“… a firewall is a network security system that monitors and controls the incoming and outgoing network traffic based on predetermined security rules. A firewall typically establishes a barrier between a trusted, secure internal network and another outside network, such as the Internet, that is assumed not to be secure or trusted.”
Itomic has been hosting websites since 2000, a responsibility we take very seriously. After all, your website will likely be the first impression your prospective clients have of your organisation, and we want this to be a great one.
A wise man once said that a truly secure server is one that is unplugged from everything, encased in concrete, and sitting at the bottom of the ocean. But that wouldn’t making for a very good website hosting service, so we have to make compromises 🙂
One of the ways we make compromises is to employ a firewall. It’s a service that attempts to permit the good guys (e.g. yourself, your clients, and other stakeholders) to view and interact with your website, and block everyone else – the bad guys – from doing so.
But how to tell the good guys from the bad guys? Sometimes it’s obvious, sometime less so. When it’s less so, should we give the visitor the benefit of the doubt and let them in regardless? Or should we block them just-in-case, and risk a “false positive” block? It’s the firewall and associated services that are responsible for making these decisions in the blink of an eye, and taking appropriate action(s). Firewalls don’t get it right every time, but through manual and automatic intervention they tend to get better over time.
Getting a lot more technical (you have been warned!)…
The purpose of ModSecurity is to prevent common malicious web based attacks and close security holes in applications. ModSecurity focuses on HTTP(s) traffic. ModSecurity prevents attacks in real time but does not permanently/temporarily block IP addresses, it assumes other software will be used to parse the log entries for this purpose. Modsecurity works at the application level.
CSF is an IPtables frontend used to automate/simplify firewall tasks. LFD (part of the CSF suite) watches logs to count how many times an attack occurs from an IP address and the timeframe. CSF/LFD work at the server/account level.
This ties in with ModSecurity since attacks are logged each time they are triggered. Here’s an actual example from our log files of a specific IP address (126.96.36.199) being repeatedly flagged as malicious because the activity coming from that IP matched a certain ‘bad guy’ rule (id 210831):
root@ariel [/home] # grep 188.8.131.52 /usr/local/apache/logs/error_log|grep mod_sec
2016-05-11 00:11:02.644 [NOTICE] [184.108.40.206:32986] mod_security rule [Id ‘210831’] triggered!
2016-05-12 20:46:56.986 [NOTICE] [220.127.116.11:40251] mod_security rule [Id ‘210831’] triggered!
2016-05-13 02:26:24.048 [NOTICE] [18.104.22.168:44563] mod_security rule [Id ‘210831’] triggered!
2016-05-13 13:20:25.426 [NOTICE] [22.214.171.124:53039] mod_security rule [Id ‘210831’] triggered!
2016-05-20 09:20:54.438 [NOTICE] [126.96.36.199:39174] mod_security rule [Id ‘210831’] triggered!
LFD obtains the IP address from the log and creates a counter and a timer. The counter increases by 1 each time a rule is triggered up to 10. If an IP address triggers a certain number of rules (e.g. 10) within a certain time frame (e.g. 1 hour) the IP is blocked using CSF. If an hour passes and the IP did not trigger 10 rules the counter is reset to 0 for that IP.