12440 Windows SMB Remote Code Execution Vulnerability
7693 Possible HTTP DoS Attack with Invalid HTML Page Access
7460 SQL Injection - Exploit II
7219 Exim Buffer Overflow (CVE-2018-6789)
6999 Drupal Remote Code Execution (CVE-2018-7600)
6866 Monero Mining Possible ADB.Miner Worm Activity Detected
Diagram (HW: IPS, complete): BOTNET --HTTP REQUEST--> IPSET -> IPTABLES -> WAF (+ GEOIP) -> server; LOGS feed SCRIPTS and, as PARSED DATA, ELK; a copy of the request reaches SNORT through the port mirror (IPS), and SNORT BLOCKS IP/RANGE/HOST.
INITIAL SCENARIO
Botnet performing a WPSCAN
Diagram: three BOTNET nodes (203.0.113.1, 203.0.113.2, 203.0.113.3) scanning the TARGET 98.51.100.1.
GOOD LUCK DIMITRY !!! I'M BEHIND 7 PROXIES AND 1 IPS
Fighting bad guys with an IPS from scratch
Daniel Conde Rodríguez
EuskalHack Security Congress III 2018
THANK YOU !!!