ProxyFilter

The BitNinja agent blocks connections at layer 4 of the OSI model (the Transport layer), that is, on the basis of the TCP/IP source address. This made blocking attacks that arrive through trusted proxies - like CloudFlare, MaxCDN, etc. - problematic: the agent only saw the proxy's IP address, so blocking the attacker meant blocking the proxy IP address, which is shared by every visitor coming through that proxy.

The goal of this module is to raise the evaluation of requests arriving from trusted proxies to the Application Layer (OSI Layer 7), where the HTTP headers the proxy adds can be interpreted.

If the connection comes from a trusted proxy, the IP address carried in the X-Forwarded-For header, rather than the proxy's own address, is the base IP for incidents. The header is only honoured for connections whose source is a listed trusted proxy; an X-Forwarded-For header sent directly by a client is attacker-controlled and is not used.
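The decision described above, as an added Python example that is not BitNinja's code: it models the layer-4 test (is the TCP peer a listed proxy?) and the layer-7 step (which X-Forwarded-For hop is the client?). It goes slightly beyond the paragraph by handling a multi-hop header, where the real client is the rightmost hop that is not itself a trusted proxy, since everything to the left of that hop was supplied by the client and cannot be verified. The trusted networks are constructed IETF documentation ranges, not the contents of globalList.json or userList.json.

```python
import ipaddress
from typing import List, Optional

# Constructed trusted-proxy list for this example (IETF documentation ranges).
# The real module downloads a global and a user-level list and falls back to
# /opt/bitninja/ProxyFilter/defaultSets/{globalList,userList}.json.
TRUSTED_PROXIES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:1::/48"),
]


def is_trusted_proxy(addr: Optional[str], trusted=TRUSTED_PROXIES) -> bool:
    """Layer-4 decision: is this address inside one of the trusted proxy networks?"""
    if addr is None:
        return False
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def parse_xff(header: Optional[str]) -> List[Optional[str]]:
    """Split X-Forwarded-For into hops, leftmost (client) to rightmost (last proxy).

    Each hop is normalised to a canonical IP string; a hop that is not a valid
    address is kept as None so its position in the chain is preserved.
    """
    hops: List[Optional[str]] = []
    if not header:
        return hops
    for part in header.split(","):
        part = part.strip()
        if part.startswith("[") and "]" in part:      # "[2001:db8::1]:443"
            part = part[1:part.index("]")]
        elif part.count(":") == 1:                    # "198.51.100.7:51234"
            part = part.split(":", 1)[0]
        try:
            hops.append(str(ipaddress.ip_address(part)))
        except ValueError:
            hops.append(None)
    return hops


def incident_base_ip(peer_ip: str, xff: Optional[str], trusted=TRUSTED_PROXIES) -> str:
    """Return the IP an incident should be attributed to.

    - Peer is not a trusted proxy: X-Forwarded-For is attacker-controlled, so
      it is ignored and the peer itself is the base IP (plain layer-4 view).
    - Peer is a trusted proxy: walk the header from right to left, skipping
      hops that are themselves trusted proxies (a chain of proxies); the first
      other hop is the address the trusted proxy appended for the client.
    - Header missing, or that hop is not a valid address: fall back to the
      peer so that nothing is greylisted on the strength of a garbage value.
    """
    if not is_trusted_proxy(peer_ip, trusted):
        return peer_ip
    for hop in reversed(parse_xff(xff)):
        if hop is None:
            break
        if not is_trusted_proxy(hop, trusted):
            return hop
    return peer_ip


if __name__ == "__main__":
    cases = [
        ("203.0.113.10", "198.51.100.7"),                          # proxy -> client
        ("198.51.100.7", "203.0.113.10"),                          # direct client forging XFF
        ("203.0.113.10", "10.0.0.1, 198.51.100.7, 203.0.113.20"),  # client-injected hop on the left
        ("203.0.113.10", None),                                    # proxy without header
    ]
    for peer, header in cases:
        print(f"peer={peer!s:16} xff={header!s:40} -> {incident_base_ip(peer, header)}")
```

The second case is the one that matters for safety: a client connecting directly while forging X-Forwarded-For cannot get a third party greylisted, because the header is only consulted once the peer has passed the layer-4 trusted-proxy test.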

How does it work?

When the module starts, it tries to download a global and a user-level proxy IP list. If the download fails, it falls back to the JSON files in the /opt/bitninja/ProxyFilter/defaultSets folder: globalList.json and userList.json.

Even while the module is disabled, these lists help the CaptchaHttp and Shogun modules avoid putting trusted proxy IP addresses onto the greylist and generating incidents about them.

When the ProxyFilter module is enabled, it will:

  • modify and reload the WAF trusted proxy configurations, and create the following file: /opt/bitninja-waf/etc/BitNinjaProxy/trusted_proxy.conf
  • modify the configurations of the SslTerminating module, and reload the configurations
  • create the following HTTP and HTTPS trusted proxy frontends: /opt/bitninja-ssl-termination/etc/haproxy/configs/trusted_proxy_http.cfg and /opt/bitninja-ssl-termination/etc/haproxy/configs/trusted_proxy_https.cfg
  • create the following HTTP WAF proxy frontend: /opt/bitninja-ssl-termination/etc/haproxy/configs/waf_proxy_http.cfg
  • create HAProxy maps from the loaded ipsets:
      • /var/lib/bitninja/ProxyFilter/whitelist.map from the user-whitelist and user-whitelist-net
      • /var/lib/bitninja/ProxyFilter/blacklist.map from the user-blacklist, user-blacklist-net, essential-list and blacklist
      • /var/lib/bitninja/ProxyFilter/greylist.map from the greylist, if there is at least 2GB of free memory in the system and loading of the greylist is enabled in the config
  • create ipsets for IPv4 and IPv6 trusted proxy IPs and the iptables/firewall rules that will redirect traffic to the newly created HAProxy frontends

When the module is disabled, it will remove:

  • the iptables port redirections
  • the SslTerminating trusted proxy frontends and reload HAProxy configurations
  • WAF trusted proxy configurations and reload the configs

System requirements

Loading the whole greylist into a HAProxy map uses approximately 600MB of memory, and a configuration reload temporarily needs twice that, because the new HAProxy instance starts before the running one stops. For this reason BitNinja will only load the greylist into the HAProxy map if there is at least 2GB of free memory. If that is not the case, ProxyFilter will only work with the newly greylisted IP addresses.

CLI commands

You can enable the module using the following command:

bitninjacli --module=ProxyFilter --enabled

To disable the module, use the following command:

bitninjacli --module=ProxyFilter --disabled

Configurations

You can find the module’s configuration file at /etc/bitninja/ProxyFilter/config.ini

;
;
; BitNinja ProxyFilter Module Dependency file
;
;
[core]
; Load entire Greylist to HAProxy or use a dummy empty file and only work with IP updates
;
; 0 don't load Greylist. Work with IP updates. Reduce memory usage of HAProxy
; 1 load Greylist. More protection. Needs at least greylist_load_free_memory_limit free memory.
load_greylist = 1
; Free memory limit, in megabytes, required before trying to load the greylist into the HAProxy greylist.map.
;
; This map can take 600 MB of memory alone. Config reloading doubles this value.
; New HAProxy instance starts before stopping the running one.
;
greylist_load_free_memory_limit = 2000
;
; Enable the experimental module here before it can be enabled on the Dashboard.
; The module will then not ask the API whether it is enabled or not.
;
;module_enabled = 0

How to check if the module is working?

iptables -S -t nat | grep HEIMDALL-PROXY-FILTER; netstat -lntp | grep haproxy

-N HEIMDALL-PROXY-FILTER
-A HEIMDALL-GREY -m comment --comment "Rule added by Bitninja" -j HEIMDALL-PROXY-FILTER
-A HEIMDALL-PROXY-FILTER -d 1.2.3.4/32 -p tcp -m comment --comment "Rule added by Bitninja" -m set --match-set heimdall-proxy-list-net src -m tcp --dport 80 -j DNAT --to-destination 1.2.3.4:60416
-A HEIMDALL-PROXY-FILTER -d 1.2.3.4/32 -p tcp -m comment --comment "Rule added by Bitninja" -m set --match-set heimdall-proxy-list-net src -m tcp --dport 443 -j DNAT --to-destination 1.2.3.4:60417

tcp 0 0 0.0.0.0:60413 0.0.0.0:* LISTEN 24832/haproxy
tcp 0 0 0.0.0.0:60414 0.0.0.0:* LISTEN 24832/haproxy
tcp 0 0 0.0.0.0:60415 0.0.0.0:* LISTEN 24832/haproxy
tcp 0 0 0.0.0.0:60416 0.0.0.0:* LISTEN 24832/haproxy
tcp 0 0 0.0.0.0:60417 0.0.0.0:* LISTEN 24832/haproxy
tcp 0 0 127.0.0.1:1936 0.0.0.0:* LISTEN 24832/haproxy
tcp6 0 0 :::60413 :::* LISTEN 24832/haproxy
tcp6 0 0 :::60414 :::* LISTEN 24832/haproxy
tcp6 0 0 :::60415 :::* LISTEN 24832/haproxy
tcp6 0 0 :::60416 :::* LISTEN 24832/haproxy
tcp6 0 0 :::60417 :::* LISTEN 24832/haproxy
  • 60413: Captcha HTTPS frontend
  • 60414: WAF HTTPS frontend
  • 60415: WAF HTTP frontend
  • 60416: Trusted Proxy HTTP frontend
  • 60417: Trusted Proxy HTTPS frontend
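The same check as a script, added here as an example and not part of BitNinja: it parses the output of the two commands above and verifies that the HEIMDALL-PROXY-FILTER nat chain exists, that HEIMDALL-GREY jumps to it, and that every DNAT target port actually has a HAProxy listener, so a redirect to a dead port (which would black-hole proxied traffic) is reported instead of going unnoticed. The sample output embedded below is constructed from the listing above so the script runs offline; on a live server, feed it the real `iptables -S -t nat` and `netstat -lntp` output (the listener regex assumes netstat's column layout, not that of `ss`).

```python
import re
from typing import List, Set, Tuple

# Constructed sample output, shaped like the two commands on this page:
#   iptables -S -t nat | grep HEIMDALL-PROXY-FILTER
#   netstat -lntp | grep haproxy
SAMPLE_NAT_RULES = """\
-N HEIMDALL-PROXY-FILTER
-A HEIMDALL-GREY -m comment --comment "Rule added by Bitninja" -j HEIMDALL-PROXY-FILTER
-A HEIMDALL-PROXY-FILTER -d 1.2.3.4/32 -p tcp -m comment --comment "Rule added by Bitninja" -m set --match-set heimdall-proxy-list-net src -m tcp --dport 80 -j DNAT --to-destination 1.2.3.4:60416
-A HEIMDALL-PROXY-FILTER -d 1.2.3.4/32 -p tcp -m comment --comment "Rule added by Bitninja" -m set --match-set heimdall-proxy-list-net src -m tcp --dport 443 -j DNAT --to-destination 1.2.3.4:60417
"""

SAMPLE_LISTENERS = """\
tcp 0 0 0.0.0.0:60416 0.0.0.0:* LISTEN 24832/haproxy
tcp 0 0 0.0.0.0:60417 0.0.0.0:* LISTEN 24832/haproxy
tcp 0 0 127.0.0.1:1936 0.0.0.0:* LISTEN 24832/haproxy
tcp6 0 0 :::60416 :::* LISTEN 24832/haproxy
tcp6 0 0 :::60417 :::* LISTEN 24832/haproxy
"""

# A DNAT rule in the ProxyFilter chain: which ipset it matches, which
# destination port it catches, and which local port it redirects to.
DNAT_RE = re.compile(
    r"^-A HEIMDALL-PROXY-FILTER\b.*--match-set (?P<set>\S+) src.*--dport (?P<dport>\d+)"
    r".*-j DNAT --to-destination \S+:(?P<target>\d+)"
)
# A netstat -lntp line owned by haproxy (IPv4 "0.0.0.0:port" or IPv6 ":::port").
LISTEN_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+LISTEN\s+\d+/haproxy"
)


def parse_redirects(nat_output: str) -> List[Tuple[str, int, int]]:
    """(ipset, original dport, HAProxy frontend port) for each DNAT rule in the chain."""
    out = []
    for line in nat_output.splitlines():
        m = DNAT_RE.match(line)
        if m:
            out.append((m["set"], int(m["dport"]), int(m["target"])))
    return out


def parse_haproxy_listeners(netstat_output: str) -> Set[int]:
    """Ports on which a haproxy process is listening, IPv4 and IPv6 merged."""
    ports = set()
    for line in netstat_output.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            ports.add(int(m["port"]))
    return ports


def check_proxyfilter(nat_output: str, netstat_output: str) -> Tuple[bool, List[str]]:
    """Return (ok, findings); ok is True only when every check passes."""
    findings = []
    lines = [l.strip() for l in nat_output.splitlines()]
    if "-N HEIMDALL-PROXY-FILTER" not in lines:
        findings.append("nat chain HEIMDALL-PROXY-FILTER is missing (module disabled or firewall rules not loaded)")
    if not any(l.startswith("-A HEIMDALL-GREY") and l.endswith("-j HEIMDALL-PROXY-FILTER") for l in lines):
        findings.append("HEIMDALL-GREY does not jump to HEIMDALL-PROXY-FILTER: proxy traffic is not diverted")
    redirects = parse_redirects(nat_output)
    listening = parse_haproxy_listeners(netstat_output)
    if not redirects:
        findings.append("no DNAT rules in HEIMDALL-PROXY-FILTER")
    for ipset, dport, target in redirects:
        if target not in listening:
            findings.append(f"dport {dport} from set {ipset} is redirected to {target}, "
                            f"but no haproxy process listens there")
    return (not findings, findings)


if __name__ == "__main__":
    ok, findings = check_proxyfilter(SAMPLE_NAT_RULES, SAMPLE_LISTENERS)
    print("ProxyFilter OK" if ok else "\n".join(findings))
```

With the sample input the result is "ProxyFilter OK"; drop the 60417 listener line and the script names the orphaned redirect for port 443, which is exactly the condition a mis-reloaded HAProxy configuration would produce.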