Atomic Secure Linux
Post subject: Re: atomic-accelerator?
Posted: Wed May 16, 2012 1:28 pm
Atomicorp Staff - Site Admin
Location: earth

Select local web service->Port and optionally SSL or not. If you use SSL, make sure your cert & keys are right.


Post subject: Re: atomic-accelerator?
Posted: Wed May 16, 2012 5:08 pm
Forum Regular
Location: South Africa

scott wrote:
Select local web service->Port and optionally SSL or not. If you use SSL, make sure your cert & keys are right.


Hi Scott - gave this a shot but did not get the desired result.

Enabled WAF for local web service on Port 8080

embedded * * * * 80
embedded * * * * 443
local proxy - / - - 8080

Started Nginx & it was serving the content, however ASL reported the Local IP as the Offender.

Attacker: 197.221.19.226

--7239dd5d-A--
[16/May/2012:22:46:31 +0200] T7QSJ8XdE@IAAHHjK6AAAAAE 197.221.19.226 38839 197.221.19.226 8080

--7239dd5d-B--
GET /?-s HTTP/1.0
Host: www.2large.co.za
X-Real-IP: 115.241.246.86
X-Forwarded-For: 115.241.246.86
Connection: close
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (MSIE 6.0; Windows NT 5.1)
Accept-Language: en-us
Accept: */*

_________________
Mark Brindley
2Large Networks - Web solutions that work


Post subject: Re: atomic-accelerator?
Posted: Wed May 16, 2012 6:59 pm
Atomicorp Staff - Site Admin
Location: earth

That's right, outside of Plesk there is no system to configure the downstream daemon to know about logging. You'll need to sort that out with whatever daemon(s) you use independently.


Post subject: Re: atomic-accelerator?
Posted: Thu May 17, 2012 6:11 pm
Atomicorp Staff - Site Admin
Location: Chantilly, VA

Quote:
Started Nginx & it was serving the content, however ASL reported the Local IP as the Offender.


So can you clarify, are you saying that if you connect to your system, through the T-WAF, from an external IP 1.2.3.4 and run a test attack thru the T-WAF, the T-WAF is not reporting 1.2.3.4 as the attacker's IP but rather the local system's IP?

Or is nginx reporting the local system's IP as the source of the attack?

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


Post subject: Re: atomic-accelerator?
Posted: Fri May 18, 2012 5:28 pm
Forum Regular
Location: South Africa

mikeshinn wrote:
So can you clarify, are you saying that if you connect to your system, through the T-WAF, from an external IP 1.2.3.4 and run a test attack thru the T-WAF, the T-WAF is not reporting 1.2.3.4 as the attacker's IP but rather the local system's IP?


Yes, that is correct.

_________________
Mark Brindley
2Large Networks - Web solutions that work


Post subject: Re: atomic-accelerator?
Posted: Fri May 18, 2012 6:48 pm
Atomicorp Staff - Site Admin
Location: Chantilly, VA

Would it be possible to get access to your system to see how it's configured? If so, please follow the process at the URL below and send an email to support AT atomicorp DOT com:

https://www.atomicorp.com/wiki/index.ph ... _system.3F

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


Post subject: Re: atomic-accelerator?
Posted: Fri May 18, 2012 7:02 pm
Forum Regular
Location: South Africa

Sure thing, please see your email.

_________________
Mark Brindley
2Large Networks - Web solutions that work


Post subject: Re: atomic-accelerator?
Posted: Sat May 19, 2012 2:59 pm
Atomicorp Staff - Site Admin
Location: Chantilly, VA

So I logged in, and it looks like you uninstalled everything, so I'm still not clear on what you did. You may have proxied to Apache itself where you have Apache configured to use its own embedded WAF, or maybe something else. It sounds like the former was your problem. So could you elaborate a little more about exactly what you had set up, and we can help you.

Going forward, if you are running traffic thru the T-WAF (or anything else for that matter, any proxy) and back to Apache, you need to install mod_rpaf in Apache:

https://www.atomicorp.com/wiki/index.ph ... the_WAF.3F

If you put something in front of the T-WAF, you'd have to do the same thing.

If you are using the T-WAF in front of Apache, then you need to disable embedded mode for Apache. It's not necessary.

In your post you said you did this:

embedded * * * * 80
embedded * * * * 443
local proxy - / - - 8080

So looking at your Apache logs I see requests from 197.221.19.x for port 8080 going to Apache. Were you proxying things back to Apache?

Here's an example I found:

[19/May/2012:10:58:03 +0200] T7dgm8XdE@IAAHlkQN4AAAAC 197.221.19.227 35995 197.221.19.227 8080 <- that's the destination port and you have the T-WAF set up to proxy it

--57596b39-B--
POST /some_url.html HTTP/1.0
Host: http://www.domain.com
X-Real-IP: 1.2.3.4
X-Forwarded-For: 1.2.3.4

Or did you have nginx proxying to Apache? Keep in mind that if you put a proxy in front of Apache and ModSecurity is in embedded mode, you will see the local IP address as the source. So you need to disable embedded mode if you put the T-WAF in front of Apache, or if you put something else in front of Apache and you want to use the WAF in embedded mode, you need to install mod_rpaf.

https://www.atomicorp.com/wiki/index.ph ... the_WAF.3F

In any event, could you explain again what you set up? I'm not clear what was listening on what port, what was proxying, what was forwarding to what, etc. Right now it looks like this was as simple as embedded mode being enabled, and you had not installed mod_rpaf. Please let me know.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.
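As an added example (not Atomicorp's code and not part of this thread), the script below parses the ModSecurity audit-log excerpt quoted earlier and flags the symptom described above, a recorded source address that is the local proxy itself. It also shows the mod_rpaf idea in plain Python: X-Real-IP / X-Forwarded-For are trusted only when the TCP peer is a known proxy. The trusted-proxy set and the helper names are assumptions.

```python
import ipaddress
import re

# Constructed sample built from the section A / B lines quoted in this thread.
AUDIT_ENTRY = """--7239dd5d-A--
[16/May/2012:22:46:31 +0200] T7QSJ8XdE@IAAHHjK6AAAAAE 197.221.19.226 38839 197.221.19.226 8080
--7239dd5d-B--
GET /?-s HTTP/1.0
Host: www.2large.co.za
X-Real-IP: 115.241.246.86
X-Forwarded-For: 115.241.246.86
"""

# Section A layout: [timestamp] unique-id source-ip source-port dest-ip dest-port
SECTION_A = re.compile(
    r"^\[[^\]]+\] \S+ (?P<src>\S+) (?P<sport>\d+) (?P<dst>\S+) (?P<dport>\d+)$", re.M)


def parse_entry(text):
    """Return (src_ip, dst_ip, dst_port, headers) for one audit-log entry."""
    m = SECTION_A.search(text)
    if m is None:
        raise ValueError("no section A line in audit entry")
    headers = {}
    for line in text.splitlines():
        # "Name: value" lines only; skip part boundaries and the section A line.
        if ":" in line and not line.startswith(("--", "[")):
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return m["src"], m["dst"], int(m["dport"]), headers


def proxy_misconfigured(src, dst):
    """True when the reported attacker is the local proxy (this thread's symptom)."""
    return src == dst


def client_ip(src, headers, trusted_proxies):
    """Honour X-Real-IP / X-Forwarded-For only when the peer is a trusted proxy
    (what mod_rpaf does for Apache); otherwise the peer address is the client."""
    if src not in trusted_proxies:
        return src
    forwarded = headers.get("x-real-ip") or headers.get("x-forwarded-for", "")
    first_hop = forwarded.split(",")[0].strip()  # leftmost entry is the client
    try:
        return str(ipaddress.ip_address(first_hop))
    except ValueError:  # malformed header value: fall back to the peer
        return src
```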


Post subject: Re: atomic-accelerator?
Posted: Sun May 20, 2012 11:13 am
Forum Regular
Location: South Africa

@mikeshinn -

Thank you for taking a look and sorry for creating confusion by removing everything.
I did not anticipate you looking into it over the weekend.

Early on Saturday morning, I decided to turn off Nginx and let things stay as "normal" until Monday.
Something went horribly wrong and I was unable to access any sites on port 80 or 8080.
I had to remove everything and reboot the server to get it back to its previous state.

I will attempt to reconfigure everything this evening following the guidelines & your comments.
This time I will document my steps in more detail.

_________________
Mark Brindley
2Large Networks - Web solutions that work


Post subject: Re: atomic-accelerator?
Posted: Sun May 20, 2012 12:48 pm
Atomicorp Staff - Site Admin
Location: Chantilly, VA

No worries, just let us know what you set up and how it's configured.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.

