OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: labsy on April 02, 2018, 02:52:32 pm

Title: Integration with Mail, Joomla, Wordpress security
Post by: labsy on April 02, 2018, 02:52:32 pm
Hi,

I host hundreds of Wordpress, Joomla and other web sites behind an OPNSense firewall. Besides those, I also have a few MAIL servers here.
Now, some of the web sites have good security measures via plug-ins, which detect brute-force attacks, some web sites use public black lists of compromised IP addresses to prevent access from them... while other web sites do not have any of those.

My idea is to somehow connect those best security mechanisms of Wordpress, Joomla and others and then use "I don't know which mechanism" to block those attackers at the OPNSense entry level, so I would prevent those hackers from attacking ANY of my web sites and from accessing ANY of the mail servers, which are behind my OPNSense.

Any ideas?
Title: Re: Integration with Mail, Joomla, Wordpress security
Post by: fabian on April 02, 2018, 03:10:23 pm
I wanted to build something like that but never had the time to write it. The idea is creating an API endpoint which can be used to report bad IPs which then will be blocked (and maybe released after some time).
Title: Re: Integration with Mail, Joomla, Wordpress security
Post by: elektroinside on April 03, 2018, 10:57:50 am
I wanted to build something like that but never had the time to write it. The idea is creating an API endpoint which can be used to report bad IPs which then will be blocked (and maybe released after some time).

This would be simply awesome :)
Title: Re: Integration with Mail, Joomla, Wordpress security
Post by: mimugmail on April 03, 2018, 11:22:47 am
Why not use URL host lists and block them via firewall rules (DShield, Spamhaus, FireHOL)?
Title: Re: Integration with Mail, Joomla, Wordpress security
Post by: elektroinside on April 03, 2018, 11:42:34 am
Because the blocking has to be done dynamically, commanded by something (a WP plugin for example, or an extension of an existing one etc). If the brute force is coming from an IP that isn't listed in any of those lists (usually the case with targeted attacks), something has to feed back to the OPNsense box and temporarily slow down or completely block the attack.

While aliases can be used and a list could be maintained somewhere on some webserver, which OPNsense could constantly read, it's an added resource to maintain. It's much simpler to call an API and add the offending IP to a blacklist which a floating rule can later use. And that list could be maintained from the WebGUI.
Title: Re: Integration with Mail, Joomla, Wordpress security
Post by: mimugmail on April 03, 2018, 11:56:30 am
Ok, got it, very special use-case :)
Title: Re: Integration with Mail, Joomla, Wordpress security
Post by: elektroinside on April 03, 2018, 12:38:24 pm
Yes, but I could only imagine the impact if a WP plugin could also be made, published and advertised in their software repository:

"Protect your WP website with a hardware/software appliance - powered by OPNsense" or something.
Existing wp software "firewalls" could also extend their products to include live OPNsense blocking.

I think it would be cool.
Title: Re: Integration with Mail, Joomla, Wordpress security
Post by: labsy on May 05, 2018, 11:11:45 pm
Maybe one way would be that an OPNSense plugin (or a rule) could read the plaintext (or database) cache of blocked IPs, which the security plugins of Wordpress or Joomla create locally. OPNSense would then add those into, for example, an "Abuse IPs" alias list, which is blocked by some rule.

For example:
The WordFence security plugin for WP stores banned IPs in its database.
It would be easy to create a cronjob to pull those out and export them in plaintext, making them available via an (internal) http site.
From there OPNSense could pull them and add them to the "Abuse IPs" alias list. This part is totally unknown to me - how could this be done? Via a plugin? Batch job?
Title: Re: Integration with Mail, Joomla, Wordpress security
Post by: franco on May 06, 2018, 07:51:54 pm
Maybe one way would be that an OPNSense plugin (or a rule) could read the plaintext (or database) cache of blocked IPs, which the security plugins of Wordpress or Joomla create locally. OPNSense would then add those into, for example, an "Abuse IPs" alias list, which is blocked by some rule.

Sounds like firewall alias URL lists to me? :)


Cheers,
Franco
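One way to produce the plaintext list labsy describes, in the one-entry-per-line form a URL-based firewall alias (the kind Franco points to) can fetch. This is an added example, not code from this thread, from OPNsense or from WordFence: the exported lines are constructed, and the safelist of networks that must never be blocked is an assumed placeholder to adjust per site.

```python
import ipaddress

# Constructed sample of what a plugin's ban export might look like once dumped
# to text: duplicates, stray whitespace, a CIDR, an IPv6 address, junk, and an
# internal address that must never reach an edge block list.
SAMPLE_EXPORT = """\
203.0.113.45
203.0.113.45
198.51.100.0/24
2001:db8::17
  192.0.2.9
10.0.0.7
not-an-ip
"""

# Assumed placeholder: networks we never want the alias to block (RFC 1918 here,
# since a mis-exported internal address would lock out our own hosts).
SAFELIST = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_entry(raw):
    """Return an ip_network for one exported line, or None if it is unusable."""
    text = raw.strip()
    if not text or text.startswith("#"):
        return None
    try:
        return ipaddress.ip_network(text, strict=False)
    except ValueError:
        return None

def is_safelisted(net):
    """True if the entry overlaps any network we refuse to block."""
    return any(net.version == s.version and (net.subnet_of(s) or s.subnet_of(net))
               for s in SAFELIST)

def build_alias_list(export_text):
    """Turn the raw export into sorted, deduplicated alias text: single hosts
    as bare addresses, ranges in CIDR form, one entry per line."""
    nets = set()
    for line in export_text.splitlines():
        net = parse_entry(line)
        if net is None or is_safelisted(net):
            continue
        nets.add(net)
    ordered = sorted(nets, key=lambda n: (n.version, n))
    lines = [n.with_prefixlen if n.num_addresses > 1 else str(n.network_address)
             for n in ordered]
    return "".join(l + "\n" for l in lines)

if __name__ == "__main__":
    print(build_alias_list(SAMPLE_EXPORT), end="")
```

Serve the resulting file from the internal web server and point the alias at its URL; the alias refresh interval then sets how quickly a ban made by the plugin takes effect at the firewall.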