On Wed, 13 Oct 2010 10:21:50 -0700 (PDT), Toby
<[email protected]> wrote:
> I'd like to get some input about if any of you use Active Response on
> a public facing web server. If so, then do you tweak the rules, or use
> the default settings? In particular, I have two concerns:
> 
> 1. One malicious person or bot behind a NAT could make my web server
> unavailable to everyone else behind the same NAT.
> 
> 2. With IP spoofing, a DoS method could be to programmatically attack
> the web server while spoofing perhaps hundreds of thousands of IP
> addresses. Since my web site is specific to my county, it would not be
> difficult for an attacker to limit his spoofs to the IP ranges owned
> by the two most prominent ISPs in the area.

I use active response and I have found it to be pretty effective. The rule
that fires off most often is the "multiple 400 from same IP" rule. These
are always requests for things like phpmyadmin. I also have ossec
monitoring other security layers on the site, so sometimes ossec blocks
something at the IP layer that has already been blocked at the application
layer. Also, one of my colleagues who does pen testing sometimes tests his
tools on my site. The default ossec rules always block him and cause him to
curse at me. :)

Honestly, although IP spoofing is a possibility, in reality I have found
it to not be a problem. Most responsible ISPs won't allow spoofed IPs to
leave their network.

-- 
[I] Immutable Security
Information Security, Privacy and Personal Liberty
http://www.immutablesecurity.com
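As an added illustration, not code from this thread or from OSSEC itself, here is a small Python model of the kind of frequency check behind a "multiple 400 from same IP" rule, run over constructed access-log lines. It also shows the answer to concern 1: exempting a known shared NAT egress address from the block. The IP addresses, threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Apache common log format (not from the thread):
# 198.51.100.7 is a scanner probing for phpmyadmin; 203.0.113.10 stands for a
# hypothetical NAT address shared by many legitimate users.
SAMPLE_LOG = """\
198.51.100.7 - - [13/Oct/2010:10:20:01 -0700] "GET /phpmyadmin/ HTTP/1.1" 404 209
198.51.100.7 - - [13/Oct/2010:10:20:02 -0700] "GET /pma/ HTTP/1.1" 404 209
198.51.100.7 - - [13/Oct/2010:10:20:03 -0700] "GET /phpMyAdmin/ HTTP/1.1" 404 209
198.51.100.7 - - [13/Oct/2010:10:20:04 -0700] "GET /mysql/ HTTP/1.1" 404 209
203.0.113.10 - - [13/Oct/2010:10:21:00 -0700] "GET /index.html HTTP/1.1" 200 5120
203.0.113.10 - - [13/Oct/2010:10:21:05 -0700] "GET /old-page HTTP/1.1" 404 209
203.0.113.10 - - [13/Oct/2010:10:21:06 -0700] "GET /missing.css HTTP/1.1" 404 209
203.0.113.10 - - [13/Oct/2010:10:21:07 -0700] "GET /favicon.ico HTTP/1.1" 404 209
203.0.113.10 - - [13/Oct/2010:10:21:08 -0700] "GET /robots.txt HTTP/1.1" 404 209
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)

def offending_ips(log_text, threshold=4, window_seconds=120, allowlist=()):
    """Return the set of source IPs that produced at least `threshold` 4xx
    responses inside any `window_seconds` span, skipping allowlisted IPs."""
    stamps_by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m.group("status").startswith("4"):
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z").timestamp()
        stamps_by_ip[m.group("ip")].append(ts)

    hits = set()
    for ip, stamps in stamps_by_ip.items():
        if ip in allowlist:          # shared NAT address: never auto-block
            continue
        stamps.sort()
        start = 0
        for end in range(len(stamps)):   # sliding window over sorted times
            while stamps[end] - stamps[start] > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                hits.add(ip)
                break
    return hits

if __name__ == "__main__":
    print("no allowlist:  ", sorted(offending_ips(SAMPLE_LOG)))
    print("NAT allowlisted:", sorted(offending_ips(SAMPLE_LOG, allowlist=("203.0.113.10",))))
```

Without the allowlist a burst of ordinary broken-link 404s from behind the NAT trips the same threshold as the scanner, which is exactly the collateral damage in concern 1; in OSSEC the equivalent exemption is the `<white_list>` entry in the global configuration.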
