Fail2Ban Filters for Vulnerability scanners


Nao

Heya, I'm a full stack developer on a super small team (literally me and another developer) and while debugging something I was looking through our Apache logs and found a lot of requests scanning for vulnerabilities, either looking for credentials or admin panels, even IoT malware. I was wondering if I should start adding common vulnerability scanning requests to a fail2ban filter or if there was a better way to handle that sort of stuff.

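Added example (not from the original post): a fail2ban-style jail written as a small Python script, so you can see what "adding scanner requests to a filter" does before touching fail2ban itself. It parses Apache combined-format access log lines, matches a handful of assumed probe paths, and bans an IP once it trips maxretry hits inside a findtime window. The probe paths, thresholds and log lines are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache combined-format sample lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [05/Nov/2022:19:31:02 +0000] "GET /.env HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Nov/2022:19:31:03 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Nov/2022:19:31:05 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.4 - - [05/Nov/2022:19:32:10 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.4 - - [05/Nov/2022:19:32:11 +0000] "GET /.git/config HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Nov/2022:21:00:00 +0000] "GET /.env HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""

# Apache combined log: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Assumed probe paths that do not exist on the site being protected; a 404
# against one of them is treated as a scanner hit (the fail2ban "failregex").
SCANNER_PATHS = re.compile(r'^/(\.env|\.git/|wp-login\.php|phpmyadmin/|xmlrpc\.php)', re.IGNORECASE)


def parse_line(line):
    """Return (ip, timestamp, path, status) or None if the line is not an access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path"), int(m.group("status"))


def find_bans(log_text, maxretry=3, findtime=600):
    """Map banned IP -> time of the hit that triggered the ban.

    Mirrors fail2ban semantics: count matching hits per IP inside a sliding
    window of findtime seconds, and ban when the count reaches maxretry.
    """
    window = timedelta(seconds=findtime)
    hits = defaultdict(list)
    bans = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, path, status = rec
        if ip in bans or status != 404 or not SCANNER_PATHS.match(path):
            continue
        # Drop hits that have aged out of the window before counting.
        hits[ip] = [t for t in hits[ip] if ts - t <= window] + [ts]
        if len(hits[ip]) >= maxretry:
            bans[ip] = ts
    return bans
```

A legitimate visitor who mistypes one URL (198.51.100.4) is never banned, and 203.0.113.7's lone hit two hours later does not count against the earlier window, which is exactly the behaviour a real jail's findtime gives you.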

Hey!

Is there a specific reason you wanna filter them? If you want to filter all these garbage requests you would need something more powerful than fail2ban which would probably need more resources than just ignoring them. I would put my focus on stuff that actually impacts the security of your environment like brute force attacks and that sort of stuff.



2 minutes ago, Fry said:

Hey!

Is there a specific reason you wanna filter them? If you want to filter all these garbage requests you would need something more powerful than fail2ban which would probably need more resources than just ignoring them. I would put my focus on stuff that actually impacts the security of your environment like brute force attacks and that sort of stuff.


Feels like a good idea to block scanners and people attempting to exploit our web servers

Edited by Nao

Well, it's just my opinion and I would love to hear from others about it, but I don't think it's really possible to block all of them (just look at the mess that is Microsoft's attempt to mitigate the latest unpatched Exchange vuln with a filter rule). But if you want to try it, you would need a WAF like ModSecurity; it can block attack patterns, but it needs a lot of fine tuning. And still you wouldn't block many of the things that you described. And again, I wouldn't try. But maybe there are other opinions on that 🙂


So fail2ban is great for stopping SSH bruteforcing attempts and some basic web scanning. It's fairly safe in terms of deploying and doesn't require a lot of customization to show its value.

Something like a WAF is a good second step.


29 minutes ago, Nao said:

Heya, I'm a full stack developer on a super small team (literally me and another developer) and while debugging something I was looking through our Apache logs and found a lot of requests scanning for vulnerabilities, either looking for credentials or admin panels, even IoT malware. I was wondering if I should start adding common vulnerability scanning requests to a fail2ban filter or if there was a better way to handle that sort of stuff.

An IPS at your edge could stop most of what you're seeing before it gets to Apache. Fail2Ban or OSSEC can help, but only once it gets logged on your hosts.


GreyNoise offers an API which allows you to check IP addresses against a list of known scanners, but the free version has a rate limit.


1 hour ago, luppiter said:

You could check out CrowdSec (https://www.crowdsec.net/) as an alternative to Fail2Ban. In my opinion it has better defaults out of the box and more already built use cases, like web server use cases, etc.

I can vouch for CrowdSec. Been using their stuff for a while now and I am not disappointed.


Goes without saying, make sure your passwords are good, your admin panels are secure / restricted, and you've got MFA if available.

I'd start with simple WAF, modsecurity will help filter out basic malicious stuff but might need some tuning for your use case.

Crowdsec can help remove the noise of known bad IP addresses.

You could limit requests to acceptable user agent strings (loads of stuff sticks out quickly), e.g. https://geekflare.com/block-unwanted-requests/

If you just want to offload the overhead of handling those requests, use a CDN like Cloudflare. They also have captcha and WAF features, and some other _very_ premium options for defending against sophisticated / persistent threats if you have a sensitive workload and lots of money handy 🙂

+1 luppiter

+1 MalwareTech

15 hours ago, luppiter said:

You could check out CrowdSec (https://www.crowdsec.net/) as an alternative to Fail2Ban. In my opinion it has better defaults out of the box and more already built use cases, like web server use cases, etc.

15 hours ago, MalwareTech said:

GreyNoise offers an API which allows you to check IP addresses against a list of known scanners, but the free version has a rate limit.

Love the idea of GreyNoise. The cap was 500/day in 2017... I can't find recent data, it may have increased, they are super generous 🙂


On 11/5/2022 at 7:34 PM, Sutol said:

I can vouch for CrowdSec. Been using their stuff for a while now and I am not disappointed.

Yes, I would suggest ModSecurity or CrowdSec. Also, if you are seeing some common signatures of scanners, you could use your web server's native filters to block certain types of attacks too.

Something like in this tutorial for common attacks: https://perishablepress.com/eight-ways-to-blacklist-with-apaches-mod_rewrite/


If you attempt to fingerprint your network with Shodan/Fofa/ZoomEye/Censys etc., then use the requests to write rules to block/IP-ban their crawlers, you'll be just fine.


We try and block stuff before it gets to the web servers. AWS CloudFront with their WAF can geoblock, block specific IPs, block various SQL injection and XSS, and block stuff that meets your custom rules, or you can buy 3rd party rulesets/blocksets that are updated for you.

If you're not in AWS you could use Cloudflare's protection stuff. I haven't used that in a while, but it depends on budget and the time you have to admin this stuff. I think Cloudflare offer some protection for free, some more for $20 per site per month, and then it goes to 200 per site per month, but that's for DNS options; not sure if the pricing levels also impact protection levels.


On 11/5/2022 at 10:02 PM, Nao said:

Heya, I'm a full stack developer on a super small team (literally me and another developer) and while debugging something I was looking through our Apache logs and found a lot of requests scanning for vulnerabilities, either looking for credentials or admin panels, even IoT malware. I was wondering if I should start adding common vulnerability scanning requests to a fail2ban filter or if there was a better way to handle that sort of stuff.

https://nbailey.ca/post/block-scanners/


Definitely not the best solution, but once upon a time we had a case where there were a lot of bots scanning for vulnerabilities on our client's server. Later, seeing the logs, what we did in the short run was block IPs based on country location, as the attacks were mostly coming from Russia. So we blocked Russian IPs since we don't have any business with Russia. Later we did it with fail2ban and ModSecurity and implemented a captcha.

Edited by DrDisexon
correction