12_aslbrute not banning IP's
We purchased a yearly subscription for the ASL rules and our system is being hit hard daily by bots trying to brute force the Joomla admin. What's bothersome is that your rules aren't banning those ip's and they just keep pounding away.
Is there a way to tweak that rule to ban IP's for 30 days?
Re: 12_aslbrute not banning IP's
Sure, just change the shun time in ASL to 30 days.
If everything was easy, then the world wouldn't need engineers.
Re: 12_aslbrute not banning IP's
OK where do you do that?
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: 12_aslbrute not banning IP's
Thank you for the question, please see the documentation for this configuration setting in ASL:
https://www.atomicorp.com/wiki/index.ph ... _SHUN_TIME
The value is seconds, so 30 days would be 2592000.
Michael Shinn
Atomicorp - Security For Everyone
Re: 12_aslbrute not banning IP's
OK, where are these settings for SHUN time? We're running the rules only with mod security. Thx
Re: 12_aslbrute not banning IP's
Those settings are part of Atomic Secured Linux (ASL). Those rules require ASL to detect and block brute force attacks, as documented here:
https://www.atomicorp.com/wiki/index.ph ... brute.conf
Michael Shinn
Atomicorp - Security For Everyone
Re: 12_aslbrute not banning IP's
Got it. The mod sec rules are limited without the full ASL?
Re: 12_aslbrute not banning IP's
It's not a limitation in the rules, modsecurity just doesn't do this. Event tracking capabilities in modsecurity are very poor (and have performance issues), so we use a high speed engine to do this in ASL.
Michael Shinn
Atomicorp - Security For Everyone
Re: 12_aslbrute not banning IP's
Thanks! What has kept us from going full ASL is when we tried to install it in the past, it made our production machine un-bootable and we had to perform an OS reload, so we're VERY skittish on attempting to install ASL ourselves.
Re: 12_aslbrute not banning IP's
We'd be happy to install ASL for you.
Michael Shinn
Atomicorp - Security For Everyone
Re: 12_aslbrute not banning IP's
Getting close to a decision here on the full ASL suite. The attacks are coming in waves with peaks and valleys. Looks like it's a low level DDOS on WP and Joomla for admin and some scraping to check for vulnerable files. Would the full ASL help with this? See attached image.
Re: 12_aslbrute not banning IP's
Thank you for the question, ASL sure does protect against this. If you'd like help installing ASL, just shoot support an email.
Michael Shinn
Atomicorp - Security For Everyone
Re: 12_aslbrute not banning IP's
Well, it's time to do the deed then! I need a pro to install and get this rolling. My only fear is for our large Joomla install base and what might get caught in the ASL rules. Good news is I'm sure there will be a way to exclude some domains from those rules like CSF mod_sec control? That's our environment now, lots of CSF tools. Modsec Control, CSF, etc. Has worked well until now, but the hackers of the world have found us.
I purchased the annual ASL rules for $99. Is this an upgrade to full ASL or an upgrade?
Re: 12_aslbrute not banning IP's
> My only fear is for our large Joomla install base and what might get caught in the ASL rules.
We use Joomla, so it's very unlikely any of our rules would cause any issues with Joomla. If you haven't had an issue with the modsec rules from us, then you'll be fine with ASL.
> Good news is I'm sure there will be a way to exclude some domains from those rules like CSF mod_sec control?
Oh yeah, and then some. You can tweak each rule, its behavior, thresholds and more.
> I purchased the annual ASL rules for $99. Is this an upgrade to full ASL or an upgrade?
If you purchased a rules license, that's just a license for the rules. Rules licenses do not include ASL. You can upgrade from a rules annual license to an ASL annual license for only $99.96.
Michael Shinn
Atomicorp - Security For Everyone
Re: 12_aslbrute not banning IP's
Thanks! Once I pay that, will I get access to the support ticket system? Right now, I can't log in to that.