Python based Apache Firewall and Log analyzer


joerg....@owasp.org

Oct 2, 2014, 5:25:44 AM
to owasp-pro...@owasp.org
Dear Group,

While working on securing an Apache server, a tiny idea came to my mind which I would like to start as a project.

The first code is already submitted here:


Basic idea is a Loganalyzer working on Apache logs and blocking badguys via iptables.
Currently it only works on header information about the client and blocks sqlmap, Python and Wget.
I know that most ideas can be done with mod_security, but this led to some trouble with the badly designed web interface :-)

So, any ideas are welcome.

Kind regards 

Joerg

johanna curiel curiel

Oct 2, 2014, 5:29:13 PM
to owasp-...@lists.owasp.org, projects-...@owasp.org, owasp-c...@lists.owasp.org, owasp-pro...@owasp.org
Please follow this discussion in owasp-pro...@owasp.org:
--
You received this message because you are subscribed to the Google Groups "OWASP PROJECT IDEAS" group.
To unsubscribe from this group and stop receiving emails from it, send an email to owasp-project-i...@owasp.org.
To post to this group, send email to owasp-pro...@owasp.org.
To view this discussion on the web visit https://groups.google.com/a/owasp.org/d/msgid/owasp-project-ideas/526474be-b05b-4904-bbe3-9067ac4866a6%40owasp.org.

Rahim Jina

Oct 3, 2014, 1:48:33 AM
to Rogan Dawes, johanna curiel curiel, owasp-c...@lists.owasp.org, owasp-...@lists.owasp.org, owasp-pro...@owasp.org, projects-...@owasp.org
And fail2ban!


On 3 Oct 2014, at 04:29, Rogan Dawes <ro...@dawes.za.net> wrote:

Er, sounds like logwatch to me...

_______________________________________________
OWASP-Leaders mailing list
OWASP-...@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-leaders


joerg....@owasp.org

Oct 4, 2014, 11:55:46 AM
to owasp-pro...@owasp.org, joerg....@owasp.org
Hi all,

Yes, I know, the basic features are all covered by different tools.
Logwatch does a part of it, fail2ban can do another.

In the current version I added more analysis and configuration features. You can now do a "try run", which is logging only, and you can add GeoIP data to the output.
And optional header information can now be added through a separate file.

I just thought it would be a great OWASP project. But I will work on it anyway.
Next will be an analyzer add-on, which will try to create a blacklist out of the data, and I may add a blocklist.de init script to block already reported hosts.
All in all, I will try to make this little Python script as good as it can be.

Stay tuned and Cheers

Joerg
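
Added example, not part of the original thread and not the project's own code: a sketch of the approach described above, which reads Apache combined-format lines, flags clients whose User-Agent contains sqlmap, Python or Wget, and in a logging-only "try run" returns the iptables commands it would issue instead of running them. The function names, the `-I INPUT ... -j DROP` rule form and the sample log lines are assumptions made for illustration.

```python
import ipaddress
import re

# Apache "combined" LogFormat: host ident user [time] "request" status bytes "referer" "agent"
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?:[^"\\]|\\.)*" \d{3} \S+ '
    r'"(?:[^"\\]|\\.)*" "(?P<agent>(?:[^"\\]|\\.)*)"\s*$'
)
BLOCKED_AGENTS = ("sqlmap", "python", "wget")  # tokens named in the thread

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Oct/2014:05:25:44 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512 "-" "sqlmap/1.0-dev (http://sqlmap.org)"',
    '198.51.100.23 - - [02/Oct/2014:05:26:01 +0000] "GET / HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0"',
    '2001:db8::5 - - [02/Oct/2014:05:26:09 +0000] "GET /robots.txt HTTP/1.0" 404 209 "-" "Wget/1.15 (linux-gnu)"',
    'crawler.example.net - - [02/Oct/2014:05:27:30 +0000] "GET / HTTP/1.1" 200 10 "-" "python-requests/2.4.1"',
]

def offending_hosts(lines, blocked=BLOCKED_AGENTS):
    """Return {ip: matched_token} for clients whose User-Agent contains a blocked token."""
    hits = {}
    for line in lines:
        m = COMBINED.match(line)
        if not m:
            continue  # malformed line: ignore rather than guess
        try:
            ip = str(ipaddress.ip_address(m.group("host")))
        except ValueError:
            continue  # host field is a name (HostnameLookups On): never passed to the firewall
        agent = m.group("agent").lower()
        token = next((t for t in blocked if t in agent), None)
        if token:
            hits.setdefault(ip, token)
    return hits

def iptables_rules(hits):
    """Build one DROP rule per address as an argv list (no shell string interpolation)."""
    rules = []
    for ip in sorted(hits):
        tool = "ip6tables" if ipaddress.ip_address(ip).version == 6 else "iptables"
        rules.append([tool, "-I", "INPUT", "-s", ip, "-j", "DROP"])
    return rules

def dry_run(lines=SAMPLE_LOG):
    """Logging-only mode: return the commands that would be run, without running them."""
    return [" ".join(rule) for rule in iptables_rules(offending_hosts(lines))]

if __name__ == "__main__":
    print("\n".join(dry_run()))
```

The second sample line carries a browser-style User-Agent and is not flagged, which is the limit of header-only matching.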

Tony Turner

Oct 4, 2014, 3:32:10 PM
to timogoosen, owasp-pro...@owasp.org, projects-...@owasp.org, owasp-c...@lists.owasp.org

I really dislike anyone discouraging others from pushing their project due to something like LoC.  Every project started somewhere.

On Oct 4, 2014 5:16 AM, "timogoosen" <timog...@runbox.com> wrote:
This is cool and a great idea, I've also in the past been very
interested in analyzing apache and nginx logs and detecting weird
behavior in the log. I've found weird stuff and found out about weird
new exploits by googling things I found in web server logs.

I am one of the people who reviews documentation
for OWASP these days and I am going to give you some feedback/criticism,
please don't take it as discouragement. I'd like to wish you
the best for your infosec career/hobby.


What kind of output does it give of your logs?


"Basic idea is a Loganalyzer working on Apache logs and blocking badguys
via iptables."
Define: "bad guys". (People trying to do what?) I take it you are trying
to block people using sqlmap for example, maybe think of expanding your
definition of "bad guys" to people trying to run tools like slowloris
and pyloris etc. (I'm not sure what the "in tool" for that is at the
moment.)


Blocking badguys via iptables? I haven't had time to read the code, but
this is something you can put on your GitHub page in the README,
how does it block them in iptables? Could you give an example of an
iptables rule generated by this script?

By header I think you are referring to useragent? What stops me from
spoofing the user agent?
curl --user-agent "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0" http://somesite.com
(You could do the equivalent with wget (which is one of the user agents
that you block); I just didn't have time to look up wget syntax now.)
Also remember besides wget and curl you should also block fetch, links etc.

Have you thought of blocking people from tor? You could block people
using a blacklist of exit node IPs and
block traffic by IP.


No offense, but this is literally a Python script of 86 lines, I don't
think this is
worthy of becoming an OWASP project. Also this is restricted to iptables
which is limited only
to the Linux platform. There are many other operating systems and
firewalls, in the BSD world
for example there is: IPF, IPFW and PF.

How much have you tested this? Is this useful for other people?

What kind of license is this:
https://github.com/johestephan/mypyapachefw/blob/master/Licence.txt
Perhaps just state the name of the type of license, for example is it
GPL, GNU or BSD license?

Also have a look at different Linux distros, but apache2 is called
httpd on some Linux distros. And I might be wrong but besides
access.log you also want to look at error.log.
I think on RHEL based Linux distros the log file is:
/var/log/httpd-access.log

Regards.
Timo.





On 10/02/2014 09:29 PM, johanna curiel curiel wrote:
> Basic idea is a Loganalyzer working on Apache logs and blocking badguys
> via iptables.
_______________________________________________
Owasp-community mailing list
Owasp-c...@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-community

Joerg Stephan

Oct 4, 2014, 3:48:07 PM
to Tony Turner, timogoosen, owasp-pro...@owasp.org, projects-...@owasp.org, owasp-c...@lists.owasp.org
Hi,

Yes,
but as it is an 86-line Python code, there is much work to do.

So, first of all, thanks for the feedback. I will include it.

And yes, it is possible to fake your agent information, but most scripts don't do it. There are many guys around and the tiny script is (currently) not the holy grail when it comes to a real hacker, who really wants to attempt your system.
But it works. The script is in real-time test on my private server, and it works so far.

Thanks!

Joerg


Owasp

Oct 4, 2014, 5:21:46 PM
to Tony Turner, timogoosen, owasp-pro...@owasp.org, projects-...@owasp.org, owasp-c...@lists.owasp.org

The entire concept of the OWASP incubator phase is to allow anyone to start a project under the OWASP umbrella guidelines. As long as the leader sticks with these guidelines, the content or matter is a free choice of the leader.

Let's just keep in mind that when the Google founders decided to launch a search engine, 5 already existed. Mod security does a great job, but all rules available are not free. When ZAP started there were enough proxy servers out there.

It is good to explore how to make your project better and receive feedback, but as an incubator project, the leader has all the opportunities to develop his project in any direction he finds it suits the problem he wants to assess or solve through it.


Regards

Johanna