Re: [Resin-interest] Firewall Question

2010-07-23 Thread Hari Selvarajan
 On Wed, Jul 21, 2010 at 7:14 AM, Aaron Freeman aaron.free...@layerz.com
 wrote:

 Just wondering if anybody has ever worked through a scenario where you
 could automatically firewall off an IP address that requested a
 poisoned URL?

 There is an attacker continuously scanning all of our servers for a
 specific URL, but from several different IPs.  It would be nice to be
 able to automatically firewall them off.


If you're running a Resin instance behind Apache, you could also look at 
mod_security:

http://www.modsecurity.org/

The open-source version is an Apache module with a rule engine (and a 
rule language) that might be useful to do the kind of thing you're 
looking for. The core rule sets are fairly substantial (they also deal 
with, amongst other things, SQL injection and XSS), but if all you want 
to do is fence off a single URL, you should be able to write a rule for 
that without too much effort.

- Hari


___
resin-interest mailing list
resin-interest@caucho.com
http://maillist.caucho.com/mailman/listinfo/resin-interest


Re: [Resin-interest] Firewall Question

2010-07-22 Thread Rob Lockstone
I'd think there'd be a way you could do this programmatically with a filter. 
Though you'd need some way to notify your firewall to block the offending IP, 
and perhaps you don't have an actual firewall running.

Then again, you could have another filter that rejects requests from listed IPs 
that your first filter writes to. :)  I know, it's not an automatic feature; 
I'm just thinking out loud that it probably wouldn't be very hard to implement 
something that would do the job.

Rob

On Jul 21, 2010, at 12:47 , Aaron Freeman wrote:

 Jon,
 
 Right, so far that's been our tack.  This one particular attack is a bit 
 annoying because it's inflating our logs.
 
 I was just curious if this was a capability within Resin.  We wouldn't 
 take the time to write a custom tag or anything like that to stop it.
 
 Aaron
 
 
 On 7/21/2010 10:27 AM, Jon Stevens wrote:
 Having run very very large porn sites for a number of years, I've seen
 all sorts of automated 'attacks' like that. If you don't have anything
 responding to those URLs, then you don't have any problems. =)
 
 Anyway, why bother? Just ignore it. I'm sure you have better things to
 do with your time than play whack-a-mole.
 
 jon
 
 On Wed, Jul 21, 2010 at 7:14 AM, Aaron Freeman aaron.free...@layerz.com
 wrote:
 
 Just wondering if anybody has ever worked through a scenario where you
 could automatically firewall off an IP address that requested a
 poisoned URL?
 
 There is an attacker continuously scanning all of our servers for a
 specific URL, but from several different IPs.  It would be nice to be
 able to automatically firewall them off.
 
 Has anybody done anything like that before?
 
 Thanks,
 
 Aaron
 





Re: [Resin-interest] Firewall Question

2010-07-22 Thread Jon Stevens
Many firewalls can only block 256 IPs at a time. It becomes an expensive
process for them to do packet inspection at that layer. You also need to
set up a system to figure out which IPs to block and then pass those to the
firewall. In my experience, this was a fallible system because as soon as
you block an IP, you could be potentially blocking a LOT of IPs if you
block the wrong NAT gateway. =) You don't want to lock out the wrong people.

I built a system like this for my last company called the
'autocockblocker'... it looked for attempts at repeated login/registration
attempts and would tell the firewall to IP block those people... we ended up
having to pretty much turn it off because of the NAT issue.

Really though, there are large companies (aka: Cisco... aka
http://www.ironport.com/) that make products that do exactly what you are
proposing. I don't see a reason to do this within an app container like
Resin. That said, the utility of these products is always questionable;
if you have vectors in your application that are open for attack and thus
need a product like this, you probably have bigger issues anyway. =)

jon


On Thu, Jul 22, 2010 at 11:59 AM, Rob Lockstone lockst...@mac.com wrote:

 I'd think there'd be a way you could do this programmatically with a filter.
 Though you'd need some way to notify your firewall to block the offending
 IP, and perhaps you don't have an actual firewall running.

 Then again, you could have another filter that rejects requests from listed
 IPs that your first filter writes to. :)  I know, it's not an automatic
 feature; I'm just thinking out loud that it probably wouldn't be very hard
 to implement something that would do the job.

 Rob

 On Jul 21, 2010, at 12:47 , Aaron Freeman wrote:

  Jon,
 
  Right, so far that's been our tack.  This one particular attack is a bit
  annoying because it's inflating our logs.
 
  I was just curious if this was a capability within Resin.  We wouldn't
  take the time to write a custom tag or anything like that to stop it.
 
  Aaron
 
 
  On 7/21/2010 10:27 AM, Jon Stevens wrote:
  Having run very very large porn sites for a number of years, I've seen
  all sorts of automated 'attacks' like that. If you don't have anything
  responding to those URLs, then you don't have any problems. =)
 
  Anyway, why bother? Just ignore it. I'm sure you have better things to
  do with your time than play whack-a-mole.
 
  jon
 
  On Wed, Jul 21, 2010 at 7:14 AM, Aaron Freeman aaron.free...@layerz.com
  wrote:
 
  Just wondering if anybody has ever worked through a scenario where you
  could automatically firewall off an IP address that requested a
  poisoned URL?
 
  There is an attacker continuously scanning all of our servers for a
  specific URL, but from several different IPs.  It would be nice to be
  able to automatically firewall them off.
 
  Has anybody done anything like that before?
 
  Thanks,
 
  Aaron
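
Rob's two-filter idea, collapsed into one servlet filter and given an expiry on every block so that a shared NAT address, the problem Jon describes, is not locked out indefinitely. This is an added example, not code from the thread or from Resin; it assumes the javax.servlet API and Java 8, and the class name, the /poisoned-url path, the 10-minute block and the 10,000-entry cap are hypothetical.

```java
import java.io.IOException;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example, not from the thread: trap-URL filter with expiring per-IP blocks.
public class PoisonedUrlFilter implements Filter {
    static final String TRAP_PATH = "/poisoned-url";   // assumption: the URL being scanned for
    static final long BLOCK_MILLIS = 10 * 60 * 1000L;  // assumption: 10-minute block
    static final int MAX_ENTRIES = 10000;              // assumption: cap on list size

    // remote address -> epoch millis at which its block expires
    private final ConcurrentHashMap<String, Long> blockedUntil = new ConcurrentHashMap<>();

    // Records hits on the trap path; returns true when the request must be rejected.
    boolean shouldReject(String ip, String path, long now) {
        if (path.startsWith(TRAP_PATH)) {
            if (blockedUntil.size() >= MAX_ENTRIES) blockedUntil.values().removeIf(t -> t <= now);
            if (blockedUntil.size() < MAX_ENTRIES || blockedUntil.containsKey(ip)) {
                blockedUntil.put(ip, now + BLOCK_MILLIS);  // repeat hits extend the block
            }
            return true;                                   // the trap URL is never served
        }
        Long until = blockedUntil.get(ip);
        if (until == null) return false;
        if (until <= now) {                                // expired: forgive the address
            blockedUntil.remove(ip, until);
            return false;
        }
        return true;
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        String path = http.getRequestURI().substring(http.getContextPath().length());
        // getRemoteAddr() is the TCP peer: behind NAT or a proxy, many users share it
        if (shouldReject(http.getRemoteAddr(), path, System.currentTimeMillis())) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    public void init(FilterConfig config) {}
    public void destroy() {}
}
```

Map the filter to /* in web.xml so it runs ahead of the application's own filters and servlets. The list lives in one JVM's memory, so each server keeps its own.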
 





[Resin-interest] Firewall Question

2010-07-21 Thread Aaron Freeman
Just wondering if anybody has ever worked through a scenario where you 
could automatically firewall off an IP address that requested a 
poisoned URL?

There is an attacker continuously scanning all of our servers for a 
specific URL, but from several different IPs.  It would be nice to be 
able to automatically firewall them off.

Has anybody done anything like that before?

Thanks,

Aaron




Re: [Resin-interest] Firewall Question

2010-07-21 Thread Jon Stevens
Having run very very large porn sites for a number of years, I've seen
all sorts of automated 'attacks' like that. If you don't have anything
responding to those URLs, then you don't have any problems. =)

Anyway, why bother? Just ignore it. I'm sure you have better things to
do with your time than play whack-a-mole.

jon

On Wed, Jul 21, 2010 at 7:14 AM, Aaron Freeman aaron.free...@layerz.com wrote:
 Just wondering if anybody has ever worked through a scenario where you
 could automatically firewall off an IP address that requested a
 poisoned URL?

 There is an attacker continuously scanning all of our servers for a
 specific URL, but from several different IPs.  It would be nice to be
 able to automatically firewall them off.

 Has anybody done anything like that before?

 Thanks,

 Aaron




Re: [Resin-interest] Firewall Question

2010-07-21 Thread Aaron Freeman
Jon,

Right, so far that's been our tack.  This one particular attack is a bit 
annoying because it's inflating our logs.

I was just curious if this was a capability within Resin.  We wouldn't 
take the time to write a custom tag or anything like that to stop it.

Aaron


On 7/21/2010 10:27 AM, Jon Stevens wrote:
 Having run very very large porn sites for a number of years, I've seen
 all sorts of automated 'attacks' like that. If you don't have anything
 responding to those URLs, then you don't have any problems. =)

 Anyway, why bother? Just ignore it. I'm sure you have better things to
 do with your time than play whack-a-mole.

 jon

 On Wed, Jul 21, 2010 at 7:14 AM, Aaron Freeman aaron.free...@layerz.com
 wrote:

 Just wondering if anybody has ever worked through a scenario where you
 could automatically firewall off an IP address that requested a
 poisoned URL?

 There is an attacker continuously scanning all of our servers for a
 specific URL, but from several different IPs.  It would be nice to be
 able to automatically firewall them off.

 Has anybody done anything like that before?

 Thanks,

 Aaron




Re: [Resin-interest] Firewall Question

2010-07-21 Thread Jon Stevens
Disk space is cheap and your logs auto rotate. Hopefully you use a
tool like 'grep' (aka: Splunk) to get the important bits (aka: stack
traces) out of your logs.

jon


On Wed, Jul 21, 2010 at 12:47 PM, Aaron Freeman
aaron.free...@layerz.com wrote:
 Jon,

 Right, so far that's been our tack.  This one particular attack is a bit
 annoying because it's inflating our logs.

 I was just curious if this was a capability within Resin.  We wouldn't
 take the time to write a custom tag or anything like that to stop it.

 Aaron


 On 7/21/2010 10:27 AM, Jon Stevens wrote:
 Having run very very large porn sites for a number of years, I've seen
 all sorts of automated 'attacks' like that. If you don't have anything
 responding to those URLs, then you don't have any problems. =)

 Anyway, why bother? Just ignore it. I'm sure you have better things to
 do with your time than play whack-a-mole.

 jon

 On Wed, Jul 21, 2010 at 7:14 AM, Aaron Freeman aaron.free...@layerz.com
 wrote:

 Just wondering if anybody has ever worked through a scenario where you
 could automatically firewall off an IP address that requested a
 poisoned URL?

 There is an attacker continuously scanning all of our servers for a
 specific URL, but from several different IPs.  It would be nice to be
 able to automatically firewall them off.

 Has anybody done anything like that before?

 Thanks,

 Aaron

