Threat Shield seems not working

Igonet · October 29, 2024, 12:52pm

Hi,
as i’ve stated in the title, i tried to test the threat shield banning feature, with the following patterns: “Exit before auth from” and “authentication failed for user” which are the default ones.

The latter should monitor/ban any ip when it does more than 3 attempts to access the webui.
I’ve tested this by trying to login into the webui with random (non correct) credentials.
While i can see the failed auth attempts in the logs, threat shield seems to fail in banning the IP, as i can still see the webui/try to login after 3 attempts.

As a side note, would including “AUTH_FAILED” be a good enough pattern to block attempts on OpenVPN RW connections? Would it cause false positives?

I also noticed the lack of a webui regarding banned ip and a toggle to unban them; I’m aware that i can do that via CLI, but i’m asking about a GUI. Will that ever be available?

Any suggestions?

Thanks in advance.

izuky · October 29, 2024, 4:50pm

I confirm, I also noticed the problem, in the logs the banned IP is correctly indicated but you can continue to make attempts in the UI.
However, I noticed that after a while, the UI is correctly blocked.
So I imagine that after a while banip is restarted and works.
Let’s see what the nethesis guys say

@giacomo this seems like a bug. Do you think you could open an issue for it?

giacomo · October 30, 2024, 9:01am

Confirmed: Threat shield detects failed logins but does not block traffic from suspicious IPs · Issue #878 · NethServer/nethsecurity · GitHub

I’d say yes, but I have no estimation date.

Igonet · October 30, 2024, 12:10pm

for this?

giacomo · October 30, 2024, 1:20pm

Someone passed me these regexp to test for OpenVPN:

failregex = ^ (.*) TLS Error: incoming packet authentication failed from \[AF_INET\]<HOST>:\d+$
            ^ (.*) <HOST>:\d+ Connection reset, restarting
            ^ (.*) <HOST>:\d+ TLS Auth Error
            ^ (.*) <HOST>:\d+ TLS Error: TLS handshake failed$
            ^ (.*) <HOST>:\d+ VERIFY ERROR
            ^ (.*) <HOST>:\d+ TLS Error: TLS key negotiation failed to occur within 60 seconds.*$

failregex =%(__prefix_line)s<HOST>:[0-9]{4,5} TLS Auth Error:.*
           %(__prefix_line)s<HOST>:[0-9]{4,5} VERIFY ERROR:.*
           %(__prefix_line)s<HOST>:[0-9]{4,5} TLS Error: TLS handshake failed.*
           %(__prefix_line)sTLS Error: cannot locate HMAC in incoming packet from \[AF_INET\]<HOST>:[0-9]{4,5}

I think they come from another software but I never tried.
So no idea if they work or not.

If you have time, test them and report back!

Khulisa · October 30, 2024, 2:57pm

Not sure how to test failregex but adding the following 3 patterns to Threat Shield

o	TLS Auth Error
o	TLS handshake failed
o	AUTH_FAILED

adds the failing attempt IP to blocklistv4 and blocks after the Ban after N failed accesses threshold is reached.

Tbaile · October 31, 2024, 1:59pm

I’ve closed the issue regarding the conntrack not banning the IPs that are invalid. After investigation the issue wasn’t related to banip not banning, however it resides on conntrack keeping the connection active, so that something like this happens after a while:

This seems nothing we can do about at the moment, and considering how conntrack handles connections and all the different combination of cases to support, the issue has been closed

Igonet · November 6, 2024, 8:58am

Hi, have you tried banIp for openVPN? works

Khulisa · November 6, 2024, 11:36am

It works, see 2 posts up. I tested a non existent account and a disabled account and pulled errors from the log. AUTH_FAILED is triggered from a disabled account, the other two from a non existent.

giacomo · November 7, 2024, 2:40pm

Thanks, I’ve opened a PR to the documentation with your info: feat(threat shield): add OpenVPN patterns by gsanchietti · Pull Request #132 · NethServer/nethsecurity-docs · GitHub