Defense In Depth

It’s not just a quippy infosec mantra: layering your defenses does work. Sometimes these layers confound the attackers, actively or passively neutralizing their attacks. Other times, they slow their progress, providing more logs of their activities as they pivot and penetrate, and perhaps giving you the time and the artifacts you need to discover that something untoward is developing.

Don’t Overexpose Yourself

Want to expose a service to the public Internet? Is just dropping it into a DMZ really the best you can do? I’m going to say no; you can do better.

For example, say you want to expose a web UI to the world. Perhaps it is a single, standalone instance serving up static content, or perhaps it is a piece of critical infrastructure tied into the very fabric of your entire enterprise; either way, putting it behind a reverse proxy is likely worth the trouble.

Plenty of Next-Gen Firewalls seem to come with some kind of WAF (Web Application Firewall) integrated into them; if you have assets with this capability, use them.

For this article I’m going to talk about using HAProxy, a well-known and respected piece of proxy software that has been around for a long time and is extremely capable.

Its ability to operate at Layer 4 (TCP) and Layer 7 (HTTP) is what makes it so versatile.

Gather Your Things

What you will need:

1) a good stable OS

I’m going with FreeBSD here; great network stack, good security, hardens well, stable as hell.

2) install haproxy: # pkg install haproxy

3) TOR Exit Node List

4) MaxMind GeoIP Country CSV

5) a beverage of your choice

Step 1:

Drop a hardened instance of your OS of choice in your DMZ

Step 2:

Configure haproxy (see haproxy docs)

Step 3:

Write a script to grab the TOR Exit Node list:

#!/bin/sh
# grab the current TOR exit node list into a temp file and swap it in only on success,
# so a failed fetch cannot leave HAProxy with an empty or truncated list
tor=https://check.torproject.org/torbulkexitlist
acl=/usr/local/etc/tor.acl
fetch -q -o "${acl}.tmp" "${tor}" && mv "${acl}.tmp" "${acl}" && service haproxy reload
# haproxy only reads -f ACL files at startup, hence the reload once the file has changed
exit

cron that job:

15      2       *       *       *       root    /root/torexit.sh

Step 4:

Get a CIDR list of networks for the countries of interest, perhaps to block or to allow depending on your strategy. Download the CSV from MaxMind and process it:

find the geoname code for US:

#grep US GeoLite2-Country-Locations-en.csv

find all US CIDRs and create the ACL:

#grep 6252001 GeoLite2-Country-Blocks-IPv4.csv | cut -d "," -f 1 > /usr/local/etc/us_ipv4.src
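As an added example (not from the original post), here is a small POSIX sh script that does the Step 4 extraction by column rather than by bare grep: it looks up the geoname_id for an ISO code in the Locations CSV, then keeps only blocks whose own geoname_id column equals it, so rows where the id appears only as registered_country_geoname_id or represented_country_geoname_id are left out. The CSV rows are constructed sample data in the GeoLite2 column layout, not real MaxMind data, and the function names are my own.

```shell
#!/bin/sh
# Added example: extract the IPv4 CIDRs for one country from the GeoLite2 Country CSVs,
# matching the exact geoname_id column instead of grepping the id anywhere in the row.

# Look up the geoname_id for an ISO country code (column 5 of the Locations CSV).
country_geoname_id() {
    # $1 = ISO code, $2 = GeoLite2-Country-Locations-en.csv
    awk -F, -v iso="$1" 'NR > 1 && $5 == iso { print $1; exit }' "$2"
}

# Print the CIDR (column 1) of every block whose geoname_id (column 2) equals that id.
country_cidrs() {
    # $1 = ISO code, $2 = Locations CSV, $3 = Blocks IPv4 CSV
    id=$(country_geoname_id "$1" "$2")
    [ -n "$id" ] || { echo "unknown country code: $1" >&2; return 1; }
    awk -F, -v id="$id" 'NR > 1 && $2 == id { print $1 }' "$3"
}

# Constructed sample data (not real GeoLite2 rows) in the real column layout.
tmp=$(mktemp -d)
cat > "$tmp/locations.csv" <<'EOF'
geoname_id,locale_code,continent_code,continent_name,country_iso_code,country_name,is_in_european_union
6252001,en,NA,North America,US,United States,0
2635167,en,EU,Europe,GB,United Kingdom,0
EOF
cat > "$tmp/blocks.csv" <<'EOF'
network,geoname_id,registered_country_geoname_id,represented_country_geoname_id,is_anonymous_proxy,is_satellite_provider
192.0.2.0/24,6252001,6252001,,0,0
198.51.100.0/24,2635167,6252001,,0,0
203.0.113.0/24,6252001,,,0,0
EOF

# Write the ACL file the way Step 4 does. A plain grep for 6252001 would also have
# pulled in 198.51.100.0/24, whose geoname_id is GB and only registered in the US.
country_cidrs US "$tmp/locations.csv" "$tmp/blocks.csv" > "$tmp/us_ipv4.src"
```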

Step 5:

Create a text file called badua.acl and include a list, one item per line, of User Agents you want to reject. For example:

python
ZmEu
MSRPC
antSword

Step 6:

edit haproxy.conf and add the following to the frontend section:

# explicitly block access to certain URIs
        acl restrict path_beg -i /api
        acl restrict path_beg -i /mgmt

# layer 4: reject the connection if the source IP is outside the US
        tcp-request connection reject if !{ src -f /usr/local/etc/us_ipv4.src }
# layer 4: reject the connection if the source IP is a TOR exit node
        tcp-request connection reject if { src -f /usr/local/etc/tor.acl }

# capture the User-Agent so it shows up in the logs
        http-request capture req.hdr(User-Agent) len 100

# layer 7: deny HTTP 1.0 requests, almost always garbage
        http-request deny if HTTP_1.0

# layer 7: deny the request if the User-Agent matches your list of unwanted UAs
        http-request deny if { req.hdr(User-Agent) -i -m beg -f /usr/local/etc/badua.acl }

# layer 7: deny requests for URIs in the restrict ACL
        http-request deny if restrict

# added bonus: simple HTTP to HTTPS redirect
        redirect scheme https code 301 if !{ ssl_fc }

Step 7:

Remember that beverage I told you to get? Enjoy, next round is on me.

Not A WAF

While you can use HAProxy as part of a WAF (a discussion for another day), this configuration is not that. These are just a few tricks you can leverage to increase the security of a web facing service. HAProxy has plenty of other tricks too, like tarpitting, load balancing and being part of a cluster.

You can also send your HAProxy logs to your Graylog or other SIEM / Log Management tool and gain a load of insight into what is going on with that web traffic.

Hope you found this helpful and informative. If you have any other tips for HAProxy hit me up on Twitter.

A Word About TOR Blocking

After posting this I got some feedback on Twitter from Shawn Webb, who is a major force behind the HardenedBSD Project. Shawn made some very valid points about the possible negative effects of blocking TOR. The key consideration for you as a defender is to understand your threat model and to maximize the effectiveness of your controls while minimizing the potential negative impact on legitimate traffic.

To Shawn’s point, certainly not all TOR traffic is malicious; there are plenty of reasons why someone might use TOR, a VPN service, or any number of the anonymizers out there.

The same can be said about country code blocking, User-Agent blocking, blocking HTTP 1.0, or even setting specific SSL protocols and cipher suites. Every control you put in place as a protective measure has the potential to stop some legitimate traffic.

Another point is that a control can be circumvented by a savvy attacker. This is also very true. I don’t see this as a reason to abandon a control; attackers are always circumventing something, I suppose that’s the point. Lock the front door and they’ll sneak around to the back, or climb in through a window, or drop down your chimney. That doesn’t mean you should leave the front door wide open, though.

In the end, you need to assess what you are protecting and decide what controls make sense to employ against the expected attack vectors. It’s always going to be a balancing act.

Thanks again to Shawn for sharing his thoughts on this, give him a follow on Twitter and check out HardenedBSD while you’re at it.