firewall — LowEndSpirit https://lowendspirit.com/index.php?p=/ Thu, 04 Jun 2026 06:24:51 +0000 en firewall — LowEndSpirit Reinventing the ApisCP WAF https://lowendspirit.com/index.php?p=/discussion/9700/reinventing-the-apiscp-waf Sat, 21 Jun 2025 01:34:00 +0000 Technical nem 9700@/index.php?p=/discussions Long time since I've posted, and this one's a fun one. I'd like to pick your brains.

ApisCP based its original WAF on mod_evasive. It's a simple counter that tracks inbound requests per process. Evasive is easily circumvented if keep-alives are disabled or the client explicitly closes a connection. A "200 OK" CSS request is just as significant as a 404 that flows through to a dispatcher, like WordPress, and serves out a dynamic - fully loaded - WordPress site. As of late, I've seen changes in bot request patterns that makes this solution inadequate.

mod_shield rethinks this approach. It's a full rewrite of Evasive.

Features

  • Hits are shared across processes

    • Records are fixed at 176 bytes allowing for 3k unique hits over a 2 minute window at 512 KB
    • Autoexpire, autoeviction w/ LRU policy
    • Cache resizable
    • Can be stored to memcached or Redis providers to share hits across servers

  • HTTP statuses and page loads are scorable

    • Status points may penalize 404s allowing for faster blacklisting of random probes
    • Works with custom HTTP status codes, e.g. returning 499 from backend could score 10000000 resulting in immediate block.
    • Fast loads remove decrease points while slow loads may add to point total
    • Complex scoring is possible, e.g. 1s < load < 2s = 5 pts, 2s <= x < 10s = 7 pts, load >= 10s = 10 pts
    • Addresses DoS situations where bots hit database-heavy requests, like search

  • Blocks counted per event

    • For each block application, the duration may be longer than previously applied
    • Counted for life of system service process
    • Both RFC7231 "Retry-After" + RateLimit headers are sent to guide a compliant client

  • Proxy support

    • Pierces Cloudflare's tunnel in which the edge address cannot be blocked without disrupting Cloudflare usage
    • Works with any other downstream proxy as defined using mod_remoteip

  • Fast, Minimal Overhead

    • Occurs early in processing axis, ~13% faster than mod_evasive :blush:
    • Requires 3 separate memory chunks for per-site, per-page, and active-blocks.

  • Improved logging

    • Status handler executive summary
      epsilon-status-handler|669x500

    • Diagnostics, get a better idea of how things score and why. Doubles as a telemetry module without blocking.

    [Fri Jun 20 17:27:18.044384 2025] [shield:info] [pid 2241388:tid 2241454] [client 35.196.24.130:58136] Request status 301 flagged with score 25
    [Fri Jun 20 17:27:18.626983 2025] [shield:info] [pid 2241388:tid 2241452] [client 35.196.24.130:58136] Request status 404 flagged with score 50
    [Fri Jun 20 17:27:22.265283 2025] [shield:info] [pid 2241388:tid 2241455] [client 35.196.24.130:60824] blocking period started for IP: 35.196.24.130 (expiry: 1750541242264768)
    [Fri Jun 20 17:31:46.372136 2025] [shield:info] [pid 2246513:tid 2246541] [client 103.205.211.78:47894] Request status 302 flagged with score 25
    [Fri Jun 20 17:31:47.559982 2025] [shield:info] [pid 2246566:tid 2246607] [client 103.205.211.78:40392] Request status 301 flagged with score 25, referer: http://x.com/xmlrpc.php
    [Fri Jun 20 17:31:48.719776 2025] [shield:info] [pid 2246513:tid 2246539] [client 103.205.211.78:40530] Request status 404 flagged with score 50, referer: https://x.com/xmlrpc.php
    [Fri Jun 20 17:32:03.948083 2025] [shield:info] [pid 2241389:tid 2241464] [client 138.117.18.67:52430] Request status 404 flagged with score 50
    [Fri Jun 20 17:39:03.452497 2025] [shield:info] [pid 2246566:tid 2246607] [client 193.203.10.164:32349] Request status 404 flagged with score 50
    [Fri Jun 20 17:41:51.467151 2025] [shield:info] [pid 2246513:tid 2246540] [client 177.10.34.242:13784] Request status 404 flagged with score 50
    [Fri Jun 20 17:43:28.093184 2025] [shield:info] [pid 2246513:tid 2246535] [client 177.204.39.240:58988] Request status 404 flagged with score 50
    [Fri Jun 20 18:18:46.574231 2025] [shield:notice] [pid 2241388:tid 2241446] [client 114.119.128.58:36383] Request round-trip 1069 ms exceeds limit 1000 ms. Scoring 1 /dsc_hdr-copy/ (proto: HTTP/1.1), referer: https://x.com/dsc_hdr-copy/

Ideas so far

  • GeoIP blocking

    • I'm not a fan, works contrary that this firewall works adaptively based upon malicious traffic. Bad actors should be blocked organically.

  • JS challenge to unblock

    • Will be added in a later release. For now, blocks can be done within ApisCP's panel.

What else would you like to see added?

Running ApisCP already? You can swap to Shield today:
dnf --enablerepo=apnscp-testing update -y mod_shield

Module is RC stage. It'll be part of the next major ApisCP release :+1:

]]> Home Network Advice Please: Firewall/Router, WiFi Access Points/Multiple SSIDs, Switches and VLANs? https://lowendspirit.com/index.php?p=/discussion/6261/home-network-advice-please-firewall-router-wifi-access-points-multiple-ssids-switches-and-vlans Thu, 03 Aug 2023 11:44:13 +0000 Help xleet 6261@/index.php?p=/discussions I need to replace my home network. I have had enough of Sophos and their free UTM (for home users).

WHAT I HAVE:
I have a direct Ethernet bridge (cable modem) with DHCP to the internet. I get one public IPv4 address and a typical IPv6 (/64?) home connection. Ethernet cables go between the office closet and all rooms in the house. There are switches in some rooms that have multiple devices. There are four WiFi access points in various rooms to yield full coverage of the house and backyard.

WHAT I NEED:

  • Firewall / Router that supports the network. I have an 8 port "SG135" Sophos appliance, but do not mind wiping it and installing other software on that same hardware.
  • Four WiFi access points that support multiple SSIDs. I want to isolate home appliances and devices from the primary LAN that personal computers use. That requires multiple SSIDs. A "guest network" is not sufficient. I assume it would use a separate VLAN for each SSID.
  • Small VLAN-capable switches in a few of the rooms.
  • A VLAN-capable switch in the office closet.
  • The access points and VLAN switches must be reasonably easy to manage and configure. I understand that it is complex, but some models of access points and VLAN switches make the problem much harder.

I bought some very cheap TP-Link switches. Not only are they not secure, but they are nearly impossible to configure. It becomes a real "bootstrap" nightmare trying to configure access points with SSIDs on VLANs, then the TP-Link cheap switches, and then the office closet equipment without cutting something off accidentally. It is a nightmarish bootstrap process. The TP-Link switches run HTTP with open passwords on the network. No more of that, please.

This is a home network, not a business. I do not want to spend excessive amounts, nor do I want any license "subscriptions" or "renewals".

-> What would you recommend? I need access points, smart switches, and a good firewall/router to put it all together.

]]> OpenSense Hardening & sunnyvalley.cloud referral https://lowendspirit.com/index.php?p=/discussion/5906/opensense-hardening-sunnyvalley-cloud-referral Thu, 11 May 2023 19:10:54 +0000 Help hornet 5906@/index.php?p=/discussions I have been reading about and watching pfSense and OpenSense videos for one year. Time to pull the trigger.

Looking to have a rock-hard residential connection. Which setup tweaks do you recommend? Plug-ins?

Anyone have a sunnyvalley.cloud referral link?

]]> LowEnd Segmented Wireless and Wired VLAN Networks https://lowendspirit.com/index.php?p=/discussion/4603/lowend-segmented-wireless-and-wired-vlan-networks Sat, 17 Sep 2022 17:44:33 +0000 Technical xleet 4603@/index.php?p=/discussions I would like to segment my home network into separate VLANs. The goal is to prevent appliances like doorbell cameras and video streaming devices from accessing the LAN that residents use for their personal computers and phones.

That means several WiFi SSIDs that are on separate LAN segments. I have switches that support 802.1q VLAN tagging, but they are still operating as unmanaged switches.

Which firewall would you recommend that supports this kind of networking with VLAN tagging?
Which access points would you recommend that support multiple SSIDs (say 8 different ones) with appropriate VLAN tagging?

]]> New WAF by Cloudflare.. will you bite? https://lowendspirit.com/index.php?p=/discussion/2736/new-waf-by-cloudflare-will-you-bite Wed, 31 Mar 2021 12:44:23 +0000 Industry News vyas 2736@/index.php?p=/discussions Preference (of course ) for paid tier.

https://blog.cloudflare.com/new-cloudflare-waf/

Or will you go DIY route?

]]> Linode Firewall (Beta) https://lowendspirit.com/index.php?p=/discussion/1967/linode-firewall-beta Sat, 24 Oct 2020 00:17:39 +0000 General vyas 1967@/index.php?p=/discussions I came across a post talking about Linode Firewall that is in beta. One has to apply to the program to use but...

My question : is this different (or better ) than standard / cli tools ?

https://www.linode.com/products/firewall/

]]> General Setup for MMO and Firewall https://lowendspirit.com/index.php?p=/discussion/1512/general-setup-for-mmo-and-firewall Mon, 27 Jul 2020 00:19:14 +0000 Technical kind 1512@/index.php?p=/discussions Hello guys, its me again.
As im progress with the setup, new doubts are comming.
First of all, im gonna tell you about my setup and why I rent a dedicated server.
I have 2 servers of MMORPG, and, usually we (the ppl who has this kind of servers) rent vps, problem is most of the ppl who rent related to this game don't have a clue about nothing, and oversell resources af. So, since my 2 vps cost around 35USD monthly, I decided to take the leap and move to soyoustart.
My goal is to setup 4 vps with Windows Server (2 operationals and 2 for test).
This is the specs of my server: SYS-LE-2 Server - Intel Xeon E5-1620v2 - 32GB DDR3 ECC 1600MHz - 2x 800GB SSD SATA Soft RAID and it has Proxmox VE 6.2.

That being said, I have a couple of general questions:
1. OVH Monitor isn't enabled for SYS right?
2. Do you recommend to have RAID setup for this use? Currently I have one of the SSD unmounted.
3. What its the best configuration for Windows regarding VM options. Screen:

And about Firewall (the same topic since setup is relevant):
1. Is there a file config to see all the rules that has been applied? Im aware of iptables -S
2. Do you really see crucial to add a rule for SSH and GUI access only from 1 ip? Im from Argentina, and all the companies here use dynamic ip, or its enough with anti brute rules?
3. All the rules I apply to main server in SSH would be apply to my VM's if network firewall is enabled?
4. Need to limit connection ammount per IP and per time, I read this tutorial (hope isn't againts the rules share the link) https://javapipe.com/blog/iptables-ddos-protection/ with a bit of tweaks could be exactly what I need, only if I can add a ban to the ip that exceed the limite, for 30mins lets said.
5. Is there a way to add a whitelist IP for certain rules only? Like for example, I wanna limit connections with the rules from the link above, to 15 connections over 30sec.

Think that would be all. Thanks to all for reading, sorry for all the questions and the bad english ^^

]]> Do you block traffic from China? https://lowendspirit.com/index.php?p=/discussion/468/do-you-block-traffic-from-china Thu, 09 Jan 2020 10:15:19 +0000 Technical havoc 468@/index.php?p=/discussions From reading various things on the intertubes at least some people seem to do this. On the basis that a lot of the traffic is not legit and/or malicious.

Thoughts on this? yay/nay

Also, anybody know a clean way of managing this type of stuff. I know one can download country IP blocks and funnel it into iptables but not sure how to remove/manage

]]>