Use Antihacking protection to ban an IP range - how?

 
ionicle
Joined: 01 Apr 2012
Posts: 8

Posted: Tue Aug 20, 2013 2:20 pm    Post subject: Use Antihacking protection to ban an IP range - how?

I would like to ban a certain number of IP ranges from accessing the server at all. I don't want to use an external firewall to do that though.

I know that can be done via the Ban function of the Antihacking Protection, however, there is no interface to input the IP ranges directly. What is the correct syntax to input them manually in the "persist.data" file instead?

What I want is for those IP ranges to not be served anything at all - the server should simply drop those connections as soon as they're established.

Axis
Joined: 29 Sep 2003
Posts: 336

Posted: Tue Aug 20, 2013 6:43 pm

Hello ionicle--

The interface is in the host menu under IP Address Control. No need to mess with persist data directly.

Regards,
Axis

ionicle
Joined: 01 Apr 2012
Posts: 8

Posted: Tue Aug 20, 2013 6:54 pm

No.

I specifically mentioned that I want to deny the incoming connection attempt without any sort of response, not having the connection honored and then sending a 403 error.

What I want is basically covered in this topic:

http://www.aprelium.com/forum/viewtopic.php?t=183573

It's, supposedly, how the Antihacking protection works, after identifying an attacking IP: dropping the connection attempt without any form of response.

Part of the "persist.data" code is presented in this topic:

http://www.aprelium.com/forum/viewtopic.php?t=265137

The only thing I need to know is, where exactly I should insert the modified code in the contents of "persist.data". I could totally do this on my own if I had at least one attacking IP detected and blocked by my Abyss. The fact that I don't have any, effectively means that no entries are present in my "persist.data" file, and thus, I have no idea where to insert them manually.

ionicle
Joined: 01 Apr 2012
Posts: 8

Posted: Tue Aug 20, 2013 10:26 pm

I figured it out by setting up arbitrary rules in my own server and "attacking" it myself.

Code:

<antihack>
   <blackip>
      <ip>
         212.xxx.xxx.xxx
      </ip>
      <until>
         Tue, 20 Aug 2013 21:27:07 GMT
      </until>
   </blackip>
</antihack>


That is the code that's added to the "persist.data" file.

My only question now is: how do I alter that so I can actually block an entire IP range, instead of just one IP address? If I try adding a range manually in the file, the value gets erased for some reason.

I don't get it. Why didn't you guys implement an interface option to manually add individual IPs/IP ranges in the Antihacking section? That would have been perfect, plus people that deal with webservers are more than capable of observing the behavior of malicious bots/scripts attacking the server, and determining whether or not they should be banned, instead of relying solely on the automated protection...

aprelium-support
Joined: 20 Feb 2009
Posts: 356

Posted: Fri Aug 23, 2013 7:29 pm

You could use any IP range format as described in http://www.aprelium.com/data/doc/2/abyssws-win-doc-html/ipformat.html .

ionicle wrote:
My only question now is: how do I alter that so I can actually block an entire IP range, instead of just one IP address? If I try adding a range manually in the file, the value gets erased for some reason.


You should do that while Abyss Web Server is not running.

Quote:
I don't get it. Why didn't you guys implement an interface option to manually add individual IPs/IP ranges in the Antihacking section? That would have been perfect, plus people that deal with webservers are more than capable of observing the behavior of malicious bots/scripts attacking the server, and determining whether or not they should be banned, instead of relying solely on the automated protection...


Software cannot be perfect from day 1. That's why we always ask customers and users to provide us with their feedback. If a feature is felt to be missing, we add it in new versions. That's how Abyss Web Server evolved. :)
_________________
Support Team
Aprelium - http://www.aprelium.com

ionicle
Joined: 01 Apr 2012
Posts: 8

Posted: Fri Aug 23, 2013 8:03 pm

Thank you for the response, but no.

I already tried that with the regular IP range format:

1.0.0.0-1.255.255.255

And no, it doesn't work - when I restart Abyss to validate the change, it gets rewritten to 0.0.0.0. It simply doesn't accept an IP range in that specific value:


<antihack>
   <blackip>
      <ip>
         212.xxx.xxx.xxx
      </ip>
      <until>
         Tue, 20 Aug 2013 21:27:07 GMT
      </until>
   </blackip>
</antihack>


My guess would be that it shouldn't be enclosed in an <ip> tag, since it isn't an individual IP, but a range. My question, therefore, is:

What is the proper tag to enclose the IP range in, so that it would be recognized by Abyss and used by the Antihacking protection?

aprelium-support
Joined: 20 Feb 2009
Posts: 356

Posted: Sat Aug 24, 2013 5:38 pm

ionicle,

We have checked with our lead development team and it seems that <ip></ip> accepts only IPs and not ranges.

The persist.data file format is not documented (even if it is easy to grasp) because it was never meant to be used by external tools.

Please get in touch with us regarding enhancing Abyss Web Server to add the features you need.
_________________
Support Team
Aprelium - http://www.aprelium.com
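
A pre-restart check for the point confirmed in the reply above, that `<ip>` takes one address and not a range. This is an added example, not Aprelium's code: the persist.data layout is undocumented and assumed here to be exactly what was posted in this thread, and the sample addresses and the `audit_blackips` name are constructed for illustration.

```python
import ipaddress
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample in the thread's layout; addresses are documentation placeholders.
SAMPLE = """<antihack>
  <blackip>
    <ip>
      203.0.113.7
    </ip>
    <until>
      Tue, 20 Aug 2013 21:27:07 GMT
    </until>
  </blackip>
  <blackip><ip>198.51.100.0-198.51.100.255</ip>
    <until>Tue, 20 Aug 2013 21:27:07 GMT</until></blackip>
  <blackip><ip>0.0.0.0</ip>
    <until>Tue, 20 Aug 2013 21:27:07 GMT</until></blackip>
  <blackip><ip>192.0.2.44</ip>
    <until>Mon, 19 Aug 2013 08:00:00 GMT</until></blackip>
</antihack>"""

BLACKIP = re.compile(r"<blackip>\s*<ip>\s*(.*?)\s*</ip>\s*"
                     r"<until>\s*(.*?)\s*</until>\s*</blackip>", re.S)

def audit_blackips(text, now):
    """Classify every <blackip> entry in text as of the timezone-aware datetime now."""
    findings = []
    for ip_text, until_text in BLACKIP.findall(text):
        try:
            addr = ipaddress.ip_address(ip_text)
        except ValueError:  # range, CIDR block or typo: <ip> takes one address
            findings.append((ip_text, "not-single-ip"))
            continue
        if addr.is_unspecified:  # what the thread reports a rejected value becomes
            findings.append((ip_text, "zeroed"))
            continue
        try:
            active = parsedate_to_datetime(until_text) > now
        except (TypeError, ValueError):  # unparseable or timezone-less <until>
            findings.append((ip_text, "bad-until"))
            continue
        findings.append((ip_text, "active" if active else "expired"))
    return findings

if __name__ == "__main__":
    for row in audit_blackips(SAMPLE, datetime.now(timezone.utc)):
        print(row)
```
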

ionicle
Joined: 01 Apr 2012
Posts: 8

Posted: Sat Aug 24, 2013 6:59 pm

Right, thank you, that clarifies it. I suspected that was the case indeed.

The "persist.data" file is totally a cake to grasp, since it's kinda written in the same easily-readable format that "abyss.conf" uses.

I thought about trying <range> or <iprange> tags, but didn't really count on those being actually implemented.

How do I get in touch with you? Emailing at support@aprelium.com?

I'd actually LOVE to see an interface option in the Antihacking Protection section, offering to manually input IPs/ranges for use by the protection module. Main reason is - it handles the blacklisted connections differently than the graceful 403s of the Allowed/Denied section, dropping the connection immediately, and not wasting server resources on actually honoring the request by serving a "Forbidden" page. Also, a lot of attackers can easily be identified manually by a vigilant observer, and might be missed by an automated module - therefore we need the option to manually pinpoint ban targets for the protection.

Once the perpetrator sees the "Forbidden" page, they will actually know that they've been blacklisted. Security through obscurity is something I really like, and I do consider the Antihacking protection method of handling the connections a lot more effective in fending off those pesky attackers.

I mean - if you cannot even connect, what can you do? Plus, when the connection is simply dropped, the attacker will not have a clear idea as to why this is happening, and therefore will be less likely to implement proper counteracting measures to try and circumvent the ban.

aprelium-support
Joined: 20 Feb 2009
Posts: 356

Posted: Mon Aug 26, 2013 1:41 pm

ionicle wrote:
How do I get in touch with you? Emailing at support@aprelium.com?


Sure. Please use it to get in touch with us.
_________________
Support Team
Aprelium - http://www.aprelium.com

All times are GMT + 1 Hour