SQL Injection attacks
I have a client with a website behind a FortiGate 60D. I have IPS enabled in the inbound HTTP VIP and get alerted any time an external attack is detected. The last four days there has been an increasing number of HTTP.URI.SQL.Injection attempts. I came back to work today after the weekend and there were dozens of emails all containing multiple intrusion attempts. Most of these attempts are from a couple of IP addresses in Russia and Poland. I'm wondering if there is a way to create a blacklist of IP addresses and block particular IP addresses. I tried creating a topmost rule to block IP addresses but it doesn't work, which I assume is due to the VIP rules. Any ideas how I can outright block Internet IP addresses from accessing my VIPs?
Andre
Labels: Web Application Firewall
You can create a policy on top of all policies, where the destination is
all VIPs and the source is all the IPs that we want to block, something like that:
You can create a Geography object to block all the IPs of a country
and use this object as the source in the policy:
With this we already block IPs with VIP, but it may be an opportunity to
sell a FortiWeb.
Regards!!
Bernardo
On 07/16/2017 05:02 PM, Andre Hannah via Application Security/WAF: wrote:
>
> I have a client with a website behind a FortiGate 60D. I have IPS
> enabled in the inbound HTTP VIP and get alerted any time an external
> attack is detected. The last four days there has been an increasing
> number of HTTP.URI.SQL.Injection attempts. I came back to work today
> after the weekend and there were dozens of emails all containing
> multiple intrusion attempts. Most of these attempts are from a couple
> of IP addresses in Russia and Poland. I'm wondering if there is a way
> to create a blacklist of IP addresses and block particular IP
> addresses. I tried creating a topmost rule to block IP addresses but
> it doesn't work which I assume is due to the VIP rules. Any ideas how
> I can outright block Internet IP addresses from accessing my VIPs?
>
> Andre
>
>
> -----End Original Message-----
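The deny-above-the-VIP-policy approach in the accepted answer, as an added worked example that is not code from this thread or from Fortinet: a small Python script that reads IPS alert lines, counts HTTP.URI.SQL.Injection hits per public source address, and renders the FortiOS CLI for the /32 address objects, an address group and a deny policy whose destination is the VIP(s). The sample alerts are constructed (RFC 5737 documentation addresses stand in for the Russian and Polish sources); the log field names, the interface names `wan1`/`internal`, the VIP name `web-vip` and the object names are assumptions to adapt to your own unit.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample IPS alerts (not real traffic) in the key=value style FortiGate
# uses for syslog. The field names subtype/srcip/action/attack are the ones I know
# from FortiOS IPS logs; treat the exact layout as an assumption and compare it
# with a real line from your own logs before relying on the parser.
SAMPLE_LOGS = """\
date=2017-07-16 time=03:12:41 type="utm" subtype="ips" severity="high" srcip=203.0.113.10 dstip=192.0.2.5 action="detected" attack="HTTP.URI.SQL.Injection" url="/index.php?id=1%27%20OR%201%3D1--"
date=2017-07-16 time=03:12:42 type="utm" subtype="ips" severity="high" srcip=203.0.113.10 dstip=192.0.2.5 action="detected" attack="HTTP.URI.SQL.Injection" url="/index.php?id=1%20UNION%20SELECT%201,2,3--"
date=2017-07-16 time=03:13:07 type="utm" subtype="ips" severity="high" srcip=203.0.113.10 dstip=192.0.2.5 action="detected" attack="HTTP.URI.SQL.Injection" url="/login.php?user=admin%27--"
date=2017-07-16 time=04:01:55 type="utm" subtype="ips" severity="high" srcip=198.51.100.7 dstip=192.0.2.5 action="detected" attack="HTTP.URI.SQL.Injection" url="/news.php?id=-1%27"
date=2017-07-16 time=04:02:10 type="utm" subtype="ips" severity="high" srcip=198.51.100.7 dstip=192.0.2.5 action="detected" attack="HTTP.URI.SQL.Injection" url="/news.php?id=1%20AND%201%3D2"
date=2017-07-16 time=04:02:30 type="utm" subtype="ips" severity="high" srcip=198.51.100.7 dstip=192.0.2.5 action="detected" attack="HTTP.URI.SQL.Injection" url="/news.php?id=1%20AND%201%3D1"
date=2017-07-16 time=05:20:00 type="utm" subtype="ips" severity="medium" srcip=192.0.2.99 dstip=192.0.2.5 action="detected" attack="HTTP.URI.SQL.Injection" url="/search.php?q=it%27s"
date=2017-07-16 time=05:21:00 type="utm" subtype="ips" severity="high" srcip=10.0.0.23 dstip=192.0.2.5 action="detected" attack="HTTP.URI.SQL.Injection" url="/test.php?id=1%27"
date=2017-07-16 time=05:21:01 type="utm" subtype="ips" severity="high" srcip=10.0.0.23 dstip=192.0.2.5 action="detected" attack="HTTP.URI.SQL.Injection" url="/test.php?id=1%27"
date=2017-07-16 time=05:21:02 type="utm" subtype="ips" severity="high" srcip=10.0.0.23 dstip=192.0.2.5 action="detected" attack="HTTP.URI.SQL.Injection" url="/test.php?id=1%27"
date=2017-07-16 time=06:00:00 type="utm" subtype="ips" severity="high" srcip=203.0.113.10 dstip=192.0.2.5 action="detected" attack="HTTP.Unix.Shell.Access" url="/cgi-bin/x?cmd=id"
"""

# key=value pairs; values are either a double-quoted string or a run of non-spaces.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Sources that must never end up in an Internet blocklist: RFC 1918, CGNAT,
# loopback and link-local. A NAT or test-host mistake would otherwise lock out the LAN.
INTERNAL_NETS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16")]


def parse_kv(line: str) -> dict:
    """Parse one key=value log line into a dict, stripping the quotes around values."""
    rec = {}
    for key, value in KV_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        rec[key] = value
    return rec


def _is_internal(ip: str) -> bool:
    try:
        addr = ip_address(ip)
    except ValueError:
        return True  # unparsable source: never emit a block rule for garbage
    return any(addr in net for net in INTERNAL_NETS)


def sqli_sources(log_text: str, min_hits: int = 2,
                 attack: str = "HTTP.URI.SQL.Injection") -> dict:
    """Count IPS hits per public source IP for one signature.

    Sources under min_hits are dropped so a single alert (quite possibly a false
    positive, since IPS is not a WAF) does not block a legitimate visitor.
    """
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_kv(line)
        if rec.get("subtype") != "ips" or rec.get("attack") != attack:
            continue
        src = rec.get("srcip", "")
        if _is_internal(src):
            continue
        hits[src] += 1
    return {ip: n for ip, n in hits.most_common() if n >= min_hits}


def fortios_blocklist_config(sources, vip_names, srcintf="wan1", dstintf="internal",
                             group="SQLi-blocklist", policy_name="Block-SQLi-sources") -> str:
    """Render FortiOS CLI: /32 address objects, an address group, and a deny policy
    from that group to the VIP objects. Object and interface names are assumptions."""
    lines, names = ["config firewall address"], []
    for ip in sorted(sources, key=ip_address):
        name = f"blk-{ip}"
        names.append(name)
        lines += [f'    edit "{name}"', f"        set subnet {ip} 255.255.255.255", "    next"]
    lines.append("end")
    lines += ["config firewall addrgrp", f'    edit "{group}"',
              "        set member " + " ".join(f'"{n}"' for n in names), "    next", "end"]
    lines += ["config firewall policy", "    edit 0",  # 0 = next free policy ID
              f'        set name "{policy_name}"',
              f'        set srcintf "{srcintf}"', f'        set dstintf "{dstintf}"',
              f'        set srcaddr "{group}"',
              "        set dstaddr " + " ".join(f'"{v}"' for v in vip_names),
              "        set action deny", '        set schedule "always"',
              '        set service "ALL"', "        set logtraffic all", "    next", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    offenders = sqli_sources(SAMPLE_LOGS)
    print(fortios_blocklist_config(offenders, ["web-vip"]))
```

Two things the script cannot do for you: `edit 0` appends the policy at the bottom of the table, so after pasting it you must drag it above the VIP allow policy in the GUI (or `move <new-id> before <vip-policy-id>` under `config firewall policy`). And the deny matches only because its destination is the VIP object itself; in my experience a deny policy with destination `all` does not catch VIP traffic unless `set match-vip enable` is set on it, which is the usual reason a "topmost block rule" appears to do nothing.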
Thanks Bernardo
It's obvious now you point it out. I've just tested it and it's working well.
Thanks for your help.
Andre
You can also configure a blackhole for the IP of the attacker:
config router static
    edit 0
        set blackhole enable
        set comment "Threat-IP-Detect"
        set distance 100
        set dst XXX.XXX.XXX.XXX 255.255.255.255
    next
end
Leandro Vilela
Brazil-Brasilia
Hi,
Another way to do it is to have your IPS profile quarantine the IP address of the attacker. You can choose the individual action of the signature, so you can set Quarantine for the injection. Just be sure you don't have false positives, because you will block legitimate traffic. Since IPS is not a WAF, it might have more false positives. Be careful.
It is always a good thing to have your system kick out bad guys, because maybe you catch this attack but the next one will pass and harm you. As soon as someone is playing with you, kick him out!