TLDR;
SS:FragWhare - Super Simple (fake?) Fire Wall (tweaked) -
Nginx blocked urls technical details -
On up-streaming address block requests -
A Simple hits/sec Algorithm (tweaked) -
On inode thrash & inode non-use -
On 0 inode use filesystems -
logd quirks, log quirks, GH and Devember 2021 -
Update to OP points & current status -
Devember2021 + GitHub link -
I’m wondering if anyone (incl. LevelOneTechs) has any sort of automated network threat response setup between their web server (or other services) and router/firewall boxes.
I’m in the process of writing a custom threat response system on my (hosted) web server that can automatically escalate (and de-escalate) a threat response based on log file entries, and wondered what others might be doing.
I know there is stuff like PSAD that could be used; it’s designed to do threat analysis and could probably be used to automate something. But I am specifically targeting URI intrusion, so I am (initially) targeting HTTP 404 response logs.
I have really low traffic to the server ATM, there is nothing else on this yet, because I need to have enhanced security protection and threat management before I build the service I got the hosting for. So even though sshd is also a target, it’s not a priority yet.
http://psad.disloops.com - has a piece on “better installation” of PSAD (specifically on a RPi), but it uses OFW as well as iptables, and I need the least amount of services running on this box (it’s only 1G), so I am happy using ip-rules directly instead (for rule generation at least).
Because I don’t have access to the network firewall/router, once I start a threat response it becomes harder (towards impossible) to see if the threat is still there or has gone away.
The response levels go (something) like this:
- capture bogus URI intrusions, redirect to 4Gb ISO as a 200 response @1Kb/s rate limited
- dynamically add “deny IP” to web server config (and reload service or config)
- add ip-rule to interface
At level 2) and 3) I want to drop responses, as opposed to sending back responses, blackhole as it were. At level 2) I can still see what’s coming in on the interface, even when access via the server is blocked. But at level 3) I can no longer see if the IP is still trying to target my server. On a LAN or internal network, I can call out to query something (router/firewall) and see if the threat traffic is still there, and/or still high volume.
When I am done with this I hope to be using a GitHub repository to dynamically build a “location” level “/etc/nginx/block.conf” include file for Nginx, and have the level 2) and 3) threat response levels automatically de-escalate. Level 1) responses get “access.log” as well, in a separate file, which allows IP volume and response time analysis to be able to assist escalation and de-escalation.
I’m using Nginx + thttpd + PHP + crontab to automate everything. (incl. dumping http://server.com/favicon.ico connections if there is no HTTP REFERER passed along)
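The escalation scheme described in the post (count 404s per client address in a sliding window, derive a hits/sec figure, map the count to a response level, and render the level 2+ addresses into a location-level nginx `deny` include that drops an address again once it goes quiet) as an added Python example; this is not the original poster's code. The thresholds, the 60-second window, the log lines and the `NOW` timestamp are all constructed assumptions; level 3 (the interface ip-rule) is only reported, not applied.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# nginx "combined" log format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)

# Hypothetical thresholds: 404s from one address inside WINDOW that trigger each
# level (1: tarpit + separate log, 2: nginx deny, 3: ip-rule on the interface).
THRESHOLDS = {1: 3, 2: 10, 3: 30}
WINDOW = timedelta(seconds=60)


def parse_line(line):
    """Return {'ip', 'ts', 'status'} for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "status": int(m["status"]),
    }


def not_found_times(lines):
    """Map each client address to the timestamps of its 404 responses."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            per_ip[rec["ip"]].append(rec["ts"])
    return per_ip


def assess(timestamps, now, window=WINDOW):
    """Count 404s in the sliding window ending at `now` and map the count to a level.

    Hits that have aged out of the window no longer count, so an address whose
    probing stopped falls back to level 0: that is the de-escalation path.
    """
    hits = sum(1 for t in timestamps if timedelta(0) <= now - t <= window)
    level = max((lvl for lvl, thr in THRESHOLDS.items() if hits >= thr), default=0)
    return {"level": level, "hits": hits, "hits_per_sec": hits / window.total_seconds()}


def escalate(lines, now, window=WINDOW):
    """Assess every address in `lines`; only addresses at level 1 or above are returned."""
    result = {}
    for ip, ts in not_found_times(lines).items():
        a = assess(ts, now, window)
        if a["level"] > 0:
            result[ip] = a
    return result


def render_block_conf(assessments):
    """Render a location-level nginx include: level 2 and above become `deny` entries.

    Level 1 addresses are left out on purpose; they are still answered (tarpit/log only).
    """
    out = ["# generated block list; reload nginx after writing this file"]
    for ip in sorted(assessments):
        a = assessments[ip]
        if a["level"] >= 2:
            out.append(f"deny {ip};  # level {a['level']}, {a['hits']} x 404 in window")
    return "\n".join(out) + "\n"


# --- Constructed sample traffic (not real log data) -----------------------------
def _line(ip, minute, second, path, status):
    return (f'{ip} - - [10/Dec/2021:10:{minute:02d}:{second:02d} +0000] '
            f'"GET {path} HTTP/1.1" {status} 153 "-" "curl/7.79"')

# Evaluation instant: the end of minute 5, so minute-0 entries are older than WINDOW.
NOW = datetime(2021, 12, 10, 10, 5, 59, tzinfo=timezone.utc)

SAMPLE_LOG = (
    [_line("203.0.113.5", 5, s, f"/admin{s}.php", 404) for s in range(12)]        # 12 x 404: level 2
    + [_line("198.51.100.7", 5, s, "/wp-login.php", 404) for s in (5, 20, 40)]    # 3 x 404: level 1
    + [_line("192.0.2.9", 5, 30, "/index.html", 200),                             # normal traffic
       _line("192.0.2.9", 5, 31, "/missing.png", 404)]                            # 1 x 404: below level 1
    + [_line("203.0.113.77", 0, s, "/old-probe", 404) for s in range(0, 50, 5)]   # 10 x 404, all aged out
    + ["this line is not in combined format"]                                     # parser must skip it
)

if __name__ == "__main__":
    print(render_block_conf(escalate(SAMPLE_LOG, NOW)), end="")
```

Run from cron against the tail of the access log and write the output to the include file, then reload nginx; because the level is recomputed from the window each run, an address that stops probing disappears from the include on the next run without any separate un-block bookkeeping.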