
BanMoron - a tool to actively protect the WEB-server from hacking



- Probably about the blockchain again, just in profile this time?

- And here you guessed wrong! This time there is nothing about the blockchain, nor about Emercoin! After all, we have the right to do something besides the main project!


This time we wrote a utility to protect a web server from the ubiquitous script kiddies who constantly try to upload an exploit to a website and gain unauthorized access to the server, so that they can later use your site for all kinds of indecent acts. This utility is called BanMoron, and it is discussed below.

BanMoron is a small program (its source is shorter than the text of this article), written in C and designed to effectively counter attempts to hack a web server through the standard vulnerabilities of web systems such as WordPress, phpMyAdmin and the like.


The algorithm of the program is simple:

  1. The program is installed under the web server as the handler for the 404 error (page not found). That is, a hacker's attempt to access a nonexistent page or script launches this program.

  2. After launch, the program analyzes the client request string (REQUEST_URI) and looks in it for pattern substrings that correspond to attempts to access particular resources used for hacking the system (such as setup.php).

  3. If a pattern substring is found, the program invokes the countermeasure module associated with that pattern. If no pattern is found, the program simply outputs a standard page containing the 404 error text.

The following countermeasure modules are currently implemented:


  1. ban_moron_pf - adds the client's IP address to the pf firewall blocking table. As a result, the hacker's IP is blacklisted and all requests from it are ignored. To keep the list from growing without bound, IPs from which no connection attempts have been made to the server for the last 3 days are deleted daily. Removal is done by a command from crontab; an example of one for pf is given in the file pf.crontab.

  2. zip_bomb - responds to the request with a ZIP bomb: an endless data stream that looks like a heavily compressed HTML file with infinitely nested tables. It is intended to exhaust the attacking machine's resources and disable the attacking script. Unfortunately, at present this has low effectiveness, since a look at the source code of the malware shows that it uses CURL heavily, which simply does not unpack the compressed stream. But for those who like to fetch a bitcoin wallet manually with a browser, this thing still works.

  3. zip_ban - a combination of the first two. It first sends the zip bomb and then bans the IP.

The program was designed with a modular approach, which makes it easy to add both new rule patterns and new countermeasure modules.


The program itself is lightweight: the binary takes only 6 kilobytes (probably everyone has already forgotten about program sizes like that) and requires only one shared library, libc. Thus, with it in use, no degradation of web server performance is observed compared to serving a static 404 HTML page.


To improve performance, the comparison of the REQUEST_URI string against the rule patterns uses the Rabin-Karp algorithm, which compares the string against a set of patterns in a single pass, in O(N). Universal hashing makes it practically impossible to craft a specially chosen REQUEST_URI string that degrades the efficiency of the hash function.
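As an added illustration (not BanMoron's own code), here is a minimal 404 handler in C that applies the approach described above: it reads REQUEST_URI, runs a one-pass multi-pattern Rabin-Karp match over a rule table, and returns the name of the countermeasure module to run. The rule table (only setup.php and the module names come from the article) and the fixed hash multiplier are assumptions; the real tool randomises the multiplier (universal hashing) so an attacker cannot precompute colliding URIs.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed rule table (example only, not BanMoron's real rule set):
 * a URI substring and the countermeasure module it triggers. */
struct rule { const char *pattern; const char *action; };
static const struct rule rules[] = {
    { "setup.php",    "zip_ban" },
    { "wp-login.php", "ban_moron_pf" },
    { "phpmyadmin",   "ban_moron_pf" },
};
#define NRULES (sizeof rules / sizeof rules[0])
#define BASE 257ULL   /* fixed here; BanMoron randomises the multiplier (universal hashing) */
#define MOD  1000000007ULL

static uint64_t hash_prefix(const char *s, size_t m) {   /* polynomial hash of s[0..m) */
    uint64_t h = 0;
    for (size_t i = 0; i < m; i++) h = (h * BASE + (unsigned char)s[i]) % MOD;
    return h;
}

/* One pass over uri: the rolling hash of each m-byte window (m = shortest pattern) is
 * compared with the hash of every pattern's first m bytes; only hash hits are confirmed
 * with a full compare. Returns the module for the leftmost match, or NULL if none fires. */
const char *match_rules(const char *uri) {
    size_t m = strlen(rules[0].pattern), n = strlen(uri);
    uint64_t ph[NRULES], pw = 1, h;
    for (size_t r = 1; r < NRULES; r++) if (strlen(rules[r].pattern) < m) m = strlen(rules[r].pattern);
    for (size_t r = 0; r < NRULES; r++) ph[r] = hash_prefix(rules[r].pattern, m);
    if (n < m) return NULL;
    for (size_t i = 1; i < m; i++) pw = pw * BASE % MOD;         /* BASE^(m-1) */
    h = hash_prefix(uri, m);
    for (size_t i = 0; ; i++) {
        for (size_t r = 0; r < NRULES; r++)   /* strncmp stops at uri's NUL, so no overread */
            if (h == ph[r] && strncmp(uri + i, rules[r].pattern, strlen(rules[r].pattern)) == 0)
                return rules[r].action;
        if (i + m >= n) break;
        h = (h + MOD - (unsigned char)uri[i] * pw % MOD) % MOD;  /* drop uri[i] */
        h = (h * BASE + (unsigned char)uri[i + m]) % MOD;        /* add uri[i+m] */
    }
    return NULL;
}

int main(void) {   /* as a 404 handler, the web server passes the request in REQUEST_URI */
    const char *uri = getenv("REQUEST_URI"), *action = uri ? match_rules(uri) : NULL;
    printf("Status: 404 Not Found\r\nContent-Type: text/plain\r\n\r\n%s\n",
           action ? action : "Not Found");   /* the real tool would run the module here */
    return 0;
}
```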


Below are answers to common questions:


- Why is the program called BanMoron?
- Because, as the name implies, the main purpose of the program is to keep all morons away from working servers, so that, God forbid, they do not break anything.


- Why do you call hackers morons?
- Because these "hackers" are morons. They take a ready-made script that someone once wrote, and they do not even bother to vary it a little; they lack the wits for that. And the structure of the requests shows which script is being used. It invites a direct analogy with the street "activists" who find a piece of rebar somewhere and then smash the windows on the first floor. The intellectual level of both classes is about the same.

- And why is your program better than fail2ban?
- Fail2ban takes a different approach. It is a constantly running process (daemon) that monitors the logs, finds an activity pattern in them, and then bans the corresponding IP. For fail2ban to react, it must detect activity, that is, process multiple requests.

Considering that Apache buffers writes to the log, and reading from the log is far from instantaneous, fail2ban has a response delay of a few seconds. In addition, several 404 events must occur before fail2ban can detect activity and react. Meanwhile, the exploit developers do not sit idly by either, and versions are already appearing that make many parallel requests to the victim, probably precisely in order to get the exploit in before fail2ban reacts. In addition, fail2ban is a script in an interpreted language, so the Python interpreter is constantly kept in memory, which adds neither speed nor resource savings. BanMoron runs only at the moment when something needs to be done and does not hold system resources all the time. And it bans the hacker on his very first request. Top efficiency!

- Why is your program written in C?
- There are several reasons:

  1. Raising privileges through the setuid bit works only for a binary program. For an interpreted script, the setuid bit is ignored. And it is needed to raise privileges from www to root in order to add an IP to the morons' ban table.
  2. A compiled binary is the simplest thing to run and does not drag in the launch of an interpreter, which in turn drags in a pile of shared libraries.
  3. C is the classic language on all OSes, and it is certainly present everywhere.

- Why are the rules hard-coded directly into the program? Perhaps they should be moved out to a config file?
- And then how does one tell the program where to get that config? The web server provides no way to pass a configuration parameter "of its own" to the program. One could, of course, bring mod_rewrite into play and pass the parameter through QUERY_STRING, or do something of that kind. But such a solution seems to us "sprawling" in terms of administration and ineffective at runtime. After all, it would be necessary to read .htaccess, run mod_rewrite, rewrite the line, then the program has to open the file and read it... In general, the situation resembles the reaction of the admiral in the movie "Hot Shots!": turn the aircraft carrier around, my cap blew overboard, pick it up. It does not seem worth it to us.

- Why is some pf used as the firewall?
- Because the program was developed on FreeBSD, where the default firewall is precisely pf, which suits us completely. If you want the program to work with iptables or some other firewall of yours, write the appropriate modules (a handler and example configs), make a pull request on GitHub, and we will accept your contribution to the common cause. Humanity will be grateful to you.


- Where and on what terms can I get the BanMoron program?
- You can download it from Emercoin's GitHub repository and use it free of charge, since the program is open source and distributed under the BSD license.

Source: https://habr.com/ru/post/335300/
