Announcement

Collapse
No announcement yet.

Is it illegal to DDoS your own server over the internet?

Collapse
This topic is closed.
X
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    #16
    Aah, rookie error. The relevant OWASP ruleset comes bundled with mod_security on Debian... obviously, that version is the right one!

    Wish I'd realised that sooner, instead of messing around installing the latest!

    Ho hum, I feel like I know my way around the whole thing a bit better now, at least

    This is a really good guide:
    https://www.linuxquestions.org/quest...ebian-7-35569/


    So anyway, now mod_security is working, but a little too well! I get a 503 error whenever I try to update a post...basically anything that requires a PHP script = 503.

    At first I enabled all of the base rules and all of the optional rules. Then I disabled the optional rules, and now I just have all of the core rules enabled, any ideas which ones I should disable?

    Or perhaps disabling them all and re-enabling rules one by one would be a better plan?

    Feathers
    samhobbs.co.uk

    Comment


      #17
      Way outside my knowledge, but I'd guess that in order to update/upload php files, you would have to stop your apache server first.
      Windows no longer obstructs my view.
      Using Kubuntu Linux since March 23, 2007.
      "It is a capital mistake to theorize before one has data." - Sherlock Holmes

      Comment


        #18
        Thanks Snowhog,

        I actually meant running a php script rather than uploading one... WordPress has loads of them for things like updating posts, comments, logging in etc.

        I googled for a while and it seems I can probably write a list of exceptions to allow each script. For now, I've just disabled all of the rules. When I get some time I'm going to add just the ones I need for now, starting with the DoS rules because I don't think those shouldn't clash with WordPress too much (famous last words!).

        Feathers
        samhobbs.co.uk

        Comment


          #19
          OK: I've installed mod_security and configured it to use just the one rule from the OWASP ruleset:

          Code:
          # modsecurity_crs_11_dos_protection.conf
          #
          # Anti-Automation rule set for detecting Denial of Service Attacks. 
          #
          
          #
          # Enforce an existing IP address block and log only 1-time/minute
          # We don't want to get flooded by alerts during an attack or scan so
          # we are only triggering an alert once/minute.  You can adjust how often
          # you want to receive status alerts by changing the expirevar setting below.
          #
          SecRule IP:DOS_BLOCK "@eq 1" "chain,phase:1,id:'981044',drop,msg:'Denial of Service (DoS) Attack Identified from %{remote_addr} (%{tx.dos_block_counter} hits since last alert)',setvar:ip.dos_block_counter=+1"
                  SecRule &IP:DOS_BLOCK_FLAG "@eq 0" "setvar:ip.dos_block_flag=1,expirevar:ip.dos_block_flag=60,setvar:tx.dos_block_counter=%{ip.dos_block_counter},setvar:ip.dos_block_counter=0"
          
          #
          # Block and track # of requests but don't log
          SecRule IP:DOS_BLOCK "@eq 1" "phase:1,id:'981045',t:none,drop,nolog,setvar:ip.dos_block_counter=+1"
          
          #
          # skipAfter Check
          # There are different scenarios where we don't want to do checks -
          # 1. If the current IP address has already been blocked due to high requests
          # In this case, we skip doing the request counts.
          #
          SecRule IP:DOS_BLOCK "@eq 1" "phase:5,id:'981046',t:none,nolog,pass,skipAfter:END_DOS_PROTECTION_CHECKS"
          
          #
          # DOS Counter
          # Count the number of requests to non-static resoures
          # 
          SecRule REQUEST_BASENAME "!\.(jpe?g|png|gif|js|css|ico)$" "phase:5,id:'981047',t:none,nolog,pass,setvar:ip.dos_counter=+1"
          
          #
          # Check DOS Counter
          # If the request count is greater than or equal to user settings,
          # we then set the burst counter
          # 
          SecRule IP:DOS_COUNTER "@gt %{tx.dos_counter_threshold}" "phase:5,id:'981048',t:none,nolog,pass,t:none,setvar:ip.dos_burst_counter=+1,expirevar:ip.dos_burst_counter=%{tx.dos_burst_time_slice},setvar:!ip.dos_counter"
          
          #
          # Check DOS Burst Counter and set Block
          # Check the burst counter - if greater than or equal to 2, then we set the IP
          # block variable for 5 mins and issue an alert.
          #
          SecRule IP:DOS_BURST_COUNTER "@ge 2" "phase:5,id:'981049',t:none,log,pass,msg:'Potential Denial of Service (DoS) Attack from %{remote_addr} - # of Request Bursts: %{ip.dos_burst_counter}',setvar:ip.dos_block=1,expirevar:ip.dos_block=%{tx.dos_block_timeout}"
          
          SecMarker END_DOS_PROTECTION_CHECKS
          There's another one for slow DoS that I might try later, I think that one is for the type of attacks that GreyGeek was talking about where the client starts making a request and then stops after the first bit and leaves the server waiting.

          For now, I'd like a simple way of testing this one, which I think just limits the rate of requests.

          I was thinking of writing a script that would do it, but I'm not sure it would work... for example, if I make loads of requests with wget/curl, I don't think I'd be able to make more than one request per second, since I think the command wouldn't let you make a second request until the first is complete. Does that make sense, or am I barking up the wrong tree?

          I also came across the Apache Benchmark tool, but I think that would do a similar thing (wait until a whole page has downloaded before trying again).

          http://httpd.apache.org/docs/2.2/programs/ab.html

          Any ideas?
          samhobbs.co.uk

          Comment


            #20
            The saga continues...

            Someone tried to hack my server last night and overwhelmed the MySql server again.

            Access log attached, filtered for the relevant IP address.

            Mod_security caught some things, but there are no messages from the DoS rule:

            Code:
            admin@samhobbs /var/log/apache2/samhobbs $ cat error.log.1 | grep ModSecurity
            [Wed Feb 19 22:17:07 2014] [error] [client 190.39.147.52] ModSecurity: XML parser error: XML: Failed parsing document. [hostname "www.samhobbs.co.uk"] [uri "/wordpress/xmlrpc.php"] [unique_id "UwUtYX8AAQEAAAKNRAcAAAAc"]
            [Wed Feb 19 22:17:07 2014] [error] [client 190.39.147.52] ModSecurity: Access denied with code 400 (phase 2). Match of "eq 0" against "REQBODY_ERROR" required. [file "/etc/modsecurity/modsecurity.conf"] [line "54"] [msg "Failed to parse request body."] [data "XML parser error: XML: Failed parsing document."] [severity "CRITICAL"] [hostname "www.samhobbs.co.uk"] [uri "/wordpress/xmlrpc.php"] [unique_id "UwUtYX8AAQEAAAKNRAcAAAAc"]
            [Thu Feb 20 00:49:47 2014] [error] [client 198.23.196.41] ModSecurity: XML parser error: XML: Failed parsing document. [hostname "www.samhobbs.co.uk"] [uri "/wordpress/xmlrpc.php"] [unique_id "UwVRK38AAQEAAASGJDIAAAAJ"]
            [Thu Feb 20 00:49:47 2014] [error] [client 198.23.196.41] ModSecurity: Access denied with code 400 (phase 2). Match of "eq 0" against "REQBODY_ERROR" required. [file "/etc/modsecurity/modsecurity.conf"] [line "54"] [msg "Failed to parse request body."] [data "XML parser error: XML: Failed parsing document."] [severity "CRITICAL"] [hostname "www.samhobbs.co.uk"] [uri "/wordpress/xmlrpc.php"] [unique_id "UwVRK38AAQEAAASGJDIAAAAJ"]
            [Thu Feb 20 02:49:53 2014] [error] [client 198.143.144.139] ModSecurity: XML parser error: XML: Failed parsing document. [hostname "www.samhobbs.co.uk"] [uri "/wordpress/xmlrpc.php"] [unique_id "UwVtUX8AAQEAAAWMm3wAAAAA"]
            [Thu Feb 20 02:49:53 2014] [error] [client 198.143.144.139] ModSecurity: Access denied with code 400 (phase 2). Match of "eq 0" against "REQBODY_ERROR" required. [file "/etc/modsecurity/modsecurity.conf"] [line "54"] [msg "Failed to parse request body."] [data "XML parser error: XML: Failed parsing document."] [severity "CRITICAL"] [hostname "www.samhobbs.co.uk"] [uri "/wordpress/xmlrpc.php"] [unique_id "UwVtUX8AAQEAAAWMm3wAAAAA"]
            [Thu Feb 20 02:55:15 2014] [error] [client 142.234.104.10] ModSecurity: XML parser error: XML: Failed parsing document. [hostname "www.samhobbs.co.uk"] [uri "/wordpress/xmlrpc.php"] [unique_id "UwVuk38AAQEAAAVTb6YAAAAa"]
            [Thu Feb 20 02:55:15 2014] [error] [client 142.234.104.10] ModSecurity: Access denied with code 400 (phase 2). Match of "eq 0" against "REQBODY_ERROR" required. [file "/etc/modsecurity/modsecurity.conf"] [line "54"] [msg "Failed to parse request body."] [data "XML parser error: XML: Failed parsing document."] [severity "CRITICAL"] [hostname "www.samhobbs.co.uk"] [uri "/wordpress/xmlrpc.php"] [unique_id "UwVuk38AAQEAAAVTb6YAAAAa"]
            [Thu Feb 20 03:34:03 2014] [error] [client 183.60.244.33] ModSecurity: Access denied with code 44 (phase 2). Match of "eq 0" against "MULTIPART_STRICT_ERROR" required. [file "/etc/modsecurity/modsecurity.conf"] [line "75"] [msg "Multipart request body failed strict validation: PE 0, BQ 0, BW 0, DB 1, DA 1, HF 0, LF 1, SM , IQ 0, IQ 0, IH 0, IH 0"] [hostname "www.samhobbs.co.uk"] [uri "/jcms/m_5_5/m_5_5_3/import.jsp"] [unique_id "UwV3q38AAQEAAAc9zYIAAAAK"]
            [Thu Feb 20 03:34:04 2014] [error] [client 183.60.244.33] ModSecurity: Access denied with code 44 (phase 2). Match of "eq 0" against "MULTIPART_STRICT_ERROR" required. [file "/etc/modsecurity/modsecurity.conf"] [line "75"] [msg "Multipart request body failed strict validation: PE 0, BQ 0, BW 0, DB 0, DA 0, HF 0, LF 1, SM , IQ 0, IQ 0, IH 0, IH 0"] [hostname "www.samhobbs.co.uk"] [uri "/wp-content/themes/ThinkResponsive/includes/uploadify/upload_settings_image.php"] [unique_id "UwV3rH8AAQEAAAZyyrQAAAA@"]
            [Thu Feb 20 03:34:05 2014] [error] [client 183.60.244.33] ModSecurity: Access denied with code 44 (phase 2). Match of "eq 0" against "MULTIPART_STRICT_ERROR" required. [file "/etc/modsecurity/modsecurity.conf"] [line "75"] [msg "Multipart request body failed strict validation: PE 0, BQ 0, BW 0, DB 0, DA 1, HF 0, LF 1, SM , IQ 0, IQ 0, IH 0, IH 0"] [hostname "www.samhobbs.co.uk"] [uri "/flashcoms/common/server/php/file.php"] [unique_id "UwV3rX8AAQEAAAcgZrwAAAAB"]
            [Thu Feb 20 03:34:06 2014] [error] [client 183.60.244.33] ModSecurity: Access denied with code 44 (phase 2). Match of "eq 0" against "MULTIPART_STRICT_ERROR" required. [file "/etc/modsecurity/modsecurity.conf"] [line "75"] [msg "Multipart request body failed strict validation: PE 0, BQ 0, BW 0, DB 0, DA 1, HF 0, LF 1, SM , IQ 0, IQ 0, IH 0, IH 0"] [hostname "www.samhobbs.co.uk"] [uri "/ewebeditor/php/upload.php"] [unique_id "UwV3rn8AAQEAAAcgZr0AAAAB"]
            [Thu Feb 20 03:34:13 2014] [error] [client 183.60.244.33] ModSecurity: Access denied with code 400 (phase 2). Match of "eq 0" against "REQBODY_ERROR" required. [file "/etc/modsecurity/modsecurity.conf"] [line "54"] [msg "Failed to parse request body."] [data "Multipart parsing error: Multipart: Final boundary missing."] [severity "CRITICAL"] [hostname "www.samhobbs.co.uk"] [uri "/editor/editor/dialog/imageuser_mt_mt.php/index.php"] [unique_id "UwV3tX8AAQEAAAcyfAAAAAAF"]
            I don't understand why the DoS rule didn't kick in :/
            samhobbs.co.uk

            Comment


              #21
              * access log NOT attached, since I got locked out for trying to attach it!

              A general question about mod_security whitelisting...

              This link here:
              http://wpsecure.net/2012/01/using-mo...ith-wordpress/

              describes whitelisting for some rules so that mod_security works with wordpress without false positives. An example:

              Code:
              <LocationMatch "/wp-admin/post.php">
                SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904 959006
                SecRuleRemoveById phpids-17
                SecRuleRemoveById phpids-20
                SecRuleRemoveById phpids-21
                SecRuleRemoveById phpids-30
                SecRuleRemoveById phpids-61
              </LocationMatch>
              I understand this bit: SecRuleRemoveById 950907 since it refers to the rule ID of a particular SecRule:

              Code:
              admin@samhobbs /usr/share/modsecurity-crs/base_rules $ for f in * ; do cat $f | grep 950907; done
                              "phase:2,rev:'2.2.5',capture,t:none,t:normalisePath,t:lowercase,ctl:auditLogParts=+E,block,msg:'System Command Injection',id:'950907',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0},skipAfter:END_COMMAND_INJECTION1"
              ...but what does the phpid refer to? I've spent a long time searching for it, but can't find any results. Would really appreciate any help/hints!

              Feathers
              samhobbs.co.uk

              Comment


                #22
                Hi Sam,

                Hope you're well. I have been trying for the past 2 weeks, without success, to connect to your www.samhobbs.co.uk for one of your tutorials to configure my Raspberry Pi to boot from a USB flash drive for the /root files.

                Are you still battling with these attacks to your website? I am sorry to hear that if you are, and hope that you are able to resolve it soon.

                Is there another source to your tutorial?

                Regards,
                Chi

                Comment


                  #23
                  Originally posted by Chi-Man View Post
                  Hi Sam,

                  Hope you're well. I have been trying for the past 2 weeks, without success, to connect to your www.samhobbs.co.uk for one of your tutorials to configure my Raspberry Pi to boot from a USB flash drive for the /root files.

                  Are you still battling with these attacks to your website? I am sorry to hear that if you are, and hope that you are able to resolve it soon.

                  Is there another source to your tutorial?

                  Regards,
                  Chi
                  Hi Chi,

                  Unfortunately, my USB flash drive bricked:

                  https://www.kubuntuforums.net/showth...e-for-recovery

                  ... and I didn't have a recent backup.

                  I've just bought an Intel NUC and I'll be using it to host a new Drupal site, where I'll upload the old content.

                  I can send you a copy of the tutorial that I got from Google's cache later if you like (PM me your email?) or you might be able to find it there yourself.

                  Sorry about the downtime, it was a real kick in the teeth for me but it should work out better in the end with a speedier website etc!

                  Sam
                  samhobbs.co.uk

                  Comment


                    #24
                    Hi Sam,

                    I am sorry to hear that! I will have a look at the Google caches hopefully to locate your excellent tutorials. I don't think I have permission to send you a private message here, or not knowing how to do it. As you can see, I am a bit new to this after just joined the forum . :-)
                    Good luck with and looking forward to your new website hosting on your new toy( sorry, your new platform). :-) :-)

                    Cheers,
                    Chi

                    Comment


                      #25
                      Here you go:

                      http://webcache.googleusercontent.co...&hl=en&ct=clnk

                      Sam
                      samhobbs.co.uk

                      Comment


                        #26
                        Great, much appreciated. Very interesting threads regarding your bricked USB drive and the new Intel NUC. I will take you guys' advice to remember not to be tempted to use my Raspberry Pi for a production environment!

                        Catch you later.
                        Chi

                        Comment


                          #27
                          Either that or actually make proper backups! It's not so much the Pi's fault as the storage, you could easily put the root filesystem on a SSD or HDD instead and it wouldn't be prone to bricking like this.
                          samhobbs.co.uk

                          Comment


                            #28
                            I'm not convinced that a Raspberry Pi is the best choice for a production computer. 24/7/365 operation may not be a design goal for that little board.

                            Comment


                              #29
                              What makes you say that? If you plugged in an external SSD I can't see why it wouldn't be OK for a low traffic production server. It doesn't have much memory, but you don't have to look back in time very far to see when that was the norm!
                              samhobbs.co.uk

                              Comment


                                #30
                                I have absolutely no hard data to support my claim -- so yeah, it's little more than a feeling. Knowing that if my email were to go down means a basic inability to function, though, leads me to buy hardware that is designed for always-on full-time use. I am not (yet) comfortable with the notion of using a hobbyist board for that purpose.

                                /me in full crotchety old man mode, obviously

                                Comment

                                Working...
                                X