
fail2ban and waf

Hi,

We migrated some websites from direct internet access to a WAF-style config, with the SSL and the external IP/DNS ending on Sophos XG. This immediately proved to have a negative effect on scripts (fail2ban and some others) that we use to block IP addresses. We considered using X-Forwarded-For to block the originating IP, but of course it has no effect under WAF. ;-)

Anyway: The question: we're looking for an easy (XG API) way, to make (things like) fail2ban work with websites in the XG WAF. Because currently, on one side XG WAF adds security, but it takes it away on the other side. :-)

So I hope someone has to share some XG API scripts he or she is using to upload IP's to be blocked/unblocked to the XG?

Anyone with samples?

(not sure i posted this in the right category...)



  • Hi all,

    No replies, but perhaps...weekend...? :-)

    I have started looking at the API docs, and can successfully authenticate via the API, so the basic procedure works. But, before continuing, I decided to ask again for advice:

    Looking at the API, I see a way to create an IPHost / HostGroupList, and to remove it again, but nothing to add/remove single IPs from an HostGroupList.

    My idea was to create a 'blacklist' firewall rule, matching an IPHost HostGroupList, and add/remove IPs to that list using the API, from a script from Fail2Ban.

    Question: Am I overlooking something? Is there really no easy way to add/remove single IPs from such a definition? Is there another way to mass-block IPs?

    I also looked at URL blacklists, but those are about URLs and not IPs, and browsing-only. Plus: it seems they are not refreshed often enough.
    (and strangely only supported over http and not HTTPS??!! Really??)

    Anyway, again: tips and advice would be very welcome! :-)

    Enjoy your Sunday and stay healthy!

  • Really? No one here is doing this, or am I missing something that is that obvious to everybody, that no one can be bothered to point it out to me?

  • Important to know: you are limited to 1000 IPs per object. So I do not know how big your list is, but maybe you need to create multiple objects on XG and split them up. That would not be hard to deal with in scripting languages.

  • Yep, understood. We will not be keeping IPs in it eternally, so in practice I guess 1000 IPs should be no problem.

    Thanks again!

  • So, while I have your attention... :-)

    Testing API scripting now, and I created a test-12345 network def in XG, and am trying with the following piece of API code to create a firewall rule "testing-12345", that will use the test-12345 def as a match criterion.

    However, the code below creates a firewall rule at the correct location, with the correct options, except for the matching, which is Any everywhere, including the SourceNetwork.

    Any idea why it would ignore the provided SourceNetwork?

    <Request>
    <Login>
    <Username>apiuser</Username>
    <Password passwordform="encrypt">E2A812</Password>
    </Login>
    <Set Operation="add">
    <SecurityPolicy>
    <Name>testing-12345</Name>
    <Status>Disable</Status>
    <IPFamily>IPv4</IPFamily>
    <Position>after</Position>
    <After>
    <Name>block from IPs</Name>
    </After>
    <PolicyType>Network</PolicyType>
    <NetworkPolicy>
    <SourceZones>
    <Zone>Any</Zone>
    </SourceZones>
    <SourceNetworks>
    <Network>test-12345</Network>
    </SourceNetworks>
    <Services>
    <Service>Any</Service>
    </Services>
    <Schedule>All The Time</Schedule>
    <DestinationZones>
    <Zone>Any</Zone>
    </DestinationZones>
    <DestinationNetworks>
    <Network>Any</Network>
    </DestinationNetworks>
    <!-- a single <Services> element (above) is enough for the rule; do not repeat it here -->
    <Action>Drop</Action>
    <MatchIdentity>Disable</MatchIdentity>
    <LogTraffic>Enable</LogTraffic>
    </NetworkPolicy>
    </SecurityPolicy>
    </Set>
    </Request>

  • I'm really getting the feeling there are very few people doing stuff like this...

  • Most home users and people involved in this community are likely not using the API for such processes.


    About your question. 

    I would even go a step back: create the Firewall rule via webadmin once. Add the IP Host List into the firewall rule.

    And only GET and POST the IP Host List. After reloading the Object via API, XG should automatically reload the Firewall without your need to edit it. 

  • Hi LuCar Toni,

    Thank you very much for bearing with me. :-)

    LuCar Toni said:

    Most home users and people involved in this community are likely not using the API for such processes.


    So... does that mean the professional XG users hang out some place else..? Or is XG simply mostly used by home users?

    LuCar Toni said:

    I would even go a step back: create the Firewall rule via webadmin once. Add the IP Host List into the firewall rule.

    And only GET and POST the IP Host List. After reloading the Object via API, XG should automatically reload the Firewall without your need to edit it. 


    Yeah I understand. Not to be stubborn, but having every DROP in its own separate rule makes for easier searching, and gives a bit more info on how much traffic is dropped, per IP. And there will not be THAT many IPs to block at the same time.

    But I could also do your approach, yes, with one single rule. (or actually two: one matching dest network, and one for source network, both using the same IPHostList def)

    Thanks again, I really appreciate your efforts!

  • As most customers have support contracts and/or no time to deal with communities, they are likely not to post anything here.

    The most active users here are Sophos partners, Sophos employees and home users (from my perspective).

    It is likely the point of who is using a community. Take a look at the open source community and then compare it to the Microsoft community for example. 

    This community is likely active but not frequently used by most administrators out there. 


  • Hi

    Yes, I have now also posted this issue with our support partner. If I end-up with working (bash) code, I will post it here, for the benefit of others.

    I wish there would be some more admins here using the API. I see many questions around it, and only little working code samples, except the few official info pages.

    Again: thanks LuCar Toni, for your time in this thread!

  • If anyone is interested, I have posted some very early bash code here:

    https://github.com/kkplein/xg_fail2ban

    A remaining issue is:

    the generated XML will create a firewall rule WITHOUT the configured SourceNetworks entry, but SourceNetworks will be set to "Any" :-(

    If anyone has an idea why that is, I would really appreciate a response here.

    (and other ideas and remarks also)

    It's probably not ready, and I'm not using it in production yet.

  • ok, I have updated the code and templates here (https://github.com/kkplein/xg_fail2ban) and everything seems to be working now. (from my testing anyway....)

    To ban hosts on XG, via the API, from an internal host "webserver" with API access, simply run on the webserver:

     xg_fail2ban ban 1.2.3.4

    This will create on XG an IPv4 host object (named "fail2ban-webserver-1.2.3.4") and a firewall rule with the same name, that would drop traffic coming from 1.2.3.4

    To release the ban, run on the webserver:

     xg_fail2ban unban 1.2.3.4

    This will delete on XG the firewall rule, and then also the host object, so everything is back to initial state.

    What remains to be done:

    - hook-up the script to fail2ban

    Suggestions, or remarks... MORE than welcome!
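Putting the pieces of this thread together (the 1000-hosts-per-object limit, LuCar Toni's "create the rule once in webadmin and only rewrite the host list" suggestion, and the ban/unban interface described in the post above), the following is an added example of what such a fail2ban action can look like. It is not the code from the xg_fail2ban repository. Everything about the XG API in it is assumed rather than taken from the thread: the endpoint https://$XG_HOST:4444/webconsole/APIController with the XML passed in a `reqxml` POST field, the IPHost / IPHostGroup / HostList / Host element names, the `<Status code="200">` reply, that an empty HostList is accepted, and the paths under /etc/xg_fail2ban and /var/lib/xg_fail2ban; verify each against your firewall's API documentation. The drop rule and the groups fail2ban-webserver-1, -2, ... are created once in webadmin; the script only creates the per-IP host objects and fills the groups.

```shell
#!/bin/sh
# Added example (not the xg_fail2ban repository's code). ASSUMED, not from the
# thread: the API endpoint and 'reqxml' form field, the IPHost/IPHostGroup/
# HostList/Host element names, the <Status code="200"> reply, and the paths.
XG_HOST="${XG_HOST:-xg.example.internal}"                 # assumed firewall name
XG_USER="${XG_USER:-apiuser}"
XG_PASS="${XG_PASS:-$(cat /etc/xg_fail2ban/passwd 2>/dev/null || :)}"  # 0600 file, not argv
XG_CA="${XG_CA:-/etc/xg_fail2ban/xg-ca.pem}"              # pin the XG's cert chain; never curl -k
XG_STATE="${XG_STATE:-/var/lib/xg_fail2ban/banned.txt}"   # host objects currently banned
XG_GROUP_MAX=1000                                          # per-object limit quoted in the thread
BAN_PREFIX="fail2ban-${XG_SRC:-webserver}"                 # -> fail2ban-webserver-1.2.3.4

# fail2ban hands us an address pulled out of a log line. Accept only a strict
# dotted quad so a crafted log entry cannot smuggle XML into the API request.
is_ipv4() {
  case $1 in *[!0-9.]*|.*|*.|*..*|*.*.*.*.*) return 1 ;; *.*.*.*) ;; *) return 1 ;; esac
  rest=$1
  while :; do
    o=${rest%%.*}
    case $o in 0?*) return 1 ;; esac              # no leading zeros (octal ambiguity)
    [ "$o" -le 255 ] || return 1
    if [ "$rest" = "$o" ]; then return 0; fi
    rest=${rest#*.}
  done
}

xml_escape() { printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g; s/"/\&quot;/g'; }

# Login envelope. The thread's XML adds passwordform="encrypt" to <Password>;
# do the same here if you store the encrypted form instead of the plaintext.
xg_envelope() {
  printf '<Request><Login><Username>%s</Username><Password>%s</Password></Login>%s</Request>' \
    "$(xml_escape "$XG_USER")" "$(xml_escape "$XG_PASS")" "$1"
}

build_iphost_add() {   # $1 object name, $2 IPv4 address (already validated)
  printf '<Set operation="add"><IPHost><Name>%s</Name><IPFamily>IPv4</IPFamily><HostType>IP</HostType><IPAddress>%s</IPAddress></IPHost></Set>' "$1" "$2"
}
build_remove() {       # $1 entity (IPHost, IPHostGroup, ...), $2 object name
  printf '<Remove><%s><Name>%s</Name></%s></Remove>' "$1" "$2" "$1"
}

# Reads host object names on stdin, one per line, and emits one group update
# per XG_GROUP_MAX names (groups $1-1, $1-2, ...), one request per output line.
# With no names at all it still emits an empty $1-1 so the drop rule matches nothing.
build_hostgroups() {
  base=$1; idx=1; n=0; hosts=""
  while IFS= read -r h || [ -n "$h" ]; do
    [ -n "$h" ] || continue
    hosts="$hosts<Host>$h</Host>"; n=$((n + 1))
    if [ "$n" -eq "$XG_GROUP_MAX" ]; then
      emit_group "$base-$idx" "$hosts"; idx=$((idx + 1)); n=0; hosts=""
    fi
  done
  if [ "$n" -gt 0 ] || [ "$idx" -eq 1 ]; then emit_group "$base-$idx" "$hosts"; fi
}
emit_group() {
  printf '<Set operation="update"><IPHostGroup><Name>%s</Name><IPFamily>IPv4</IPFamily><HostList>%s</HostList></IPHostGroup></Set>\n' "$1" "$2"
}

xg_send() {            # POST one request body; prints the raw reply XML
  curl -sS --fail --cacert "$XG_CA" "https://$XG_HOST:4444/webconsole/APIController" \
    --data-urlencode "reqxml=$(xg_envelope "$1")"
}
xg_ok() { printf '%s' "$1" | grep -q '<Status code="200">'; }   # assumed reply format

push_groups() {        # rewrite every group from the local state file
  build_hostgroups "$BAN_PREFIX" < "$XG_STATE" | while IFS= read -r body; do
    resp=$(xg_send "$body") && xg_ok "$resp" || { echo "group update failed: $resp" >&2; exit 1; }
  done
}
ban() {
  is_ipv4 "$1" || { echo "refusing '$1': not an IPv4 address" >&2; return 2; }
  name="$BAN_PREFIX-$1"
  resp=$(xg_send "$(build_iphost_add "$name" "$1")") && xg_ok "$resp" ||
    { echo "IPHost add failed: $resp" >&2; return 1; }
  grep -qx "$name" "$XG_STATE" 2>/dev/null || echo "$name" >> "$XG_STATE"
  push_groups
}
unban() {
  is_ipv4 "$1" || { echo "refusing '$1': not an IPv4 address" >&2; return 2; }
  name="$BAN_PREFIX-$1"
  grep -vx "$name" "$XG_STATE" > "$XG_STATE.tmp" 2>/dev/null || :
  mv "$XG_STATE.tmp" "$XG_STATE"
  push_groups                                    # drop the reference first, then the object
  resp=$(xg_send "$(build_remove IPHost "$name")") && xg_ok "$resp" ||
    { echo "IPHost remove failed: $resp" >&2; return 1; }
}

# fail2ban hook (action.d/xg.conf):   actionban   = /usr/local/sbin/xg_fail2ban ban <ip>
#                                     actionunban = /usr/local/sbin/xg_fail2ban unban <ip>
case ${1:-} in ban|unban) "$1" "$2" ;; esac
```

Two things to check before trusting this: fail2ban has to see the real client address, which behind the WAF means your webserver log format has to record the X-Forwarded-For value the XG passes on (if it does in your configuration), otherwise it bans the XG itself; and when the banned list shrinks back across a 1000 boundary, the higher-numbered group keeps its old members until you push it again, so either keep a fixed number of groups or push an emptied one. The address is the only attacker-influenced input that ends up inside the XML request, which is why the script refuses anything that is not a plain dotted quad.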
