Atomic Secure Linux

All times are UTC - 5 hours [ DST ]
Post subject: Geoblocking "Select All" Button Request
Posted: Mon May 12, 2008 5:53 pm
New Forum User

Joined: Wed Dec 26, 2007 5:45 am
Posts: 4
Hey Scott,

Love the new features.

I just wanted to see if you could add a "Select All" button to the Geoblocking page, so that I can just unselect the USA TLD and not have to select all the other TLDs I want to block. Or if not that, a "Block everything except the selected TLDs" option would be nice.


Thanks!

Andrew T.


Posted: Mon May 12, 2008 10:24 pm
Forum Regular

Joined: Sun Nov 20, 2005 4:16 pm
Posts: 187
Location: Right Behind You!
You will want to be careful with that, since the intrawebs are fairly border neutral. My last server from 1and1 was reported as being in German IP space, even though it hosted nothing but US-centric websites. (Shaking my fist at the stupid spam filter at pobox.)

Now blocking some of the dirtier corners I'm all for (Hi Nigeria and China!), but be sure you understand the risks in doing so. I actually had a customer check their email from Slovenia while they were visiting their roots!

_________________
-Andy


Posted: Tue May 13, 2008 2:58 am
Forum Regular

Joined: Tue Jan 15, 2008 3:57 am
Posts: 478
Location: Netherlands
Is there a default somewhere? Which ones would you like to block for sure?


Posted: Tue May 13, 2008 6:29 am
Forum Regular

Joined: Tue Jan 15, 2008 3:57 am
Posts: 478
Location: Netherlands
Is it possible to make groups such as "Known bad countries", "Europe", "USA", etc.?


Posted: Tue May 13, 2008 8:07 am
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7780
Location: earth
I was thinking of maybe grouping them by continent next. Another way to do it might be to go with the "deny unless allowed" model, where instead of "GeoBlocking" we're "GeoAllowing".

I'm all ears for a known bad list. This is a good place to discuss who that would be and how it would look.

There's another layer to this as well: mod_security also supports GeoBlocking, which could allow you to narrow this all the way down to specific applications in specific vhosts. For example, one idea might be to have an ASL interface down at the domain level for the users to set a policy like this.

Anyway, I haven't thought it all the way through. This is where we could use everyone's feedback.

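To make the two models in the post above concrete (block the listed countries versus allow only the listed ones), here is an added Python example; it is not ASL's or Atomicorp's code. The GROUPS table, the LOOKUP table, the GeoPolicy shape, the vhost mapping and the function names are all my own constructed assumptions. The "allow" mode is the "Select All except the USA" request from the first post expressed as a one-entry allow-list; the per-vhost lookup mirrors the idea of pushing the decision down to individual domains.

```python
"""Geo policy in the block-list ("GeoBlocking") and allow-list ("GeoAllowing",
deny unless allowed) models, with named groups and per-vhost overrides.
Added illustration: the group table, policy shape and lookup table are
constructed assumptions, not ASL's configuration."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed, partial continent groups (a real table would cover every code).
GROUPS: Dict[str, Set[str]] = {
    "europe": {"DE", "FR", "NL", "GB", "SI"},
    "north_america": {"US", "CA", "MX"},
}

# Constructed geo lookup (RFC 5737 documentation addresses).  None stands
# for an address the geo database cannot place at all.
LOOKUP: Dict[str, Optional[str]] = {
    "198.51.100.9": "US",
    "203.0.113.7": "CN",
    "192.0.2.5": "NL",
    "192.0.2.200": None,
}


def lookup_country(ip: str) -> Optional[str]:
    return LOOKUP.get(ip)


@dataclass
class GeoPolicy:
    mode: str                                    # "block" or "allow"
    countries: Set[str] = field(default_factory=set)
    groups: Set[str] = field(default_factory=set)

    def listed(self) -> Set[str]:
        """Country codes named directly plus those of every named group."""
        codes = set(self.countries)
        for g in self.groups:
            codes |= GROUPS[g]
        return codes

    def permits(self, country: Optional[str]) -> bool:
        hit = country in self.listed()
        if self.mode == "block":
            # Block-list: only listed countries are refused; an address the
            # database cannot place is let through (nothing says it is bad).
            return not hit
        if self.mode == "allow":
            # Allow-list ("deny unless allowed"): an unplaceable address
            # fails closed, because nothing says it is allowed.
            return country is not None and hit
        raise ValueError(f"unknown mode {self.mode!r}")


def decide(ip: str, vhost: str, vhost_policies: Dict[str, GeoPolicy],
           default: GeoPolicy) -> bool:
    """A per-vhost policy wins over the server-wide default."""
    policy = vhost_policies.get(vhost, default)
    return policy.permits(lookup_country(ip))


# The original request: everything except the US -> allow-list with one entry.
US_ONLY = GeoPolicy(mode="allow", countries={"US"})
# A classic block-list that refuses one named group plus one extra country.
BLOCK_SOME = GeoPolicy(mode="block", countries={"CN"}, groups={"europe"})

if __name__ == "__main__":
    for ip in LOOKUP:
        print(ip, lookup_country(ip),
              "us_only:", US_ONLY.permits(lookup_country(ip)),
              "block_some:", BLOCK_SOME.permits(lookup_country(ip)))
```

The two modes differ most on an address the database cannot place: the allow-list refuses it, the block-list lets it through. Neither mode can detect a lookup that returns a confidently wrong country, which is the 1and1-server-in-German-IP-space case from the reply above, so the allow-list mode is the one to enable with the most care.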

Posted: Tue May 13, 2008 8:31 am
Forum Regular

Joined: Mon Apr 10, 2006 12:55 pm
Posts: 669
I'm not sure that geoblocking would be all that effective in the end. Consider that currently a good amount of spam is being sent, not from servers, but "zombie" computers at homes and businesses around the world that have been compromised and are now at the beck and call of people in those areas you'd like to geoblock. This is why MAPS lists aren't all that effective at blocking spam. I've had hack attempts on my machines from servers within the US that got hacked. Geoblocking would block the newbies but not stop the dedicated people that we'd all like to stop.


Posted: Tue May 13, 2008 9:16 am
Forum Regular

Joined: Sun Nov 20, 2005 4:16 pm
Posts: 187
Location: Right Behind You!
One thing I've been thinking about would be some sort of feedback mechanism for ASL similar to an email sender reputation system. If an IP is attacking an ASL server, it would upload the attacker and the sig fired to a central repo to be shared by other ASL subscribers. Get hit by many and your "bad" reputation score goes up, eventually evaporating over time. Thresholding (Evil, questionable, hit someone once) could then be set at the individual ASL subscriber level to determine how paranoid they want to be. There are challenges to overcome, such as being used for a DoS.

Just kicking around an idea.

_________________
-Andy


Posted: Tue May 13, 2008 9:28 am
Forum Regular

Joined: Tue Jan 15, 2008 3:57 am
Posts: 478
Location: Netherlands
Quote:
Just kicking around an idea.
Very nice idea! :) This would be a nice addition to ASL.


Posted: Tue May 13, 2008 11:32 am
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7780
Location: earth
Yes indeed, we actually have had something like that set up since before I started working on ASL 2.0. Before Mike had even found out about mod_security, he maintained mod_access+rbl, which does exactly what you're talking about. There are elements of this in some other parts of ASL as well; DenyHosts has its own shared blacklist system.

I agree completely that there needs to be reputation involved in the system to prevent poisoning attacks. Fortunately there are some other systems out there that have established some protocols for this (Vipul's Razor, for example) that we can look to for guidance. Anyway, I asked Mike to check in here on this thread because this has been his baby for years.

Keep the ideas coming!


Post subject: Great idea
Posted: Tue May 13, 2008 11:35 am
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3548
Location: Chantilly, VA
We're working on just such a feature right now. :-)

I'll post more details for feedback later today, but right now we are doing internal testing on a realtime RBL fed by all ASL nodes, and a local RBL that is fed by just the ASL nodes controlled by a group. So think of it as both your own personal RBL that only affects you, and a global ASL community feedback system that everyone can contribute to and benefit from.

Please let us know what you would like to see. I'm leading this one, so get your ideas in now and I'll code em up. :-)

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


Posted: Wed May 14, 2008 3:51 pm
Forum Regular

Joined: Sun Nov 20, 2005 4:16 pm
Posts: 187
Location: Right Behind You!
Some things I'd like to see:

1) Option to turn on, off, and only use local reputation. Some servers have to be careful on the information they share.

2) Submissions to a central repo contain attacking IP, sig, and md5 of the default Plesk IP address. This would allow for confidence levels in the signatures, as well as allow blocking of updates from someone intent on poisoning the DB. The md5 would keep it relatively anonymous in the DB, but I realize there are other ways you could map the identity. :)

3) Be able to weight the reputation based on preferences:
Evil - block the netblock if ASL says so. or if local rep says so
Diet coke of Evil - block the IP if ASL says so. or if local rep says so
Questionable - block 'em if ASL says so, or local repo says so for non-generic attack sigs --Best option would be to be able to customize sigs as high confidence, but that might never get used for most installs
Have at er - use local sigs with no reputation, but send attack data to ASL anyway

4) Generate reports on said blocking by attacker, hosted domain, sig, etc.

_________________
-Andy


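The reputation scheme sketched earlier in the thread (attacker IP and sig uploaded to a shared repo, a score that grows with reports and evaporates over time, thresholds chosen per subscriber, and the poisoning/DoS worry), the shared-versus-local RBL split described by Atomicorp staff, and the four tiers and the local-only option in the post above all fit in one small model. The following is an added Python example, not ASL's or Atomicorp's code: the three-day half-life, the per-node cap, the thresholds, the tier keys and the md5-of-node-address pseudonym are my own constructed assumptions.

```python
"""Decaying IP reputation shared between ASL-style nodes, with a per-node
cap against poisoning and the blocking tiers proposed in the thread.
Added illustration; half-life, thresholds, tier names and the md5 node id
are constructed assumptions, not ASL's design."""
import hashlib
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Report:
    ip: str          # attacking address
    sig: str         # signature that fired
    node_id: str     # md5 of the reporting node's address (a pseudonym, not secrecy)
    ts: float        # seconds since epoch
    generic: bool    # True for low-confidence, generic signatures


def node_id_for(node_address: str) -> str:
    return hashlib.md5(node_address.encode()).hexdigest()


class ReputationStore:
    """One instance fed by everyone (shared) or by your own nodes (local)."""

    def __init__(self, half_life: float = 3 * 24 * 3600,
                 per_node_cap: Optional[float] = 2.0):
        self.half_life = half_life          # a report's weight halves every half_life seconds
        self.per_node_cap = per_node_cap    # None: uncapped (fine for a local store)
        self.reports: Dict[str, List[Report]] = defaultdict(list)

    def submit(self, r: Report) -> None:
        self.reports[r.ip].append(r)

    def score(self, ip: str, now: float, generic_ok: bool = True) -> float:
        per_node: Dict[str, float] = defaultdict(float)
        for r in self.reports.get(ip, []):
            if r.generic and not generic_ok:
                continue
            age = max(0.0, now - r.ts)
            per_node[r.node_id] += 0.5 ** (age / self.half_life)
        # Capping each node means one reporter cannot manufacture an "Evil"
        # score on its own; several independent nodes have to agree.
        if self.per_node_cap is None:
            return sum(per_node.values())
        return sum(min(w, self.per_node_cap) for w in per_node.values())

    def reporters(self, ip: str) -> int:
        return len({r.node_id for r in self.reports.get(ip, [])})


# Tier semantics follow the thread; the numbers are constructed.
TIERS = {
    "evil":              dict(threshold=4.0, min_nodes=3, scope="netblock", generic_ok=True),
    "diet_coke_of_evil": dict(threshold=4.0, min_nodes=3, scope="ip",       generic_ok=True),
    "questionable":      dict(threshold=4.0, min_nodes=3, scope="ip",       generic_ok=False),
    "have_at_er":        None,   # no reputation blocking: local sigs only, but still submits
}


def decide(ip: str, now: float, tier: str, shared: ReputationStore,
           local: ReputationStore, use_shared: bool = True) -> Tuple[str, str]:
    """Return ("allow"|"block", target), target being the IP or its /24."""
    cfg = TIERS[tier]
    if cfg is None:
        return ("allow", ip)

    def says_so(store: ReputationStore, min_nodes: int) -> bool:
        return (store.score(ip, now, cfg["generic_ok"]) >= cfg["threshold"]
                and store.reporters(ip) >= min_nodes)

    # Your local store is trusted on its own; the shared one needs agreement.
    # use_shared=False is the "only use local reputation" switch.
    blocked = says_so(local, 1) or (use_shared and says_so(shared, cfg["min_nodes"]))
    if not blocked:
        return ("allow", ip)
    if cfg["scope"] == "netblock":
        return ("block", str(ipaddress.ip_network(f"{ip}/24", strict=False)))
    return ("block", ip)


def demo() -> Dict[str, Tuple[str, str]]:
    now = 1_000_000.0            # constructed "current time"
    attacker = "203.0.113.7"     # constructed attacker (RFC 5737 documentation range)
    shared = ReputationStore(per_node_cap=2.0)
    mine = ReputationStore(per_node_cap=None)
    poisoner = node_id_for("192.0.2.99")
    for _ in range(10):          # one node hammering the shared store
        shared.submit(Report(attacker, "sqli-001", poisoner, now, generic=False))
    alone = decide(attacker, now, "evil", shared, mine)
    for n in ("192.0.2.10", "192.0.2.11"):   # two more independent nodes agree
        shared.submit(Report(attacker, "sqli-001", node_id_for(n), now, generic=False))
    agreed = decide(attacker, now, "evil", shared, mine)
    return {"poisoner_alone": alone, "three_nodes_agree": agreed}


if __name__ == "__main__":
    print(demo())
```

The per-node cap plus the distinct-reporter minimum is what answers the poisoning concern raised earlier: ten reports from a single node are worth no more than two from anyone else, and the "Evil" netblock action needs three independent nodes before it fires. The "questionable" tier ignores generic signatures entirely, and the local store, fed only by your own nodes, is allowed to block on one reporter because you control its input.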
Post subject: Added to the feature
Posted: Wed May 14, 2008 7:45 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3548
Location: Chantilly, VA
Quote:
Some things I'd like to see:

1) Option to turn on, off, and only use local reputation. Some servers have to be careful on the information they share.


Agreed.

Quote:
2) Submissions to a central repo contain attacking IP, sig, and md5 of the default Plesk IP address. This would allow for confidence levels in the signatures, as well as allow blocking of updates from someone intent on poisoning the DB. The md5 would keep it relatively anonymous in the DB, but I realize there are other ways you could map the identity. :)


Well, you trust us don't you? ;-)

I'd also like to allow people to opt in and provide even more if they choose, such as the attack payload. We can use that not only to improve the rules, but we have some automated stuff in the research pipeline that's going to auto-learn new attacks, malware, etc., and the payloads would be really key to that. Again, opt-in, as some folks may not be able to share anything like that.

Quote:
3) Be able to weight the reputation based on preferences:
Evil - block the netblock if ASL says so. or if local rep says so
Diet coke of Evil - block the IP if ASL says so. or if local rep says so
Questionable - block 'em if ASL says so, or local repo says so for non-generic attack sigs --Best option would be to be able to customize sigs as high confidence, but that might never get used for most installs
Have at er - use local sigs with no reputation, but send attack data to ASL anyway


Right, OK, we'll brainstorm on a workflow to support this. Basically, you need control to decide what data is gonna work in your environment and what you want to do. I agree completely.

Quote:
4) Generate reports on said blocking by attacker, hosted domain, sig, etc.


Any thoughts on what you might want a report to look like? We're working on feeding all the data into a database in realtime, so in the future there will be plenty of ways to work with the data.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


Posted: Wed May 14, 2008 8:23 pm
Forum Regular

Joined: Sun Nov 20, 2005 4:16 pm
Posts: 187
Location: Right Behind You!
Quote:
we can use that not only improve the rules, but we have some automated stuff in the research pipeline thats going to auto-learn new attacks, malware, etc. and the payloads would be really key to that.

Now that I can't wait for! ASL goes honeynet. :)

Quote:
Any thoughts on what you might want a report to look like?

Well, I see two major types. One would be advertising to the clients. You know, charts in pretty colors. The other side would be things like sigs hit, sites/applications attacked by percentage, comparison to the ASL "average", trending by box and domain, correlation with spammers. The ability to print/pdf reports for auditors would be nice as well. I'm thinking like compliance with PCI DSS, etc. requirements.

I'd also like to add a widget on my biz website, like "ASL Protected" with some graph of all the bad stuff blocked; that might be good advertisement for both you and me. This wishing stuff is easy! Can I have a pony too? ;)

Seriously though, I'm lovin' the direction ASL is going.

_________________
-Andy


Posted: Wed May 14, 2008 8:32 pm
Forum Regular

Joined: Sun Nov 20, 2005 4:16 pm
Posts: 187
Location: Right Behind You!
Oh, one more thing that just came to me - give the ability to report false positives to domain owners. It could be to you or me, but it would curb some frustration when they post something to Joomla containing *iagra|*enis|gurth in a five paragraph post and get locked out.

_________________
-Andy


Posted: Thu May 15, 2008 3:07 am
Forum Regular

Joined: Tue Jan 15, 2008 3:57 am
Posts: 478
Location: Netherlands
Quote:
I'd also like to add a widget graph on my biz website like "ASL Protected" with some graph of all the bad stuff blocked might be good advertisement for both you and me. This wishing stuff is easy! Can I have a pony too?


I like this. I added the ART logo in my Plesk headers already :) Maybe you can use the system of scanalert.com (HackerSafe): if you are 100% HackerSafe you get this in your logo, and if there is a vulnerability it shows too :)

And give this man a pony for his good idea! :D :D

