    Netgate Discussion Forum
    Block inbound requests to specific pages

    Firewalling
    • Translating-IT

      Hi,

      I'm quite new to pfsense as our webhoster installed pfsense on our server. I'm not sure if this is the correct forum category for this question …

      From what I can see in the pfsense dashboard under Status > System Logs > System > GUI Service, pfsense gets the target page of the request to our website, so it should be able to filter such data.

      e.g.

      Jan 25 09:59:06 nginx 10...** - - [25/Jan/2022:09:59:06 +0100] "POST /getstats.php HTTP/2.0" 200 133 "https://...:10443/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0"

      What I want to do is automatically block the IPs of users trying to access specific pages on our site. These are pages I know don't exist and are definitely hacking attempts, or at least an attempt to check if there are vulnerabilities.

      So if anyone tries to access such a page via port 80 or 443 they should get blocked automatically, so they don't even see there is a server and don't generate traffic on the server.

      Let's say a user wants to access http://www.myrandompage.com/index.php; they should get blocked by pfsense. The list of pages/strings triggering the block could be defined by page URL (/demo/thisfile.php), file extension (block all requests to pages ending in shtml or php), wildcards/regex or strings (if the URL contains .env, shell, w00tw00t, select, drop, …).

      Optionally, the block/ban for the requesting IP should be set for a specific time span (e.g. 100 minutes, 2 days, …) in order to make sure that another user who later gets that IP and really wants to access our homepage can still access the site after that time expires, in case the IP gets redistributed because it's not a fixed one. If one IP gets blocked several times on different days it should get a permanent ban.

      Is there a way to achieve this?

      Best regards,
      Pascal

      • Translating-IT

        Hi,

        I managed to solve this by installing pfBlockerNG in combination with Snort; the latter allows you to create your own rules to block all possible things, besides the fact that it comes with a huge batch of its own rules which you can activate or deactivate at will.

        Br,
        Pascal

        • Gertjan @Translating-IT

          @translating-it

          What about: use a firewall?

          On the LAN interface: trusted users that can access whatever they want.
          Second LAN2: a second pass-all rule, and a first "block all ports 22 80 443 TCP" rule that has a destination of the LAN2 IP, the one pfSense is using. These users can't access pfSense anymore.

          Or, with just one LAN, but block access to pfSense except if the device is your device == your IP.

          I don't understand what you managed to do with "pfBlockerNG-devel" (pfBlockerNG is far too old).
          Snort might help if the payload is in the clear, or non-https. These days are nearly over, and https means: snort can't see the payload anymore, that is: a request for a page.

          No "help me" PM's please. Use the forum.

          • johnpoz (LAYER 8 Global Moderator) @Gertjan

            @gertjan said in Block inbound requests to specific pages:

            snort can't see the payload anymore, that is : a request for a page.

            It can if you do it on the LAN side and use haproxy to do the SSL offload. So on the pfsense WAN you don't see anything because of https, but anything actually going to the server would be in the clear.

            And could be filtered by an IPS.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 23.01 | Lab VMs CE 2.6, 2.7

            • Translating-IT @Gertjan

              @gertjan

              I'm not caring about LAN at all. Right now there is absolutely no need to regulate LAN on this setup, but it's WAN that must be harnessed. ;) With these 2 packages I managed to reduce bad requests by over 90% without too much fine-tuning. Only 10 very basic custom rules are set up next to the default settings. So I guess the better I understand snort syntax, the better the threats will get blocked.

              Now I just need to get more refined custom rules set up in snort to block the remaining trash requests. Most of them get in over port 80, which is then blocked or redirected via URL rewrite and redirect rules if it would be an existing URL on https.

              So even if pfBlockerNG might be old, it's still quite efficient in combination with snort.

              Br,
              Pascal

              • alexferro32 @Translating-IT

                @translating-it Hi Pascal! Can you send more details about snort+pfBlockerNG configuration? Thanks, Ale

                • michmoor @Translating-IT

                  @translating-it You need HA Proxy package for this.
                  So I am running a custom application where example.com/admin should not be accessible from the outside. The way it's done today is by creating HA Proxy 'AND' rules that disallow this traffic.

                  Another way is to have Cloudflare be your DNS. Using their ZeroTrust model you can control who can hit your page when resolving (by GeoIP, for example) the hostname of your application. I use it for my home lab, but for a more business situation I use HA Proxy.

                  Firewall: NetGate 6100/7100U, Palo Alto
                  Routing: Juniper MX204 , Arista 7050X3
                  Switching: Juniper EX/QFX. Arista 7050SX
                  Wireless: Unifi, Aruba IAP

                  • Translating-IT @michmoor

                    @michmoor Thanks for that hint. Can I also set up a rule so that only traffic to specific (existing) URLs goes through, and everything else is blocked?

                    e.g. allow www.url.lb/impressum, www.url.lb/index
                    if anyone tries to access www.url.lb/ag4i they get blocked.

                    Where can I find some good tutorials on how to set up such WAN rules?

                    Br,
                    Pascal

                    • Gertjan @Translating-IT

                      @translating-it said in Block inbound requests to specific pages:

                      e.g. allow www.url.lb/impressum, www.url.lb/index
                      if anyone tries to access www.url.lb/ag4i they get blocked.

                      Firewall rules can act upon IP addresses, ports and all kinds of IP stuff.
                      Not on (parts of) URLs.
                      Even pfBlockerNG can't deal with URLs, just host names.
                      That's something dot something-else and morehere dot something dot something-else etc.

                      This is the DNS part, and that's where pfBlockerNG can do something for you.

                      All these :
                      www.url.lb/impressum
                      www.url.lb/index
                      www.url.lb/ag4i

                      The only part that is visible to pfSense is 'url.lb' (and maybe www.url.lb: check the resolver and/or pfBlockerNG DNS query logs), as that happens when the browser asks: what is the IP of 'url.lb'. And maybe also 'www.url.lb'.
                      From then on, it's game over.
                      As the browser now uses that IP, opens a TLS connection to that IP, and asks for a page like /index.html or www.url.lb/impressum (www.url.lb/impressum/index.html).

                      Now, there is no need to explain that you, me and no one else can see what happens in that TLS stream.
                      Because that's what you want: security and privacy ;)

                      If, by any chance, the site is http (only): blacklist 'url.lb' altogether. As Google did, years ago.

                      It would be a good thing if you could prove me wrong on this.

                      For example : https://superuser.com/questions/763987/block-specific-url-paths

                      shows a possible solution: it starts with: get a proxy ...

                      Another one : https://superuser.com/questions/1413274/how-to-block-specific-url-rather-than-the-entire-domain-on-a-computer-without-so

                      So, pfSense won't help you break TLS (https:// ...) 😊

                      No "help me" PM's please. Use the forum.

                      • Translating-IT @Gertjan

                        @gertjan well, wasn't that what michmoor said: use HA Proxy? I understood that with HA Proxy you can then do exactly that. That's why I asked @michmoor how it can be done with HA Proxy.

                        • michmoor @Translating-IT

                          @translating-it There are a few ways to do this: control inbound requests to a URL that doesn't exist.

                          so if you have example.com/admin

                          1. HA Proxy package with ACLs on your FrontEnd settings. Anyone attempting to hit example.com/admin will receive a 400 message.

                          2. Have your domain in CloudFlare and it is your authoritative name server. Cloudflare has a WAF component where you create firewall rules. See below.
                            (screenshot of the Cloudflare WAF firewall rules, image not included)

                          The block/ban isn't something that HA proxy can do, as far as I'm aware. There may be a way. You would need to search the HA documentation for that.

                          Firewall: NetGate 6100/7100U, Palo Alto
                          Routing: Juniper MX204 , Arista 7050X3
                          Switching: Juniper EX/QFX. Arista 7050SX
                          Wireless: Unifi, Aruba IAP
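An added haproxy.cfg example, written for this thread and not taken from it or from the pfSense HAProxy package, of the frontend ACL approach michmoor describes, extended with the allowlist Pascal asks for (www.url.lb/impressum and /index pass, /ag4i is refused) and a stick-table that refuses a source for 100 minutes once it requests a probe path. Assumptions: the site is www.url.lb, the web server is 10.0.0.10:80 on the LAN (constructed), the certificate bundle path is a placeholder, and in the pfSense package the same ACLs and deny actions are entered under the frontend's "Access Control lists" and "Actions" sections.

```haproxy
global
    log 127.0.0.1 local0
    maxconn 2000

defaults
    mode    http
    log     global
    option  httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend www_url_lb
    # TLS terminates here, so HAProxy sees the request path; the backend hop is
    # plain HTTP on the LAN, which is what lets a LAN-side IPS inspect it too.
    bind :443 ssl crt /var/etc/haproxy/www.url.lb.pem   # placeholder path
    bind :80
    http-request redirect scheme https code 301 unless { ssl_fc }

    # Per-source table: gpc0 is bumped when a probe path is requested; the entry
    # lives for 100 minutes after its last hit (the temporary ban from the post).
    stick-table type ip size 100k expire 100m store gpc0
    http-request track-sc0 src

    acl host_ok req.hdr(host) -i www.url.lb
    # Allowlist of paths that really exist; prefix match also covers /impressum/...
    acl path_ok path_beg -i /impressum /index
    # Strings from the first post that never occur in a legitimate request here
    acl probe   path_sub -i .env w00tw00t

    # Already-flagged sources are refused whatever they ask for now.
    http-request deny deny_status 403 if { sc_get_gpc0(0) gt 0 }
    # A probe path flags the source and is refused; anything not on the
    # allowlist (www.url.lb/ag4i from the thread) is refused as well.
    http-request sc-inc-gpc0(0) if probe
    http-request deny deny_status 403 if probe
    http-request deny deny_status 403 unless host_ok path_ok
    default_backend web_servers

backend web_servers
    # Constructed LAN address of the real web server; plain HTTP, not TLS
    server web1 10.0.0.10:80 check
```

The permanent ban after repeated offences on different days is not covered: gpc0 only lives as long as the table entry, so that escalation would have to be done outside HAProxy.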

                          • Translating-IT @michmoor

                            @michmoor due to security and GDPR reasons CloudFlare is NOT an option for me. I use my own server at a hoster in Germany and not services like CloudFlare or similar. So only the first option would be interesting, although I have no idea how this could be set up without any examples or tutorials.
