Looking for Default Behavior of LAN to LAN access list - firewall

I have inherited admin of an NSA3600. There are a ton of LAN>LAN allow rules configured. It would seem to me that from the LAN zone to the same LAN zone, the default would be to allow the traffic. Is this a situation where once an allow rule is manually configured, the OS places an Implicit DENY at the end of the list? There is NOT an Explicit DENY at the end of the list, so what would be the reason for the specific Allow rules to be configured otherwise?
Thanks for the help, and sorry if this is in the wrong forum.

I'd need a bit more detail, but to my knowledge there would not be an implicit Deny. Referring to SonicOS 5 & 6, unsure about the new 7.
It's more likely because you have other devices/subnets (APs, Routers, VLANs) that are part of the same LAN zone. Therefore you have greater granularity with what is permitted or denied in your access rules.

Related

TYPO3 block IP addresses

Somebody tried to get access to my TYPO3 backend. I already have the IP address of the attacker and want to block it from the backend.
I already tried to block the IP with .htaccess but this doesn't work. I think the rules are overwritten by something else in the .htaccess file which I couldn't figure out yet.
Captcha is at the moment not a suitable solution.
Are there any good extensions for blocking IP addresses or is there another way to avoid these brute-force attacks?
If you are really concerned about somebody being able to successfully get access to the system I suggest going the "white list" path instead of blacklisting single IPs.
TYPO3 has a built-in feature to block backend access for ALL IPs except some white-listed ones.
To do this just add the following into AdditionalConfiguration.php, putting in your own IP and the IPs (or subnets) of other users too.
$GLOBALS["TYPO3_CONF_VARS"]['BE']['IPmaskList'] = 'x.x.x.x,y.y.y.*,z.z.*.*';
Other than that, just make sure you take the basic steps to make your backend more secure:
1) Force SSL for the backend:
$GLOBALS['TYPO3_CONF_VARS']['BE']['lockSSL'] = 2;
2) Implement a secure password policy for the backend users by using e.g. EXT:be_secure_pw
3) Secure session cookies to have ssl_only and http_only attributes:
$GLOBALS['TYPO3_CONF_VARS']['SYS']['cookieHttpOnly']=1;
$GLOBALS['TYPO3_CONF_VARS']['SYS']['cookieSecure']=1;
4) And last but not least: make sure you are using the most recent version of your TYPO3 version line, ideally a maintained LTS version.
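To see what a given IPmaskList value actually admits before deploying it, here is an added Python re-implementation of the list semantics (this is example code, not TYPO3's own matcher). It assumes, as the TYPO3 documentation describes, that the list is comma-separated, that `*` in an octet position matches any value, that CIDR entries such as `192.0.2.0/24` are also accepted, and that an empty list means no restriction at all; the addresses in `IPMASK_LIST` are constructed documentation-range examples.

```python
import ipaddress

# Constructed example list (documentation ranges), not an address set from the post.
# Assumption: TYPO3's ['BE']['IPmaskList'] is comma-separated; each entry is either a
# dotted quad in which '*' means "any value in this octet" or a CIDR block a.b.c.d/nn.
IPMASK_LIST = "203.0.113.7,198.51.100.*,192.0.2.0/24"


def _entry_matches(entry: str, ip: str) -> bool:
    """Return True if one IPmaskList entry admits the IPv4 address `ip`."""
    entry = entry.strip()
    if not entry:
        return False
    if "/" in entry:
        # CIDR entry; strict=False so a host address with a prefix (192.0.2.5/24) is accepted
        return ipaddress.IPv4Address(ip) in ipaddress.ip_network(entry, strict=False)
    octets = entry.split(".")
    addr = ip.split(".")
    if len(octets) != 4 or len(addr) != 4:
        return False
    return all(o == "*" or o == a for o, a in zip(octets, addr))


def backend_allowed(ip: str, mask_list: str = IPMASK_LIST) -> bool:
    """Whitelist semantics: allowed only if some entry matches, otherwise denied.

    Assumption (per TYPO3 docs): an empty IPmaskList disables the check entirely.
    """
    if not mask_list.strip():
        return True
    try:
        ipaddress.IPv4Address(ip)
    except ValueError:
        return False  # malformed or non-IPv4 client address: deny
    return any(_entry_matches(entry, ip) for entry in mask_list.split(","))


def allowed_address_count(mask_list: str = IPMASK_LIST) -> int:
    """Upper bound on how many addresses the list opens up (overlaps counted twice).

    Useful for spotting over-broad wildcards: 'z.z.*.*' alone admits 65,536 hosts.
    """
    total = 0
    for entry in mask_list.split(","):
        entry = entry.strip()
        if not entry:
            continue
        if "/" in entry:
            total += ipaddress.ip_network(entry, strict=False).num_addresses
        else:
            total += 256 ** entry.count("*")
    return total


if __name__ == "__main__":
    for probe in ("203.0.113.7", "203.0.113.8", "198.51.100.200", "192.0.2.77", "192.0.3.1"):
        print(probe, "allowed" if backend_allowed(probe) else "denied")
    print("addresses admitted (upper bound):", allowed_address_count())
```

The count helper is the check worth running on an inherited configuration: a list that was meant to whitelist "a couple of offices" but contains `*.*` entries is effectively not a whitelist.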
You should block requests before PHP/MySQL is in use in the best case. So .htaccess is the correct way in my eyes. If it does not work, you should ask your hoster.
It sounds like you want to block the IP of the attacker and put measures in place to block known bad IPs. One of the main issues with blocking the IP of the attacker is that it's fairly easy for an attacker to set up a new IP address and launch a new attack.
There are services that provide lists of known bad IPs if you wanted to implement your own firewall.
Alternatively you can look to place your URL behind a solution such as Cloudflare that has the ability to block IPs or countries. I know of businesses that block traffic from China and Russia since they identified that most of their attacks came from these countries.

Can hackers access my IP?

I have a website with a loose security admin area. Instead of fixing the many security holes that /admin page has, I kinda kept the hackers away by using htaccess:
deny from all
It didn't allow anyone to access the /admin area. But I had to remove this condition any time I wanted to access the page. So, I used an htaccess white list of IPs.
Now it looks like this:
<Limit GET POST>
order deny,allow
deny from all
allow from 1xx.2xx.xxx.xxx
allow from 1xx.2xx.xxx.xxx
</Limit>
So, this way, my home and office IPs are whitelisted and other people (incl. hackers) will get a 403 error accessing /admin.
But now, I wonder if they can hack my computer and use my IP to access this forbidden page. Do you think hackers have this ability, or is my website totally safe now?
or is my website totally safe now
No, not a single website is totally safe; hackers are always one step ahead of the defenders.
But it's a good start, making it harder for the hackers to break into your site.
A) please don't think that the only way in is through your PC
B) please don't think you are safe because no-one would do that
Both are incorrect. B) especially is a false sense of security. What you will find is that attackers who may gain access to your PC will have a look at what you do with it, and that will likely include accessing your web administration area. This doesn't even require much effort.
You should always use a decent authentication mechanism, and add IP whitelisting as an extra.

How to dynamically deny access using .htaccess

I am familiar with denying access based on an IP, block of IPs, browser, URL etc., but my problem here is, let me state, how to deny access if it came from some IP address at least 3 times a second for a long period of time. Here, you don't know the IP address unless you look at the access file. By the time you find out the IP address it's already drawn too much of the bandwidth.
You can't use htaccess for doing this. The out-of-the-box Apache directives can't handle browsing sessions. You'll need to install some sort of log parser, maybe something like fail2ban? Or you can probably cook up a set of iptables rules for blocking lots of connections from one IP: https://askubuntu.com/questions/437059/linux-command-to-prevent-dos-attack-by-using-netstat-and-iptables
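The answer points at a log parser such as fail2ban; as an added example (not code from the question or the answer), here is the detection half of that job in Python: parse Apache common/combined-format access lines, count requests per source IP per second, and flag an address once it sustains at least 3 requests per second for several consecutive seconds. The log lines are constructed inline with documentation-range addresses, the `min_seconds=5` "long period" threshold is an assumed value, and the output lines assume Apache 2.4 `Require not ip` syntax for the block you would then apply in `.htaccess` or the vhost.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache common/combined log prefix: client, identd, user, [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

BASE = datetime(2023, 10, 10, 13, 55, 0, tzinfo=timezone.utc)


def _line(ip: str, offset: int, path: str = "/") -> str:
    """Build one constructed access-log line `offset` seconds after BASE."""
    ts = (BASE + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'


def build_sample_log() -> list:
    """Constructed sample: one sustained burst, one normal visitor, one short spike."""
    lines = []
    # 198.51.100.23 sends 4 requests every second for 8 consecutive seconds
    for sec in range(8):
        lines.extend(_line("198.51.100.23", sec, "/login") for _ in range(4))
    # 203.0.113.5 is an ordinary visitor: one request every few seconds
    for sec in (0, 3, 7, 12):
        lines.append(_line("203.0.113.5", sec))
    # 192.0.2.9 has a 2-second spike that is below the sustained threshold
    for sec in (20, 21):
        lines.extend(_line("192.0.2.9", sec) for _ in range(3))
    return lines


def parse_line(line: str):
    """Return (ip, unix_second) for a well-formed line, else None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), int(ts.timestamp())


def per_second_counts(lines) -> dict:
    """ip -> {unix_second -> request count}; unparseable lines are skipped."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:
            ip, sec = parsed
            counts[ip][sec] += 1
    return counts


def longest_burst(seconds: dict, per_second: int = 3) -> int:
    """Longest run of consecutive seconds in which the IP made >= per_second requests."""
    hot = sorted(sec for sec, n in seconds.items() if n >= per_second)
    best = run = 0
    prev = None
    for sec in hot:
        run = run + 1 if prev is not None and sec == prev + 1 else 1
        best = max(best, run)
        prev = sec
    return best


def find_offenders(lines, per_second: int = 3, min_seconds: int = 5) -> dict:
    """ip -> burst length, for every IP whose sustained rate crosses the threshold."""
    offenders = {}
    for ip, secs in per_second_counts(lines).items():
        burst = longest_burst(secs, per_second)
        if burst >= min_seconds:
            offenders[ip] = burst
    return offenders


def htaccess_block_lines(offenders: dict) -> list:
    """Apache 2.4 `Require` lines to drop into a <RequireAll> block."""
    return [f"Require not ip {ip}" for ip in sorted(offenders)]


if __name__ == "__main__":
    found = find_offenders(build_sample_log())
    print(found)                         # {'198.51.100.23': 8}
    print("\n".join(htaccess_block_lines(found)))
```

Run against a real log by replacing `build_sample_log()` with the file's lines; this is the same "count, then act" loop fail2ban runs continuously, and it shows why the question's requirement cannot be met by a static `.htaccess` alone: the offending address is only known after the log has been read.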

Is there any scenario where an attacker could transfer or do something to my domain WITHOUT having access to my registrar panel?

My domain registrar gives me the option of locking my domain as a security feature to prevent unauthorized transfers and stuff like that.
I thought the only way to do unauthorized transfers was if the attacker has access to my account on the registrar... but in that case he also can unlock the domain, so at the end of the day I don't understand what the utility of domain locking is... I mean... if the only way he could do something is having access to my registrar panel, then he also can unlock the domain before doing transfers and stuff. :-/
So my question is, is there any scenario where an attacker could transfer or do something to my domain WITHOUT having access to my registrar panel, and the only way to prevent it is having the registrar locking activated?
Thanks
There could be several attack vectors, including but not limited to privilege escalation, DNS exploit, SSH and so on. I'll cover two classical measures taken to protect (at least a little) a DNS zone. This answer is mainly for future reference since I neither know which registrar you are using nor how it protects its domains.
My reference DNS server here is Bind, but the same logic applies to NSD, Unbound and the rest.
The first thing is the transfer of a zone using an AXFR / IXFR request. This is done using a simple "dig @[dns_ip] [dns_zone_name] AXFR" (the IXFR query needs an additional serial parameter but is the same kind of query). To block these, ensure that your DNS server uses the following statement:
allow-transfer { none; }; (1)
Note that if you use slave DNS servers, you would have to put their IP addresses (or better, use keys to secure the transaction).
The second possible kind of "attack" is updating the zone itself. This is easily blocked if you use the following statement:
allow-update { none; }; (2)
Use this kind of configuration only if you use your registrar's panel, because it will prevent DDNS updates. Like the allow-transfer statement, it is possible to use keys / IP addresses to have a fine-grained control over your update policy.
These two statements are for the sake of the example, and there are many ways to configure a DNS server without having to use a web configuration panel.
I hope this response was clear enough and helpful.
1: http://www.zytrax.com/books/dns/ch7/xfer.html#allow-transfer
2: http://www.zytrax.com/books/dns/ch7/xfer.html#allow-update
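The two statements above are easy to write but easy to forget on one zone, so here is an added example (not code from the answer, and not a BIND tool) of a small Python audit that reads a named.conf-style file and reports every zone whose effective `allow-transfer` or `allow-update` admits `any`, or whose transfers are not restricted at all. It assumes the BIND rule that a zone-level statement overrides the `options` block and that `allow-update` defaults to `none` when unset; the sample configuration is constructed inline, and the TSIG secret in it is a placeholder.

```python
import re

# Constructed named.conf excerpt, not from the original answer. The key secret is a
# placeholder; a real TSIG secret is produced with tsig-keygen. Three zones:
# example.com inherits the permissive global ACL, example.net uses a key, example.org is closed.
SAMPLE_NAMED_CONF = """
options {
    directory "/var/named";
    allow-transfer { any; };
};
key "xfer-key" { algorithm hmac-sha256; secret "PLACEHOLDER-BASE64-SECRET"; };
zone "example.com" {
    type master;
    file "example.com.zone";
};
zone "example.net" {
    type master;
    file "example.net.zone";
    allow-transfer { key xfer-key; };
    allow-update { key xfer-key; };
};
zone "example.org" {
    type master;
    file "example.org.zone";
    allow-transfer { none; };
    allow-update { none; };
};
"""


def _block_body(text: str, open_brace: int) -> str:
    """Return the text between the '{' at index open_brace and its matching '}'."""
    depth = 0
    for i in range(open_brace, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_brace + 1:i]
    raise ValueError("unbalanced braces in configuration")


def _acl(body: str, statement: str):
    """Parse `statement { a; b; };` inside one block; None if the statement is absent."""
    m = re.search(r"\b%s\s*\{([^}]*)\}" % re.escape(statement), body)
    if m is None:
        return None
    return [item.strip() for item in m.group(1).split(";") if item.strip()]


def audit_zone_acls(conf: str) -> dict:
    """Map each zone name to the ACL issues a reviewer should raise.

    Assumption (BIND semantics): a zone-level allow-transfer / allow-update overrides the
    options-level one; allow-update is 'none' when unset; transfers left unset at both
    levels are reported so the server default is checked rather than trusted.
    """
    defaults = {}
    opt = re.search(r"\boptions\s*\{", conf)
    if opt:
        options_body = _block_body(conf, opt.end() - 1)
        for stmt in ("allow-transfer", "allow-update"):
            defaults[stmt] = _acl(options_body, stmt)

    findings = {}
    for m in re.finditer(r'\bzone\s+"([^"]+)"[^{]*\{', conf):
        name, body = m.group(1), _block_body(conf, m.end() - 1)
        issues = []
        for stmt in ("allow-transfer", "allow-update"):
            acl, source = _acl(body, stmt), "zone"
            if acl is None:
                acl, source = defaults.get(stmt), "options"
            if acl is None:
                if stmt == "allow-transfer":
                    issues.append("allow-transfer not set at zone or options level; "
                                  "verify the server default instead of relying on it")
                continue
            if "any" in acl:
                issues.append(f"{stmt} {{ any; }} (from {source} block)")
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for zone, issues in audit_zone_acls(SAMPLE_NAMED_CONF).items():
        print(zone, "OK" if not issues else "; ".join(issues))
```

The point the sample makes is the inheritance: `example.com` has no ACL of its own and silently picks up `allow-transfer { any; }` from `options`, which is exactly the configuration the answer's statement (1) is meant to rule out. Keyed transfers for secondaries, as in `example.net`, are the way to keep zone replication working without opening AXFR to the world.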

Websitepanel and / or IIS : Create a global DNS / subdomain redirect for users to access the control panel. I.e. cp.whateverdomain.com

As per my subject, I need ideas / help on creating [cp].whateverdomain.com, and loading the control panel when that gets hit.
I want this to be a "global" setting, affecting all domains. I understand binding to a port, but I don't understand how to "bind" the control panel to a [cp] subdomain for all domains.
So basically, user will login through cp.domain.com , instead of domain.com:9001
I would greatly appreciate some insight into how this happens, i.e. on other servers / setups. Arvixe uses cp.domain for all control panel access. I am also looking at various other scenarios where I want to use a global subdomain/pointer for different things, hence I would like to "understand" what needs to happen to DNS, IIS, and WebsitePanel to achieve this.
In a nutshell, if I remember correctly, you need an extra IP for unique things such as this. You need to "bind" the subdomain to that IP, and it should resolve for all domains on the other IPs. I might be off the track a little, this was a while ago for me. I did not want to offer up one of my IPs for cp, so I just stuck with the port.