Do OWASP CRS modsecurity rules prevent DOS as in these 2 scenarios? - owasp

From the OWASP CRS (modsecurity) related docs (which I can find in the public domain) I can infer that brute force and DOS protection have been taken care of. However, I am not able to find specific details regarding the rules that prevent DOS. Currently, my server is experiencing brute force attacks of the following kind:
Same IP, Same Resource/Page At The Same Time
aa.bb.cc.dd 2021-04-27T07:01:37
aa.bb.cc.dd 2021-04-27T07:01:37
aa.bb.cc.dd 2021-04-27T07:01:37
Different IPs With Same Reverse DNS Host, Same Resource/Page At The Same Time. The first two octets of the IPs remain the same.
aa.bb.cc.dd 2021-04-27T07:01:37
aa.bb.ee.ff 2021-04-27T07:01:37
aa.bb.gg.hh 2021-04-27T07:01:37
Can someone experienced with OWASP CRS let me know if such attacks can be prevented with the CRS?
Update:
I am using Apache 2.4. Regarding CRS, I am using version 3.3.0.

You didn't write which HTTP server you use; that's important.
I think there are several solutions for your first item. CRS has optional DOS protection, see this section of crs.conf. This can help you in other cases too, e.g. when the resources are different.
Most HTTP servers provide other solutions too, e.g. if you use Apache, check mod_evasive (most distributions provide this as a package). I do not know about a similar solution for Nginx.
Your second issue is rather a DDOS, because the IP addresses are different.
It's a bit out of scope, but you can check fail2ban (also supported by most distros); maybe that can help you too.
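Two points of context that the answer above leaves implicit: in CRS 3.3 the DoS protection is off by default and is enabled by uncommenting rule 900700 in crs-setup.conf (which sets tx.dos_burst_time_slice, tx.dos_counter_threshold and tx.dos_block_timeout), and the logic in rules/REQUEST-912-DOS-PROTECTION.conf keeps its counters per client IP. The added example below (my own code, not part of the original post or of CRS) emulates that per-IP burst counter over a constructed log in the shape of the question's two scenarios, and next to it counts per /16 so you can see what a per-IP counter misses. The log format, the RFC 5737 addresses and the thresholds are assumptions for illustration.

```python
"""Per-client burst counting (the shape of the CRS DoS rules) run over
constructed access-log lines, plus the /16 grouping that per-IP counters
do not give you.

Assumptions (not from the original post): the log format is made up
("<client-ip> <ISO timestamp> <path>") and the thresholds are examples,
not CRS defaults."""
from collections import defaultdict
from datetime import datetime, timezone
import ipaddress

# Constructed sample log (RFC 5737 documentation addresses), not real traffic.
# Lines 1-3: scenario 1 (one IP, same second). Lines 5-7: scenario 2
# (three IPs sharing the first two octets, same second).
SAMPLE_LOG = """\
203.0.113.10 2021-04-27T07:01:37 /wp-login.php
203.0.113.10 2021-04-27T07:01:37 /wp-login.php
203.0.113.10 2021-04-27T07:01:37 /wp-login.php
203.0.113.10 2021-04-27T07:01:38 /wp-login.php
198.51.100.5 2021-04-27T07:01:37 /wp-login.php
198.51.100.77 2021-04-27T07:01:37 /wp-login.php
198.51.100.200 2021-04-27T07:01:37 /wp-login.php
192.0.2.1 2021-04-27T07:02:00 /index.html
"""


def parse(log):
    """Return (ip, timestamp, path) tuples; timestamps are treated as UTC."""
    rows = []
    for line in log.splitlines():
        ip, ts, path = line.split()
        when = datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)
        rows.append((ipaddress.ip_address(ip), when, path))
    return rows


def _slot(when, time_slice):
    # Fixed-width time buckets, the way a counter with an expiry behaves.
    return int(when.timestamp()) // time_slice


def per_ip_bursts(rows, time_slice=60, threshold=3):
    """Count requests per exact client IP inside each time slice and return
    the IPs that reach the threshold. This is the granularity the CRS DoS
    rules work at (one counter per client address), so the first scenario
    (one IP, many hits) shows up here."""
    counts = defaultdict(int)
    for ip, when, _path in rows:
        counts[(ip, _slot(when, time_slice))] += 1
    return sorted({str(ip) for (ip, _), n in counts.items() if n >= threshold})


def per_prefix_bursts(rows, prefix_len=16, time_slice=60, threshold=3):
    """Count requests per /prefix_len network instead and return
    (network, requests, distinct_ips) for networks that reach the threshold.
    CRS does not aggregate like this, which is why the second scenario
    (many IPs sharing the first two octets) slips past per-IP counters."""
    hits = defaultdict(list)
    for ip, when, _path in rows:
        net = ipaddress.ip_network((str(ip), prefix_len), strict=False)
        hits[(net, _slot(when, time_slice))].append(ip)
    flagged = []
    for (net, _), ips in hits.items():
        if len(ips) >= threshold:
            flagged.append((str(net), len(ips), len(set(ips))))
    return sorted(flagged)


if __name__ == "__main__":
    rows = parse(SAMPLE_LOG)
    print("per-IP, 60 s slice:", per_ip_bursts(rows))
    print("per-IP, same second:", per_ip_bursts(rows, time_slice=1))
    print("per-/16, 60 s slice:", per_prefix_bursts(rows))
```

With a one-second slice the per-IP counter flags only 203.0.113.10 (scenario 1); the 198.51.100.0/24 clients each make a single request and never cross a per-IP threshold, which is the gap fail2ban or a firewall rule keyed on a prefix has to cover for scenario 2.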

Related

Perform Denial of Service attack

I'm learning networking and internet security, and I'm trying to perform a Denial-of-Service attack on a VM (IP address: 192.168.100.1) which acts as a gateway.
Following some tutorials, I'm using hping3 to perform this with hping3 -S --flood -V -p 80 192.168.100.1 as the command.
Still, I'm able to ping the gateway from another host.
I've tried to add another attacker and open more terminals, still no success; the one thing I have obtained is an increase of the round-trip time (about 90 ms).
Are the attackers too few to perform this?
DOS may be illegal (in many countries). I am writing this just for educational purposes.
Yes, you will need more attacker instances. It is highly unlikely that the attacker has a single machine with a big enough Internet connection to generate enough traffic on its own. One way to generate that much traffic is through a botnet.
You may refer to the following link as the 1st step:
https://blog.cloudflare.com/65gbps-ddos-no-problem/

Localtunnel is not setting up the requested subdomain from the command 'lt --port 4000 --subdomain xyz'

I have been trying to set the subdomain in localtunnel, but it keeps giving me different subdomains.
The port number is 4000 and it's running.
The command which I used:
lt --port 4000 --subdomain xyz (I changed the subdomain name for security reasons).
What am I doing wrong?
I know it is a very late answer, but for the benefit of other searchers who get to this link and are not able to find a valid answer, I am writing this answer.
The command which I used: lt --port 4000 --subdomain xyz (I changed the subdomain name for security reasons).
The first thing is that the command is OK, but before localtunnel assigns you a subdomain, it must be available first.
Now you may be thinking, "I am using a very unique private domain name which should be available"; yes, you are right, but remember localtunnel keeps a record of the subdomains provided by you and builds its own private database, which contains a large enough pool for the random subdomain assignment feature.
Which makes clear that after one, two or even more (non-consecutive) attempts it is possible that your domain is assigned to someone else, so for that period you obviously cannot use that domain; however, whenever that domain is freed, you will be assigned the requested domain for sure.
I'm not familiar enough with localtunnel to tell you what's wrong there, but I can tell you how to accomplish your same goal using Telebit:
(p.s. Did you figure this out? If so, I'd love to hear how you did it and I'm sure others would too)
Install
curl https://get.telebit.io | bash
You can also install via npm... but that isn't the preferred install method at this time. There may be some caveats.
The random domain you get is attached to your account (hence the need for email) and it's encrypted end-to-end with Greenlock via Let's Encrypt.
Configure
./telebit http 4000 xyz
The general format is
./telebit <protocol> <port> [subdomain]
It's not just https, you can use it to tunnel anything over tls/ssl (plain tcp, ssh, openvpn, etc).
Custom domains are not yet a generally available feature, but they're on the horizon.

How to access devices with IPV6 link local address from browser(like IE,firefox etc)?

Both my device and the host from which I'm trying to access it are in the same subnet.
Scenario:
I have a switch and a server in the same subnet. I have to access the switch using its IPv6 link-local address from the browser on my server.
Can anyone please tell me the exact syntax?
To give an answer specific to browsers: for most common browsers, you can't.
There is a proposed standard format, as Sander Steffann pointed out, for specifying the interface for a URL, which is in RFC 6874.
The developers of both Chromium and Firefox, and seemingly most other browsers, have decided to intentionally not support this. Firefox has actually had ipv6 link-local support intentionally removed. Bug reports are closed as WONTFIX. See Chromium bug 70762, and Firefox bug 700999. Furthermore, WHATWG also rejected implementation of RFC 6874. This has been the case for years, so I doubt anything short of a patch or fork will result in link-local addresses working. It appears that a number of people are quite set on not allowing link-local address support.
One workaround, however, is to use SSH forwarding. For example,
ssh -L '8080:[FE80::XXXX:XXXX:XXXX:XXXX%wlp4s0]:80' localhost
A link-local address can be valid on multiple links. If for example your system has both Ethernet and Wi-Fi, those might be connected to different networks. Therefore you need to add a scope identifier to a link-local address. The syntax for that is to add % and the scope to the IPv6 address. The scope is usually the name of the interface, for example eth0 or ens192 on Linux, or 13 on Windows. The value is different on each system, so you'll need to check what to use in your case.
That gives you for example fe80::1111:2222%eth0. The problem is that % has special meaning in URLs, so you need to escape it. The escape for % is %25.
The correct URL syntax is http://[fe80::1111:2222%25eth0]/. The official standard for this is RFC 6874. Unfortunately many browsers don't follow the standard, so it might not work for you. In that case please file a bug report. There need to be more people complaining to get this fixed.
For those who have no sshd server set up on their laptop and find it troublesome to set one up, try finding port-forward scripts.
Here is a usable Python script, without external dependencies.
https://gist.github.com/NeverBehave/357ca63941d4af4ee3f54920be3d1f3c
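Putting the three answers above together as an added example (my own code, not the linked gist and not part of the original post): one function builds the RFC 6874 URL with the zone ID escaped as %25, and the rest is a dependency-free TCP relay bound to 127.0.0.1 that plays the role of the ssh -L workaround for browsers that refuse link-local hosts. The address, zone and port values are placeholders, and selftest() exercises the relay only over loopback.

```python
"""Build an RFC 6874 URL for a link-local address, and relay a loopback port
to [fe80::...%zone]:80 so a browser that refuses link-local hosts can use
http://127.0.0.1:<port>/ instead. Standard library only.

Assumptions (not from the original post): the address, zone and ports are
placeholders; selftest() only drives the relay over loopback."""
import socket
import threading
import urllib.parse


def link_local_url(address, zone, port=80, path="/", scheme="http"):
    """RFC 6874 form: the zone ID goes inside the brackets after a
    percent-encoded '%' (%25), e.g. http://[fe80::1%25eth0]/. The zone is
    an interface name such as eth0 on Linux or an index such as 13 on Windows."""
    zone_enc = urllib.parse.quote(zone, safe="")  # '%' and friends must be escaped
    default = (scheme, port) in (("http", 80), ("https", 443))
    port_part = "" if default else f":{port}"
    return f"{scheme}://[{address}%25{zone_enc}]{port_part}{path}"


def _pump(src, dst):
    """Copy bytes one way; half-close the destination when the source ends."""
    try:
        while True:
            chunk = src.recv(65536)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _handle(client, target):
    try:
        upstream = socket.create_connection(target, timeout=10)
        upstream.settimeout(None)
    except OSError:
        client.close()  # device unreachable (wrong zone, link down): drop the client
        return
    a = threading.Thread(target=_pump, args=(client, upstream), daemon=True)
    b = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
    a.start(); b.start(); a.join(); b.join()
    client.close()
    upstream.close()


def start_forwarder(listen_host, listen_port, target_host, target_port):
    """Accept on listen_host:listen_port and relay each connection to the
    target. target_host may carry a zone ID ('fe80::1111:2222%eth0'):
    create_connection resolves it with getaddrinfo, which accepts that
    suffix on Linux and Windows. Returns (bound_port, listening_socket);
    close the socket to stop. Listen on 127.0.0.1 so no other host on the
    LAN can use the relay to reach the device."""
    srv = socket.create_server((listen_host, listen_port))

    def accept_loop():
        while True:
            try:
                client, _ = srv.accept()
            except OSError:
                return  # listening socket closed
            threading.Thread(target=_handle,
                             args=(client, (target_host, target_port)),
                             daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1], srv


def selftest():
    """Relay to a one-shot echo server on loopback; returns the echoed bytes."""
    echo = socket.create_server(("127.0.0.1", 0))

    def echo_once():
        conn, _ = echo.accept()
        with conn:
            conn.sendall(conn.recv(1024))

    threading.Thread(target=echo_once, daemon=True).start()
    port, listener = start_forwarder("127.0.0.1", 0, "127.0.0.1", echo.getsockname()[1])
    with socket.create_connection(("127.0.0.1", port), timeout=5) as c:
        c.sendall(b"GET / HTTP/1.0\r\n\r\n")
        got = c.recv(1024)
    listener.close()
    echo.close()
    return got


if __name__ == "__main__":
    print(link_local_url("fe80::1111:2222", "eth0"))   # http://[fe80::1111:2222%25eth0]/
    print(selftest())
    # Real use (placeholders): start_forwarder("127.0.0.1", 8080, "fe80::1111:2222%eth0", 80)
    # then browse to http://127.0.0.1:8080/
```

The relay carries raw TCP, so it does not care whether the device speaks HTTP or something else, but it also means the device's certificate (if any) will not match 127.0.0.1; expect a browser warning over https.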

How to capture loopback traffic in Windows Server 2008

Setup:
I have client C connecting to server S
Both C and S are on the same machine
In C the server address is hardcoded to 127.0.0.1. Likewise, in S the client address is hardcoded to 127.0.0.1
Problem:
I want to be able to sniff the traffic between the client and the server.
Due to the configuration, I cannot move the client or the server to different locations (the addresses are hardcoded)
Installing the loopback interface and using tools like Wireshark+WinPcap doesn't lead anywhere (this was actually already known, but was worth a try)
RawCap, suggested in another topic, doesn't work. IP 127.0.0.1 is listed, but it does not record any traffic.
Using rinetd to route the traffic elsewhere, as suggested here, doesn't work (cannot bind on 127.0.0.1)
Not interested in using a local HTTP proxy, such as Fiddler, because I'd like to capture other protocols as well
Two commercial tools work, specifically CommView and Local Network Monitor, which means it must be possible to do that ;)
What can I do to capture the traffic?
Any pointers on functions I should use or documentation I should read?
Thanks!
Basically you need to write a TDI filter driver to achieve that... for some pointers see:
http://msdn.microsoft.com/en-us/library/windows/hardware/ff565685%28v=vs.85%29.aspx
http://msdn.microsoft.com/en-us/library/windows/hardware/ff563317%28v=VS.85%29.aspx
Another option is to write a WinSock LSP.
BEWARE
Since Windows 8 it is strongly encouraged to use WFP (Windows Filtering Platform) for this sort of thing...
Although it might be more cost-effective to just use/buy an existing solution, especially if you are not a very experienced driver developer...
Use RawCap, which can solve your concerns, see this

Is there a way to verify that Kerberos is used?

I am using the System.DirectoryServices namespace for communicating with an ADAM instance. Part of the network within our organization uses Kerberos, while another part defaults to NTLM. We also have conflicting domains (aliased the same, ABC) that have different fully resolved names, of course.
Kerberos requires usage of fully resolved names, as far as I understand. My ADAM instances (multiple, replicated) are pointed to by WideIP, which resolves to different IPs for different regions. One of those WideIPs is serving "me" an alias instead of FQDN, which makes my ADAM go to the wrong domain.
The questions are:
- Is there a way to verify that Kerberos is used in communication with that ADAM?
and
- Is there a way to force Kerberos (which could be used to error out early)?
Thank you for looking at it.
A colleague of mine showed me a couple of good tools that did the job:
Wireshark makes tracing communication protocols a snap. Great tool. It traces network packets. You will see exactly where Kerberos digresses to NTLM.
KerbTray is somewhat useful too.
Hope it will help someone.