firewall


  • These are my mod_evasive settings:
     
    LoadModule evasive20_module     /usr/lib/apache2/mod_evasive20.so
    <IfModule mod_evasive20.c>
      DOSHashTableSize 3097
      DOSPageCount 5
      DOSSiteCount 100
      DOSPageInterval 2
      DOSSiteInterval 2
      DOSBlockingPeriod 600
      # replace with your own address
      DOSEmailNotify admin@example.com
    </IfModule>

    And here is a short documentation of these settings that I forgot to add in the previous article:

    • DOSHashTableSize: the size of the hash table of URL and IP combined. The greater this setting, the more memory is required for the lookup table, but the faster the lookups are processed. This option is automatically rounded up to the nearest prime number.
    • DOSPageCount: the number of requests for the same page from the same IP during an interval that will cause that IP to be added to the block list.
    • DOSSiteCount: the number of pages of a site requested by the same IP during an interval that will cause that IP to be added to the block list.
    • DOSPageInterval: the interval, in seconds, for the 'DOSPageCount' threshold.
    • DOSSiteInterval: the interval, in seconds, for the 'DOSSiteCount' threshold.
    • DOSBlockingPeriod: the time, in seconds, that the IP stays blacklisted.
    • DOSEmailNotify: can be used to send a notification email every time an IP is blocked.
    • DOSSystemCommand: the command executed when an IP is blocked. It can be used to block the IP at a firewall or router.
    • DOSWhiteList: can be used to whitelist IPs such as 127.0.0.1.
    So if anybody requests the same page of my homepage 5 times in less than 2 seconds, they will get blacklisted.
    If anybody makes more than 100 requests to my homepage in less than 2 seconds, they will get blacklisted.
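    To see how these DOS* settings interact, here is a simplified model of the mod_evasive detection logic written for this article as an added example (it is not the module's code, and the real module's counting and hash table handling differ in detail). The `on_block` hook stands in for DOSSystemCommand / DOSEmailNotify, and the traffic in the `__main__` block is constructed.

```python
"""Simplified model of mod_evasive's detection logic (added example, not the module's code).

Two counters per client, matching the DOS* settings above:
  (ip, uri) -> hits within DOSPageInterval, limit DOSPageCount
  ip        -> hits within DOSSiteInterval, limit DOSSiteCount
An IP that exceeds either limit is held for DOSBlockingPeriod seconds; every
request it makes while held is answered 403 and renews the hold.
"""


class EvasiveSim:
    def __init__(self, page_count=5, site_count=100, page_interval=2,
                 site_interval=2, blocking_period=600, whitelist=(),
                 on_block=None):
        self.page_count, self.page_interval = page_count, page_interval
        self.site_count, self.site_interval = site_count, site_interval
        self.blocking_period = blocking_period
        self.whitelist = set(whitelist)   # DOSWhiteList
        self.on_block = on_block          # stands in for DOSSystemCommand / DOSEmailNotify
        self.held = {}                    # ip -> time of the last denied request
        self.counters = {}                # key -> [window start, hits in window]

    def _over_limit(self, key, now, interval, limit):
        start, hits = self.counters.get(key, (now, 0))
        if now - start >= interval:       # window expired: start a fresh one
            start, hits = now, 0
        hits += 1
        self.counters[key] = [start, hits]
        return hits > limit

    def request(self, ip, uri, now):
        """Return the status mod_evasive would give this request: 200 or 403."""
        if ip in self.whitelist:
            return 200
        if ip in self.held:
            if now - self.held[ip] < self.blocking_period:
                self.held[ip] = now       # still held: the hold is renewed
                return 403
            del self.held[ip]             # hold expired
        page_hit = self._over_limit((ip, uri), now, self.page_interval, self.page_count)
        site_hit = self._over_limit(ip, now, self.site_interval, self.site_count)
        if page_hit or site_hit:
            self.held[ip] = now
            if self.on_block:
                self.on_block(ip)
            return 403
        return 200


def first_denied(sim, ip, uri, n, spacing):
    """Send n requests `spacing` seconds apart; 1-based index of the first 403, or None."""
    for i in range(n):
        if sim.request(ip, uri, i * spacing) == 403:
            return i + 1
    return None


if __name__ == "__main__":
    blocked = []
    sim = EvasiveSim(on_block=blocked.append)
    # Constructed traffic: 20 hits on the same page 0.1 s apart, like a scripted flood
    print(first_denied(sim, "192.0.2.10", "/", 20, 0.1), blocked)   # 6 ['192.0.2.10']
    # A visitor reloading once per second never trips DOSPageCount 5 / DOSPageInterval 2
    print(first_denied(EvasiveSim(), "192.0.2.11", "/", 20, 1.0))   # None
```

    Note that a blocked client which keeps retrying renews its hold on every request, so it only leaves the block list after staying silent for DOSBlockingPeriod seconds.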
        
    In less than a week, the following bots got blacklisted.


  • ModSecurity is an open source intrusion detection and prevention engine for web applications (or a web application firewall). Operating as an Apache Web server module or standalone, the purpose of ModSecurity is to increase web application security, protecting web applications from known and unknown attacks. (from http://www.modsecurity.org/)
     
    Installing mod_security as a DSO is easier, and the procedure is the same for both Apache branches. First unpack the distribution somewhere (anywhere will do; I copy the .c files into my home directory),

    # cd
    # wget http://www.modsecurity.org/download/mod_security-1.9.4.tar.gz
    # tar -zxvf mod_security-1.9.4.tar.gz
    # cd mod_security-1.9.4/apache2

    and compile the module with (Apache 1 or Apache 2):

    Apache 1:  # /usr/local/psa/admin/bin/apxs -cia ~/mod_security.c
    Apache 2:  # /usr/sbin/apxs2 -cia ~/mod_security.c

    The first problem that may occur is the absence of:
    • Gcc: The GNU Compiler Collection (usually shortened to GCC) is a set of programming language compilers produced by the GNU Project. It is free software distributed by the Free Software Foundation (FSF) under the GNU GPL, and is a key component of the GNU toolchain. It is the standard compiler for the open source Unix-like operating systems, and certain proprietary operating systems derived therefrom such as Mac OS X. [WikiPedia]
    • apache-dev: contains the apxs tool and the Apache headers required to compile a module.
    Both can be installed via YaST2...

    Tip: if your apxs2 is not at the path used above, you can search for it with: # find / -name apxs2

    # /usr/sbin/apxs2  -cia ~/mod_security.c
    /usr/share/apache2/build/libtool --silent --mode=compile gcc -prefer-pic -O2 -march=i586 -mcpu=i686 -fmessage-length=0 -Wall -g -fPIC -Wall -fno-strict-aliasing -D_LARGEFILE_SOURCE -DAP_HAVE_DESIGNATED_INITIALIZER -DLINUX=2 -D_REENTRANT -D_XOPEN_SOURCE=500 -D_BSD_SOURCE -D_SVID_SOURCE -D_GNU_SOURCE -DAP_DEBUG -Wmissing-prototypes -Wstrict-prototypes -Wmissing-declarations -pthread -I/usr/include/apache2  -I/usr/include/apache2   -I/usr/include/apache2   -c -o /root/mod_security.lo /root/mod_security.c && touch /root/mod_security.slo
    /usr/share/apache2/build/libtool --silent --mode=link gcc -o /root/mod_security.la  -rpath /usr/lib/apache2 -module -avoid-version    /root/mod_security.lo
    /usr/share/apache2/build/instdso.sh SH_LIBTOOL='/usr/share/apache2/build/libtool' /root/mod_security.la /usr/lib/apache2
    /usr/share/apache2/build/libtool --mode=install cp /root/mod_security.la /usr/lib/apache2/
    cp /root/.libs/mod_security.so /usr/lib/apache2/mod_security.so
    cp /root/.libs/mod_security.lai /usr/lib/apache2/mod_security.la
    cp /root/.libs/mod_security.a /usr/lib/apache2/mod_security.a
    ranlib /usr/lib/apache2/mod_security.a
    chmod 644 /usr/lib/apache2/mod_security.a
    PATH="$PATH:/sbin" ldconfig -n /usr/lib/apache2
    ----------------------------------------------------------------------
    Libraries have been installed in:
       /usr/lib/apache2

    If you ever happen to want to link against installed libraries
    in a given directory, LIBDIR, you must either use libtool, and
    specify the full pathname of the library, or use the `-LLIBDIR'
    flag during linking and do at least one of the following:
       - add LIBDIR to the `LD_LIBRARY_PATH' environment variable
         during execution
       - add LIBDIR to the `LD_RUN_PATH' environment variable
         during linking
       - use the `-Wl,--rpath -Wl,LIBDIR' linker flag
       - have your system administrator add LIBDIR to `/etc/ld.so.conf'

    See any operating system documentation about shared libraries for
    more information, such as the ld(1) and ld.so(8) manual pages.
    ----------------------------------------------------------------------
    chmod 755 /usr/lib/apache2/mod_security.so
    apxs:Error: Config file /etc/apache2/httpd2-prefork.conf not found.

    Do not worry about the apxs error on the last line: the resulting shared library (mod_security.so) has already been copied into /usr/lib/apache2.

    Then copy the desired rule set (modsecurity-general.conf or modsecurity-php.conf) into /etc/apache2.

    Edit /etc/apache2/httpd.conf and add the following lines at the end of the file. It is also recommended to use the rules from www.GotRoot.com.

    LoadModule security_module /usr/lib/apache2/mod_security.so
    SecFilterEngine On
    Include /etc/apache2/modsecurity_rules/modsecurity-general.conf
    Include /etc/apache2/modsecurity_rules/modsecurity-hardening.conf

    The following rule set is found at http://www.gotroot.com/tiki-index.php?page=mod_security+rules
    Include /etc/apache2/modsecurity_rules/gotroot/apache2-rules.conf
    Include /etc/apache2/modsecurity_rules/gotroot/badips.conf
    Include /etc/apache2/modsecurity_rules/gotroot/blacklist2.conf
    Include /etc/apache2/modsecurity_rules/gotroot/blacklist.conf
    Include /etc/apache2/modsecurity_rules/gotroot/exclude.conf
    Include /etc/apache2/modsecurity_rules/gotroot/jitp.conf
    Include /etc/apache2/modsecurity_rules/gotroot/proxy.conf
    Include /etc/apache2/modsecurity_rules/gotroot/recons.conf
    Include /etc/apache2/modsecurity_rules/gotroot/rootkits.conf
    Include /etc/apache2/modsecurity_rules/gotroot/rules.conf
    Include /etc/apache2/modsecurity_rules/gotroot/useragents.conf

    BUT be careful with modsecurity-hardening.conf:
    1. This file has to be tuned for your server: log file locations, advanced rule sets; read it carefully and uncomment the TODO entries if needed.
    2. By default mod_security is in learning mode: it logs the request and lets it pass through (line SecFilterDefaultAction "pass,log"). As soon as you have a good rule set, SecFilterDefaultAction "deny,log,status:500" is recommended.
    Restart Apache2 by typing
    # /etc/init.d/apache2 restart

    Now it is time to check if mod_security is running:

    # tail -f /var/log/apache2/error_log
    [Mon Aug 21 18:43:38 2006] [notice] Apache/2.0.53 (Linux/SUSE) configured -- resuming normal operations
    [Mon Aug 21 19:01:56 2006] [notice] caught SIGTERM, shutting down
    [Mon Aug 21 19:01:57 2006] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
    [Mon Aug 21 19:01:57 2006] [warn] RSA server certificate CommonName (CN) `h790663.serverkompetenz.net' does NOT match server name!?
    [Mon Aug 21 19:01:57 2006] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
    [Mon Aug 21 19:01:57 2006] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec2)
    [Mon Aug 21 19:01:57 2006] [notice] mod_security/1.9.4 configured
    [Mon Aug 21 19:01:57 2006] [warn] RSA server certificate CommonName (CN) `h790663.serverkompetenz.net' does NOT match server name!?
    [Mon Aug 21 19:01:57 2006] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
    [Mon Aug 21 19:01:57 2006] [notice] Apache/2.0.53 (Linux/SUSE) configured -- resuming normal operations

  • CSF: A Stateful Packet Inspection (SPI) firewall, Login/Intrusion Detection and Security application for Linux servers. It easily replaces APF (Advanced Policy Firewall) and BFD (Brute Force Detection). It also runs 28 basic but non-obvious checks...

    CSF has a lot of functionality and two nice features: it can block traffic from well-known spammer networks
    using the DShield Block List and the Spamhaus DROP List.

    • Straight-forward SPI iptables firewall script
    • Daemon process that checks for login authentication failures for:
      • courier imap and pop3
      • ssh
      • non-ssl cpanel / whm / webmail (cPanel servers only)
      • pure-ftpd
      • password protected web pages (htpasswd)
      • mod_security failures
    • POP3/IMAP login tracking to enforce logins per hour
    • SSH login notification
    • SU login notification
    • Excessive connection blocking
    • WHM configuration interface (cPanel servers only) or through Webmin
    • WHM iptables report log (cPanel servers only)
    • Easy upgrade between versions from within WHM (cPanel servers only) or through Webmin
    • Easy upgrade between versions from shell
    • A standard Webmin Module to configure csf is included in the distribution ready to install into Webmin - csfwebmin.tgz
    • Pre-configured to work on a cPanel server with all the standard cPanel ports open (cPanel servers only)
    • Auto-configures the SSH port if it's non-standard on installation
    • Block traffic on unused server IP addresses - helps reduce the risk to your server
    • Alert when end-user scripts sending excessive emails per hour - for identifying spamming scripts
    • Suspicious process reporting - reports potential exploits running on the server
    • Excessive user processes reporting
    • Excessive user process usage reporting and optional termination
    • Suspicious file reporting - reports potential exploit files in /tmp and similar directories
    • Directory and file watching - reports if a watched directory or a file changes
    • Block traffic on the DShield Block List and the Spamhaus DROP List
    • Pre-configured settings for Low, Medium or High firewall security (cPanel servers only)
    • Works with multiple ethernet devices
    • Server Security Check - Performs a basic security and settings check on the server (cPanel servers only)
    • Allow Dynamic DNS IP addresses - always allow your IP address even if it changes whenever you connect to the internet
    • Alert sent if server load average remains high for a specified length of time
    • mod_security log reporting (if installed)
    • Email relay tracking - tracks all email sent through the server and issues alerts for excessive usage (cPanel servers only)
    • IDS (Intrusion Detection System) - the last line of detection alerts you to changes to system and application binaries

    Installation is straightforward:

    # wget http://www.configserver.com/free/csf.tgz
    # tar xvf csf.tgz
    # cd csf
    # ./install.sh

    Note all the ports displayed after the installation; these are the ports already in use on your system (UDP and TCP, in and out).
    Review the config file by editing:

    # vi /etc/csf/csf.conf

    and add at least the ports noted before (if you trusted your system before the install ;-)).
    Do not allow incoming or outgoing connections to the MySQL port (use ssh local forwarding) or to ftp (use scp).
    By default the rules only work for 5 minutes and are then erased. This is the learning mode; you can't break anything. Just continue reading the file csf.conf, it contains a lot of interesting information...
  • ModSecurity is an open source intrusion detection and prevention engine for web applications (or a web application firewall). Operating as an Apache Web server module or standalone, the purpose of ModSecurity is to increase web application security, protecting web applications from known and unknown attacks. (from http://www.modsecurity.org/)

    You'll have to create a free account at https://bsn.breach.com to get the real link

    # cd
    # wget https://bsn.breach.com/downloads/t=5156aa8803d6f186cf38688be522a402/modsecurity-apache/modsecurity-apache_2.5.7.tar.gz
    # tar -zxvf modsecurity-apache_2.5.7.tar.gz
    # cd modsecurity-apache_2.5.7/apache2
    # ./configure
    # make

    Copy the library mod_security2.so to /usr/lib/apache2

    # cp /root/modsecurity-apache_2.5.7/apache2/.libs/mod_security2.so /usr/lib/apache2/mod_security2.so

    Then copy all the latest rules into the apache2/conf.d folder

    # cp -r /root/modsecurity-apache_2.5.7/rules /etc/apache2/conf.d/

    Copy the minimal configuration file into apache2/conf.d folder

    # cp /root/modsecurity-apache_2.5.7/modsecurity.conf-minimal /etc/apache2/conf.d/modsecurity2.conf

    Add this line at the top of modsecurity2.conf

    LoadModule security2_module /usr/lib/apache2/mod_security2.so

    Restart apache2 by executing

    # rcapache2 restart

    Verify proper operation by looking at the log files

    # tail -f /var/log/apache2/modsec_debug_log

    Attention: this is my location for the log files!

    Change

    • the audit log location on line 191
    • the debug log location on line 285

    in /etc/apache2/conf.d/rules/modsecurity_crs_10_config.conf

  • mod_evasive is an evasive maneuvers module for Apache to provide evasive action in the event of an HTTP DoS or DDoS attack or brute force attack. It is also designed to be a detection and network management tool, and can be easily configured to talk to ipchains, firewalls, routers, and etcetera. mod_evasive presently reports abuses via email and syslog facilities.

    Detection is performed by creating an internal dynamic hash table of IP Addresses and URIs, and denying any single IP address from any of the following:
    • Requesting the same page more than a few times per second
    • Making more than 50 concurrent requests on the same child per second
    • Making any requests while temporarily blacklisted (on a blocking list)

    This method has worked well in both single-server script attacks as well as distributed attacks, but just like other evasive tools, is only as useful to the point of bandwidth and processor consumption (e.g. the amount of bandwidth and processor required to receive/process/respond to invalid requests), which is why it's a good idea to integrate this with your firewalls and routers for maximum protection.

    This module instantiates for each listener individually, and therefore has a built-in cleanup mechanism and scaling capabilities. Because of this per-child design, legitimate requests are never compromised (even from proxies and NAT addresses) but only scripted attacks. Even a user repeatedly clicking on 'reload' should not be affected unless they do it maliciously. mod_evasive is fully tweakable through the Apache configuration file, easy to incorporate into your web server, and easy to use. (from http://www.zdziarski.com/projects/mod_evasive/)

    Download the current version of mod_evasive
    #  wget http://www.zdziarski.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz

    Unpack it into /usr/local/src (the archive extracts into a mod_evasive directory)
    #  tar xvzf mod_evasive_1.10.1.tar.gz -C /usr/local/src

    Move to that directory
    #  cd /usr/local/src/mod_evasive
    And edit the file mod_evasive20.c: we have to change line 45 to
    #define MAILER  "/bin/mail -t %s"

    We compile the module (Apache2 or Apache2-Prefork):
    Apache2:          #  /usr/sbin/apxs2 -cia mod_evasive20.c
    Apache2-Prefork:  #  /usr/sbin/apxs2-prefork -cia mod_evasive20.c

    Now we have to create a config file for mod_evasive:
    # touch /etc/apache2/conf.d/mod_evasive.conf
    and edit it
    # vi /etc/apache2/conf.d/mod_evasive.conf
    Content of the file (Apache2 or Apache2-Prefork; only the module path differs):

    Apache2:
    LoadModule evasive20_module     /usr/lib/apache2/mod_evasive20.so
    <IfModule mod_evasive20.c>
      DOSHashTableSize 3097
      DOSPageCount 5
      DOSSiteCount 100
      DOSPageInterval 2
      DOSSiteInterval 2
      DOSBlockingPeriod 600
      # replace with your own address
      DOSEmailNotify admin@example.com
    </IfModule>

    Apache2-Prefork:
    LoadModule evasive20_module     /usr/lib/apache2-prefork/mod_evasive20.so
    <IfModule mod_evasive20.c>
      DOSHashTableSize 3097
      DOSPageCount 5
      DOSSiteCount 100
      DOSPageInterval 2
      DOSSiteInterval 2
      DOSBlockingPeriod 600
      # replace with your own address
      DOSEmailNotify admin@example.com
    </IfModule>


    Restart Apache2 either  with:
    # rcapache2 stop
    # rcapache2 start
    or
    # /etc/init.d/apache2 restart

    mod_evasive also ships a small Perl script to try a DoS attack against your own web server:
    # cd /usr/local/src/mod_evasive
    # perl test.pl

    You should see HTTP OK at first, but after a few seconds you will only get HTTP error 403, showing that mod_evasive is running correctly!