how to get IP Attacker into the blocklist

ezvink

@cool_corona said in how to get IP Attacker into the blocklist:

As I said you need to use WAN address as destination and HTTP as protocol.
Not 192.168.3.5
And redirect to 192.168.3.5 using HTTP

I have also done that, sir, for destination I use "wan address" and redirect "192.168.3.5" but it still works, sir.

I saw a tutorial on youtube, that the firewall settings from the ISP also had an effect, he set the firewall on the ISP webgui he was using to low so that permission to portforward could be done. does it affect me using a virtual machine? what i watch is he uses pfsense hardware sir and mikrotik

johnpoz

@ezvink what are the rules on your wan? Out of the box rfc1918 is blocked, so you could port forward all day long and it would never work if the source is rfc1918. Which it is in your setup.

edit:
Also, what IP are you sending your traffic too? Once you setup the port forward, your traffic you send from your hping will be to the pfsense wan ip, not the 3.5 server behind pfsense.

bmeeks

@ezvink :
Go read the official pfSense documentation here for instructions on configuring a port forward: https://docs.netgate.com/pfsense/en/latest/nat/port-forwards.html. As @Cool_Corona mentioned, you are doing it incorrectly.

And as @johnpoz stated, be sure that you are not blocking RFC1918 addresses on the WAN interface for this test. You configure that on the bottom of the page from the pfSense menu INTERFACES > WAN.

ezvink

@johnpoz
I left this setting by default sir, so which one should I uncheck? both of them?

ezvink

I use port forward like this, and the attacker can access the web server using the same network "bridge adapter" as the pfsense WAN adapter.
but when i try to ping the webserver ip it can't, because my portforward setting is TCP not ICMP. it's like that right sir?

Well, but when I tried to attack the webserver's ip address, there was no warning that appeared on Suricata, what do you think is the problem, sir?

johnpoz

@ezvink dude just take the F, there is no way you pass this "exam" ;)

ezvink

@johnpoz
Isn't this forum to help those in trouble, right, sir?

johnpoz

@ezvink we have been trying for what weeks.

You are asked if you are blocking rfc1918, and where to turn it off - but then you ask which one to check. Which one of those do you think blocks rfc1918? Do you think you have any need to block bogon? How would bogon be source into your wan on a specific network?

Your rule you posted clearly states TCP, but then you ask if your sending icmp? How would we know your the one using hping.. How did your rule trigger before if you were sending icmp?

Asked to see your wan rules - no posting..

Did you modify ips to listen on the wan port now?

Your passlist shows 192.168.18/24 - did you remove that?

ezvink

@johnpoz
like this sir my wan settings

ezvink

@ezvink
on ips I only add opt1(webserver) interface only
I also didn't delete it, I left it the default sir

Patch

@ezvink If you want some one to do your assignment for you then just pay some one to do it.
If you want to learn to be an IT professional then learn how to do research and test systems your self.

@johnpoz said in how to get IP Attacker into the blocklist:

dude just take the F, there is no way you pass this "exam" ;)

agree

@ezvink said in how to get IP Attacker into the blocklist:

Isn't this forum to help those in trouble, right, sir?

The forum is not here to do your assignment for you.

You may not like the honest assistance you have received however if you want technical ability rather then just a grade for an assignment you are not doing, then it is actually more valuable than the many technical pointers you have been given.

ezvink

@bmeeks
Thank you sir, because of your suggestion the project I am working on can run well. thanks again sorry if i confused you

Gertjan

@ezvink

Before attacking, finish first the basic setup.
I mean, this :

is not done any more.
http over port 80 is something of the past, as all traffic passes very visible over the internet. That the opposite of 'security'.
Google, for example, won't index http sites any more. Browsers start to show warnings when http is used.
The solution has been found a decade ago : use https over port 443.
So, add a new NAT rules, same settings as the "port 80 rule", but now you use port 443.
And do not forget to tell apache2 that it should listen port 443 also.
And consider disabling port 80 (http) functionality all together - and if you do, ditch the port 80 pfSense NAT rule.

When done, you can start thinking about 'security'.
One of the best starting points would be : leave the /var/www/html/ folder empty, just keep the index.html file and don't edit it.
Do not install "PHP" (Java, whatever) as this would open up a whole new set of angle of attacks.