
Blocking a known malicious actor


Overview

This guide demonstrates how to prevent malicious IP addresses from accessing web servers using Argus. In this example, Apache web servers are set up on Ubuntu and Windows machines, and attempts to connect are made from a Red Hat Enterprise Linux (RHEL) machine acting as the attacker.

A public IP reputation database is used to identify and block malicious actors. The RHEL machine’s IP address is added to this database, and Argus is configured to block the malicious IP for 60 seconds. This setup leverages Argus’s CDB list and Active Response features to deter malicious activity effectively.

System Setup

Endpoint Roles

RHEL 9.0 – Simulates an attacker. Its IP is flagged as malicious using Argus’s CDB list capability.

Ubuntu 22.04 – Hosts an Apache web server. Argus’s Active Response is used to block connections from malicious actors.

Windows 11 – Hosts an Apache web server. Argus’s Active Response is used to block connections from malicious actors.

Step-by-Step Instructions

Setting up the Ubuntu Web Server

1. Install Apache:

2. Enable Web Access Through Firewall:

3. Verify Apache is Running:

4. Test the Web Server:

   Use a browser or curl command:

5. Monitor Logs with Argus Agent:

   Add this to /var/ossec/etc/ossec.conf :

6. Restart Argus Agent:

Configuring the Windows Web Server

Install Apache

1. Install Visual C++ Redistributable.

2. Download and extract the Apache ZIP installer.

3. Copy the Apache24 folder to the root of the C: drive.

4. Start Apache using an administrator PowerShell terminal:

   .\httpd.exe

5. Allow firewall access and verify by opening http://<WINDOWS_IP> in a browser.

Configure Argus Agent

1. Edit ossec.conf in the agent’s directory:

2. Restart the agent:

Argus Manager Setup

Configuring CDB List

1. Install wget:

2. Download IP Reputation Database:

3. Add Attacker IP:

4. Convert IP List to CDB Format:

5. Set File Permissions:
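As an added illustration of steps 2 to 4 (not code from the original guide or from Argus itself), the script below turns a downloaded reputation feed plus a manually appended attacker address into the key:value text from which a CDB list is built, and mimics the srcip lookup a rule performs against it. The feed line layout (ip#reliability#risk#activity) and the sample addresses are constructed for this example and are assumptions.

```python
"""Build a CDB-format IP list from a reputation feed and look up source IPs."""
import ipaddress

# Constructed sample feed: documentation-range addresses, one duplicate,
# one malformed row, and a bare attacker IP appended by hand (as in step 3).
SAMPLE_FEED = """\
# comment line from the feed
203.0.113.45#6#4#Scanning Host
198.51.100.7#4#2#Malicious Host
not-an-ip#1#1#Garbage
203.0.113.45#6#4#Scanning Host
192.0.2.77
"""


def parse_feed(text):
    """Return {ip: comment} for every valid, unique IPv4 address in the feed."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("#")
        try:
            ip = str(ipaddress.IPv4Address(fields[0].strip()))
        except ipaddress.AddressValueError:
            continue  # skip malformed rows instead of poisoning the list
        comment = fields[3].strip() if len(fields) > 3 else "manually added"
        entries.setdefault(ip, comment)  # first occurrence wins on duplicates
    return entries


def to_cdb_text(entries):
    """Render entries as 'key:value' lines, the text form a CDB list is compiled from."""
    return "".join(f"{ip}:{comment}\n" for ip, comment in sorted(entries.items()))


def is_listed(srcip, entries):
    """Exact-key lookup, the check a rule makes when it tests srcip against the list."""
    try:
        return str(ipaddress.IPv4Address(srcip)) in entries
    except ipaddress.AddressValueError:
        return False


if __name__ == "__main__":
    cdb = parse_feed(SAMPLE_FEED)
    print(to_cdb_text(cdb), end="")
    print(is_listed("192.0.2.77", cdb), is_listed("192.0.2.78", cdb))
```

Write the rendered text to the list file referenced from ossec.conf, then rebuild the compiled list and restart the manager as in step 5 and the Active Response section.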

Setting Up Active Response

1. Define Rules in local_rules.xml:

2. Link the CDB List in ossec.conf:

3. Configure Active Response for Ubuntu:

4. Configure Active Response for Windows:

5. Restart Argus Manager:

Testing the Setup

1. From the RHEL machine, access the web servers:

2. Verify that initial connections succeed but subsequent attempts are blocked for 60 seconds.

Viewing Alerts

1. Access the Argus dashboard.

2. Navigate to Threat Hunting and search:

   – Ubuntu: rule.id:(651 OR 100100)

   – Windows: rule.id:(657 OR 100100)
