NetTalk Central

Author Topic: How to make a "sticky" ban list.  (Read 4449 times)

DonnEdwards

How to make a "sticky" ban list.
« on: May 03, 2021, 06:15:44 AM »
I have added around 10 IP addresses to my NT WebServer's ban list, and was wondering whether anyone has written the code to save these addresses to a text or INI file so that they can be re-loaded when I close the server and then run it again. I guess I could add them to the Windows Firewall, but I'm not sure if that's advisable.

Alternatively, is there a better way to get rid of random IPs that try to "exploit" my server?

Or am I worrying about nothing?
If you're happy with your security, then so are the bad guys

DonnEdwards

Re: How to make a "sticky" ban list.
« Reply #1 on: May 03, 2021, 12:00:48 PM »
I have been experimenting with PeerBlock and it is showing an interesting amount of random traffic of all kinds. I think I'll not worry about the ban list for now.
If you're happy with your security, then so are the bad guys

bshields

Re: How to make a "sticky" ban list.
« Reply #2 on: May 03, 2021, 05:15:21 PM »
Hi Donn,

I have an API that is a big target for hackers and, to protect itself, other than all the usual pinned certificates to limit SSL attacks, I've taught my API to detect suspicious or dodgy behavior. When I detect it I permanently block the IP by storing it in a database table.

It could be argued (successfully) that this might be a bit slow. So you could store it in a global queue, protected by critical sections and save and load from disk appropriately.

Before I process any request I just check the incoming IP against my list of bad actors and return a 503 if I don't like them.

It's worth mentioning that all servers will get loads of traffic with people snooping around, testing for vulnerabilities; these do not concern me. I just ignore them.

For some of my systems that aren't world wide, I will use a geo-block at my router level (since it knows how to do it for me), thus removing a great deal of the dodgy traffic from dodgy countries.

I do have 1 API that gets malicious attacks, where there is a real hacker (and very capable ones) at the other end. It is only on this API that I block bad IPs. I have honey-pot style end-points or parameters for end-points and when they try and use them, permanent ban.

Some of my hackers have been white hat guys, so I've had the opportunity to talk to them about their techniques and they have shown me the issues I'm dealing with.

Its effectiveness is also limited; most hackers will access your system via proxies or other people's compromised systems, so they can just get other IP addresses. My rationale here is that to hack my API they need some level of continuity as they probe my API for weaknesses, and the IP ban breaks their "stride" and makes the process more difficult as more and more of their IPs get banned. Basically it just slows them down.

In short, if it's just muppets looking for systems with default passwords, or generic WordPress, MySQL, etc. vulnerabilities, I wouldn't bother. But if you have very valuable data that other people will risk jail to find, then yes, block if you can.

Regards
Bill


bshields

Re: How to make a "sticky" ban list.
« Reply #3 on: May 03, 2021, 08:08:07 PM »
Hi Donn,

Some code, since in my above message I'm just all talk.

To check for someone on the BanList and update the ModStamp if we find them.

  ! Look the caller up on the BanList; the IP comes from the XIP header (see below).
  ! NOTE: the header value is spliced straight into SQL, so validate it as an IP first.
  Access:BanList.Open()
  BanList{PROP:SQL} = 'SELECT * FROM BanList WHERE IP='''&CLIP(GetRequestDetails(p_web,'XIP'))&''''
  NEXT(BanList)
  IF ERRORCODE() = 0                   ! a row came back, so this IP is banned
    ! refresh ModStamp so the table records when the banned IP was last seen
    BanList{PROP:SQL} = 'UPDATE BanList SET ModStamp='&TimestampZ()&' WHERE IP='''&CLIP(GetRequestDetails(p_web,'XIP'))&''''
    p_web.SendError(503,'Unavailable','Service unavailable')
    RETURN False                       ! stop processing this request
  .


In my case I have a CheckConnection() function that does numerous things including checking for Banned IPs. On a normal NT server you would place it before Process or ProcessLink etc.

This API is behind an AWS Elastic Load Balancer so to get the IP address I have to extract it from the XIP HTTP Header field. GetRequestDetails is a function of mine that does lots of things like that. You can just access FromIP from the NetTalk structures.

To put someone on the BanList.

    ! Add the caller's IP to the BanList with first-seen (NewStamp) and last-seen (ModStamp) times
    Access:BanList.Open()
    CLEAR(BAN:Record)
    BAN:IP = GetRequestDetails(p_web,'XIP')
    BAN:NewStamp = TimestampZ()
    BAN:ModStamp = TimestampZ()
    ADD(BanList)
    ! Audit trail: record who was banned and when
    WriteToLog('BanList.LOG','IP: '&CLIP(BAN:IP)&' Date:'&FORMAT(TODAY(),@d6)&' @ '&FORMAT(CLOCK(),@t3)&' 401 Ban','')


Just all basic code. I'm not so concerned about performance as this API is sitting behind a load balancer with many EXEs doing the work, and it's only handling about 100,000 calls a day.

Regards
Bill
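An added example (not code from this thread or from NetTalk), in Python rather than Clarion, of the scheme Bill describes in his two replies above combined with the file persistence Donn asked for: load the list at start-up, check the client IP before serving a request, refresh ModStamp and answer 503 on a hit, and ban permanently on a honeypot path. The file path, honeypot paths and IP addresses are constructed; the client IP is assumed to have already been taken from a trusted source (the peer address, or the proxy header only when the peer is your own load balancer).

```python
import ipaddress, json, threading, time
from pathlib import Path

# Constructed honeypot paths: nothing legitimate is routed here, so a request for one is a probe.
HONEYPOT_PATHS = {"/admin/phpmyadmin", "/.env"}

def parse_ip(value):
    """Canonical IP string, or None if the value (e.g. a spoofed header) is not an address."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None

class BanList:
    """In-memory ban list guarded by a lock and mirrored to a JSON file on every change."""
    def __init__(self, path, now=time.time):
        self._path, self._lock, self._now = Path(path), threading.Lock(), now
        self._entries = {}  # ip -> {"new": first-ban time, "mod": last-seen time}
        if self._path.exists():  # reload bans from the previous run
            self._entries = json.loads(self._path.read_text() or "{}")

    def _save(self):  # caller holds the lock
        tmp = self._path.with_suffix(".tmp")
        tmp.write_text(json.dumps(self._entries, indent=1))
        tmp.replace(self._path)  # atomic rename: a crash mid-write cannot truncate the list

    def ban(self, ip):
        ip = parse_ip(ip)
        if ip is None:
            return False
        with self._lock:
            ts = self._now()
            self._entries.setdefault(ip, {"new": ts})["mod"] = ts
            self._save()
        return True

    def check(self, ip, path):
        """Status to send instead of serving the request (503 banned, 400 bad IP), or None."""
        ip = parse_ip(ip)
        if ip is None:
            return 400
        with self._lock:
            entry = self._entries.get(ip)
            if entry is not None:  # refresh ModStamp, as in Bill's UPDATE
                entry["mod"] = self._now()
                self._save()
                return 503
        if path in HONEYPOT_PATHS:
            self.ban(ip)
            return 503
        return None
```

Call `check()` where Bill places CheckConnection(), before Process or ProcessLink; a second BanList built on the same file after a restart still rejects the banned addresses.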

DonnEdwards

Re: How to make a "sticky" ban list.
« Reply #4 on: May 09, 2021, 11:06:08 AM »
Thank you. How do you handle security? Using Secwin or something else? My app is a medical database, and they also want an API server.
If you're happy with your security, then so are the bad guys

bshields

Re: How to make a "sticky" ban list.
« Reply #5 on: May 09, 2021, 06:21:17 PM »
Hi Donn,

This falls into two categories; access and security.

As I understand from your question's context, SecWin would look after access (who can connect and what they can do when they have).

Whereas when I think of security it's also about keeping people without access out.

I manage access myself. I have a table of third parties (APIClients). As my database stores data for many clients (Offices), the third parties are then granted permission to Clients and then further access to Clients' data.

APIClient -->> APIClient2Office -->> SecurityArea

In my case SecurityArea refers to an arbitrary name that corresponds to a security subset (like access to CRM data, or financial data, or marketing campaign data, that sort of thing).

I'm sure SecWin does something similar (but I built this API 5 years ago, so I had to roll my own).

For security I use Basic authentication and require an SSL connection (Each APIClient gets their own Auth Header).

I must stress this approach is only suitable for Business-to-Business connections, with trusted servers. Customers who use this API are told so, and any detection otherwise gets their credentials revoked.

I have other APIs (like the one I mentioned that gets serious hack attempts) and those APIs are used from iOS and Android apps, and in this scenario you cannot trust SSL (at all). A completely different approach is required.

But, I'm guessing you are doing business-to-business.

Regards
Bill


DonnEdwards

Re: How to make a "sticky" ban list.
« Reply #6 on: May 10, 2021, 02:42:14 AM »
Thanks Bill. You have given me a lot to think about, and I am grateful for you sharing your experience.
If you're happy with your security, then so are the bad guys