
fail2ban and waf

Hi,

We migrated some websites from direct internet access to a WAF-style config, with the SSL and the external IP/DNS ending on Sophos XG. This immediately proved to have a negative effect on scripts (fail2ban and some others) that we use to block IP addresses. We considered using X-Forwarded-For to block the originating IP, but of course it has no effect under WAF. ;-)

Anyway: The question: we're looking for an easy (XG API) way, to make (things like) fail2ban work with websites in the XG WAF. Because currently, on one side XG WAF adds security, but it takes it away on the other side. :-)

So I hope someone has some XG API scripts to share that he or she is using to upload IPs to be blocked/unblocked to the XG?

Anyone with samples?

(not sure I posted this in the right category...)



  • Hi LuCar Toni,

    Thank you very much for bearing with me. :-)

    LuCar Toni said:

    Most home user and people involved in this community likely are not using the API for such processes. 


    So... does that mean the professional XG users hang out some place else..? Or is XG simply mostly used by home users?

    LuCar Toni said:

    I would even go a step back: create the Firewall rule via webadmin once. Add the IP Host List into the firewall rule.

    And only GET and POST the IP Host List. After reloading the Object via API, XG should automatically reload the Firewall without your need to edit it. 

    Yeah, I understand. Not to be stubborn, but having every DROP in its own separate rule makes for easier searching, and gives a bit more info on how much traffic is dropped per IP. And there will not be THAT many IPs to block at the same time.

    But I could also do your approach, yes, with one single rule (or actually two: one matching dest network, and one for source network, both using the same IPHostList def).

    Thanks again, I really appreciate your efforts!

  • As most customers have support contracts and/or no time to deal with communities, they are not likely to post anything here. 

    The most active users here are Sophos partners, Sophos employees and home users (from my perspective). 

    It likely comes down to who is using a community. Take a look at the open source community and then compare it to the Microsoft community, for example. 

    This community is likely active but not frequently used by most administrators out there. 


  • Hi

    Yes, I have now also posted this issue with our support partner. If I end up with working (bash) code, I will post it here, for the benefit of others.

    I wish there were some more admins here using the API. I see many questions around it, and only a few working code samples, apart from the few official info pages.

    Again: thanks LuCar Toni, for your time in this thread!

  • If anyone is interested, I have posted some very early bash code here:

    https://github.com/kkplein/xg_fail2ban

    A remaining issue is:

    the generated XML creates a firewall rule WITHOUT the configured SourceNetworks entry; instead SourceNetworks is set to "Any" :-(

    If anyone has an idea why that is, I would really appreciate a response here.

    (and other ideas and remarks also)

    It's probably not ready, and I'm not using it in production yet.

  • OK, I have updated the code and templates here (https://github.com/kkplein/xg_fail2ban) and everything seems to be working now (from my testing, anyway...).

    To ban hosts on XG, via the API, from an internal host "webserver" with API access, simply run on the webserver:

     xg_fail2ban ban 1.2.3.4

    This will create on XG an IPv4 host object (named "fail2ban-webserver-1.2.3.4") and a firewall rule with the same name that drops traffic coming from 1.2.3.4.

    To release the ban, run on the webserver:

     xg_fail2ban unban 1.2.3.4

    This will delete on XG the firewall rule and then also the host object, so everything is back to the initial state.

    What remains to be done:

    - hook-up the script to fail2ban

    Suggestions, or remarks... MORE than welcome!
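Added example, not the xg_fail2ban script from the repository linked above and not Sophos code: a POSIX shell script that implements the single-list variant LuCar Toni suggested earlier in the thread (one IP list object that a DROP rule created once in webadmin points at, rewritten on every ban/unban) and that also emits the fail2ban action file the last post still had on its to-do list. Everything XG-specific in it is an assumption to be checked against the API reference for your XG version: the `https://<xg>:4444/webconsole/APIController` endpoint with the request XML POSTed as the `reqxml` form field, the `IPHost` fields for `HostType` `IPList` with a comma-separated `ListOfIPAddresses`, that `Set` on an existing `Name` updates the object, that an empty list is rejected (hence the RFC 5737 placeholder), and the host, user and path names. The two things the script does that the per-IP rule approach also needs are validating the address fail2ban passes in before it reaches the XML, and escaping the credentials.

```shell
#!/bin/sh
# xg_banlist.sh: keep ONE Sophos XG "IP list" host object in sync with fail2ban.
# Added example for this thread, not the code from github.com/kkplein/xg_fail2ban
# and not Sophos code. Assumed (verify against the API reference of your version):
#  - endpoint https://<xg>:4444/webconsole/APIController, request XML POSTed as
#    the form field "reqxml";
#  - IPHost with HostType IPList takes a comma-separated ListOfIPAddresses, and
#    Set on an existing Name updates that object in place;
#  - a DROP rule using this list was created once in webadmin (no rule XML here);
#  - an empty list is rejected, so a TEST-NET-1 placeholder is kept when none is banned.
set -eu

XG_HOST="${XG_HOST:-xg.example.internal}"            # assumed hostname
XG_PORT="${XG_PORT:-4444}"
XG_USER="${XG_USER:-apiuser}"                          # assumed API-enabled admin
XG_PASS="${XG_PASS:-change-me}"                        # better: export from a root-only env file
XG_CA="${XG_CA:-/etc/ssl/certs/xg-admin-ca.pem}"      # pin the admin cert; do not use curl -k
XG_LIST_NAME="${XG_LIST_NAME:-fail2ban-webserver}"     # the object the webadmin rule points at
STATE_FILE="${STATE_FILE:-/var/lib/xg_banlist/banned.txt}"
PLACEHOLDER="192.0.2.1"                                # RFC 5737, never routed on the internet

# Accept only a dotted quad with octets 0-255. fail2ban hands us the string
# that ends up inside the XML body, so '<', '&', spaces etc. are refused here.
valid_ipv4() {
  case "$1" in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# Escape the three characters that would break or alter the XML request.
xml_escape() { printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'; }

# Banned addresses as a comma-separated list, or the placeholder when empty.
current_list() {
  list=""
  if [ -f "$STATE_FILE" ]; then
    list=$(grep -v '^$' "$STATE_FILE" | LC_ALL=C sort -u | paste -sd, -)
  fi
  printf '%s' "${list:-$PLACEHOLDER}"
}

# The XG API request that (re)defines the list object.
build_set_xml() {
  printf '<Request><Login><Username>%s</Username><Password>%s</Password></Login>' \
    "$(xml_escape "$XG_USER")" "$(xml_escape "$XG_PASS")"
  printf '<Set><IPHost><Name>%s</Name><IPFamily>IPv4</IPFamily><HostType>IPList</HostType>' \
    "$(xml_escape "$XG_LIST_NAME")"
  printf '<ListOfIPAddresses>%s</ListOfIPAddresses></IPHost></Set></Request>' "$1"
}

# Send it. --data-urlencode percent-encodes the XML; --fail turns HTTP errors into exit codes.
push_list() {
  curl -sS --fail --cacert "$XG_CA" \
    --data-urlencode "reqxml=$(build_set_xml "$(current_list)")" \
    "https://${XG_HOST}:${XG_PORT}/webconsole/APIController"
}

ban_ip() {
  valid_ipv4 "$1" || { echo "refusing address: $1" >&2; return 2; }
  mkdir -p "$(dirname "$STATE_FILE")"; touch "$STATE_FILE"
  grep -qxF "$1" "$STATE_FILE" || echo "$1" >> "$STATE_FILE"
}

unban_ip() {
  valid_ipv4 "$1" || { echo "refusing address: $1" >&2; return 2; }
  [ -f "$STATE_FILE" ] || return 0
  grep -vxF "$1" "$STATE_FILE" > "$STATE_FILE.tmp" || true   # grep exits 1 when nothing is left
  mv "$STATE_FILE.tmp" "$STATE_FILE"
}

# fail2ban hook: save as /etc/fail2ban/action.d/xg_banlist.conf and set
# "action = xg_banlist" in the jail; the install path of this script is assumed.
fail2ban_action() {
  cat <<'EOF'
[Definition]
actionstart =
actionstop =
actioncheck =
actionban = /usr/local/sbin/xg_banlist.sh ban <ip>
actionunban = /usr/local/sbin/xg_banlist.sh unban <ip>
EOF
}

main() {
  case "$1" in
    ban)    ban_ip "${2:-}"   && push_list ;;
    unban)  unban_ip "${2:-}" && push_list ;;
    action) fail2ban_action ;;
    *)      echo "usage: $0 ban|unban <ipv4> | action" >&2; return 2 ;;
  esac
}
# Dispatch only when called with arguments, so the functions can also be sourced.
[ $# -eq 0 ] || main "$@"
```

Usage: `xg_banlist.sh action > /etc/fail2ban/action.d/xg_banlist.conf`, then `action = xg_banlist` in the jail; fail2ban calls `xg_banlist.sh ban 1.2.3.4` and `xg_banlist.sh unban 1.2.3.4` itself. Because the whole list is re-sent each time, the XG object and the local state file cannot drift apart after a lost request, and the placeholder address is harmless in a DROP rule since TEST-NET-1 is never routed. As the thread already notes, the calling host needs API access on the XG; restricting that access to the webserver's address and using a dedicated API account with no other rights keeps the blast radius small if the state file or environment with the credentials is ever exposed.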