
fail2ban and waf

Hi,

We migrated some websites from direct internet access to a WAF-style config, with the SSL and the external IP/DNS ending on Sophos XG. This immediately proved to have a negative effect on scripts (fail2ban and some others) that we use to block IP addresses. We considered using X-Forwarded-For to block the originating IP, but of course it has no effect under WAF. ;-)

Anyway, the question: we're looking for an easy (XG API) way to make (things like) fail2ban work with websites in the XG WAF. Because currently, on one side XG WAF adds security, but it takes it away on the other side. :-)

So I hope someone has some XG API scripts to share that he or she is using to upload IPs to be blocked/unblocked to the XG?

Anyone with samples?

(not sure I posted this in the right category...)



This thread was automatically locked due to age.
  • Hi all,

    No replies, but perhaps...weekend...? :-)

    I have started looking at the API docs, and can successfully authenticate via the API, so the basic procedure works. But, before continuing, I decided to ask again for advice:

    Looking at the API, I see a way to create an IPHost / HostGroupList, and to remove it again, but nothing to add/remove single IPs from an HostGroupList.

    My idea was to create a 'blacklist' firewall rule, matching an IPHost HostGroupList, and add/remove IPs to that list using the API, from a script from Fail2Ban.

    Question: Am I overlooking something? Is there really no easy way to add/remove single IPs from such a definition? Is there another way to mass-block IPs?

    I also looked at URL blacklists, but those are about URLs and not IPs, and browsing-only. Plus: it seems they are not refreshed often enough.
    (and strangely only supported over http and not HTTPS??!! Really??)

    Anyway, again: tips and advice would be very welcome! :-)

    Enjoy your Sunday and stay healthy!

  • Really? No one here is doing this, or am I missing something that is that obvious to everybody, that no one can be bothered to point it out to me?

  • The best way is to perform a GET on your Object, getting all objects within the current Object. Put those IPs in an array within your current script, add the IP into the array and post the new IPs to XG.

    XG will update this Object and the firewall will work without touching.

    With this approach, you can also clean the data and remove data at the same time.

  • Hi both!

    Of course I had read the docs, and searched here, thanks.

    Thanks for your suggestion LuCar Toni. I understand the way to proceed is to download the entire IPHost def, change it, and upload the updated IPHost to replace the current def.

    Thanks!

  • Important to know, you are limited to 1000 IPs per Object. So I do not know how big your list is, but maybe you need to create multiple Objects on XG and split them up. Would not be hard to deal with in scripting languages.

  • Yep, understood. We will not be keeping IPs in it eternally, so in practice I guess 1000 IPs should be no problem.

    Thanks again!

  • So, while I have your attention... :-)

    Testing API scripting now, and I created a test-12345 network def in XG, and I am trying with the following piece of API code to create a firewall rule "testing-12345", that will use the test-12345 def as a match criterion.

    However, the code below creates a firewall rule at the correct location, with the correct options, except for the matching, which is Any everywhere, including the SourceNetwork.

    Any idea why it would ignore the provided SourceNetwork?

    <Request>
      <Login>
        <Username>apiuser</Username>
        <Password passwordform="encrypt">E2A812</Password>
      </Login>
      <Set Operation="add">
        <SecurityPolicy>
          <Name>testing-12345</Name>
          <Status>Disable</Status>
          <IPFamily>IPv4</IPFamily>
          <Position>after</Position>
          <After>
            <Name>block from IPs</Name>
          </After>
          <PolicyType>Network</PolicyType>
          <NetworkPolicy>
            <SourceZones>
              <Zone>Any</Zone>
            </SourceZones>
            <SourceNetworks>
              <Network>test-12345</Network>
            </SourceNetworks>
            <!-- note: <Services> occurs twice in this NetworkPolicy (here and below) -->
            <Services>
              <Service>Any</Service>
            </Services>
            <Schedule>All The Time</Schedule>
            <DestinationZones>
              <Zone>Any</Zone>
            </DestinationZones>
            <DestinationNetworks>
              <Network>Any</Network>
            </DestinationNetworks>
            <Services>
              <Service>Any</Service>
            </Services>
            <Action>Drop</Action>
            <MatchIdentity>Disable</MatchIdentity>
            <LogTraffic>Enable</LogTraffic>
          </NetworkPolicy>
        </SecurityPolicy>
      </Set>
    </Request>

  • I'm really getting the feeling there are very few people doing stuff like this...

  • Most home users and people involved in this community likely are not using the API for such processes.

    About your question. 

    I would even go a step back: create the Firewall rule via webadmin once. Add the IP Host List into the firewall rule.

    And only GET and POST the IP Host List. After reloading the Object via API, XG should automatically reload the Firewall without your need to edit it.
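
The procedure the thread converges on (GET the IP list object, add or remove the address in the script, POST the whole object back, keep each object under 1000 entries, and leave the firewall rule itself untouched) as a fail2ban-driven script. This is an added example, not code from any of the posters or from Sophos. Everything about the API shape is an assumption to be checked against the XML API reference for your firmware version: that the controller accepts `reqxml` as a POST form field on port 4444, that an IPHost with `HostType` `IPList` carries its members comma-separated in `ListOfIPAddresses`, and that `<Set operation="update">` replaces the object. The host name, credentials, object base name `f2b`, object count and lock-file path are placeholders; the objects `f2b-1`, `f2b-2` and the host group and firewall rule that reference them are created once in webadmin, as LuCar Toni suggests, and the script only reads and rewrites the member lists.

```python
#!/usr/bin/env python3
"""fail2ban -> Sophos XG: keep IPList host objects in sync (added example).

Assumed API shape (verify against your firmware's XML API reference):
  * POST https://<xg>:4444/webconsole/APIController, form field reqxml=<xml>
  * <Get><IPHost><Name>x</Name></IPHost></Get> returns the object; an IPList
    host keeps its members comma-separated in <ListOfIPAddresses>
  * <Set operation="update"><IPHost>...</IPHost></Set> replaces the object
Objects <base>-1 .. <base>-N, the host group and the firewall rule are made
once in webadmin; this script only reads and rewrites the member lists.
"""
import ipaddress
import ssl
import sys
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

MAX_PER_OBJECT = 1000                 # per-object limit stated in the thread
LOCK_FILE = "/run/lock/xg-f2b.lock"   # placeholder; serialises concurrent actions


def _login(user, password):
    return (f"<Login><Username>{escape(user)}</Username>"
            f"<Password>{escape(password)}</Password></Login>")


def build_get(user, password, name):
    """Request document that reads one IPHost object by name."""
    return (f"<Request>{_login(user, password)}<Get><IPHost>"
            f"<Name>{escape(name)}</Name></IPHost></Get></Request>")


def build_update(user, password, name, ips):
    """Request document that replaces the members of an existing IPv4 IPList."""
    return (f"<Request>{_login(user, password)}<Set operation=\"update\"><IPHost>"
            f"<Name>{escape(name)}</Name><IPFamily>IPv4</IPFamily>"
            f"<HostType>IPList</HostType>"
            f"<ListOfIPAddresses>{escape(','.join(ips))}</ListOfIPAddresses>"
            f"</IPHost></Set></Request>")


def parse_iplist(response_xml):
    """Members listed in a Get response; [] if the element is absent or empty."""
    node = ET.fromstring(response_xml).find("./IPHost/ListOfIPAddresses")
    if node is None or not node.text:
        return []
    return [ip.strip() for ip in node.text.split(",") if ip.strip()]


def apply_change(current, ip, op):
    """Member list after 'ban' or 'unban' of ip; order kept, no duplicates."""
    addr = ipaddress.ip_address(ip)           # rejects anything that is not an address
    if addr.version != 4:
        raise ValueError("IPv4 list object; got an IPv6 address")
    ip = str(addr)
    if op == "ban":
        return current if ip in current else current + [ip]
    if op == "unban":
        return [x for x in current if x != ip]
    raise ValueError(f"unknown operation {op!r}")


def split_objects(base, ips, count, limit=MAX_PER_OBJECT):
    """Spread ips over exactly `count` objects base-1..base-count, `limit` each."""
    if len(ips) > count * limit:
        raise ValueError(f"{len(ips)} entries exceed {count} x {limit}; add an object")
    return {f"{base}-{n}": ips[(n - 1) * limit:n * limit] for n in range(1, count + 1)}


def call_api(host, reqxml, verify_tls=True):
    """POST one request document to the XG and return the raw response body."""
    ctx = ssl.create_default_context()
    if not verify_tls:                        # lab box with a self-signed cert only
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    body = urllib.parse.urlencode({"reqxml": reqxml}).encode()
    req = urllib.request.Request(f"https://{host}:4444/webconsole/APIController", data=body)
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return resp.read().decode()


def sync(host, user, password, base, count, ip, op, verify_tls=True):
    """Read every list object, apply one ban/unban, write all objects back."""
    import fcntl                              # read-modify-write must not interleave
    with open(LOCK_FILE, "w") as lock:
        fcntl.flock(lock, fcntl.LOCK_EX)
        current = []
        for n in range(1, count + 1):
            current += parse_iplist(call_api(host, build_get(user, password, f"{base}-{n}"), verify_tls))
        new = apply_change(current, ip, op)
        for name, members in split_objects(base, new, count).items():
            call_api(host, build_update(user, password, name, members), verify_tls)
        return new


# Constructed sample of a Get response, for checking the parser offline.
SAMPLE_GET_RESPONSE = """<Response>
<Login><status>Authentication Successful</status></Login>
<IPHost transactionid=""><Name>f2b-1</Name><IPFamily>IPv4</IPFamily><HostType>IPList</HostType>
<ListOfIPAddresses>198.51.100.7, 203.0.113.9</ListOfIPAddresses></IPHost>
</Response>"""


if __name__ == "__main__":
    # fail2ban: actionban = xg_f2b.py ban <ip>   actionunban = xg_f2b.py unban <ip>
    op, ip = sys.argv[1], sys.argv[2]
    sync("xg.example.internal", "apiuser", "CHANGEME", "f2b", 2, ip, op)
```

Two caveats a deployment needs beyond the thread: because every ban is a read-modify-write of the whole object, two jails firing at once would lose an entry without the file lock, and an empty `ListOfIPAddresses` may or may not be accepted by a given firmware, so check that clearing a spare object works before relying on it. The user's SecurityPolicy question is sidestepped on purpose: the rule points at the host group from webadmin, and the script never touches it.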