/web-shield

A simple and extremely effective firewall against 90+% of most web attack vectors

Primary LanguageShell

|\     /|(  ____ \(  ___ \      (  ____ \|\     /|\__   __/(  ____ \( \      (  __  \
| )   ( || (    \/| (   ) )     | (    \/| )   ( |   ) (   | (    \/| (      | (  \  )
| | _ | || (__    | (__/ /_____ | (_____ | (___) |   | |   | (__    | |      | |   ) |
| |( )| ||  __)   |  __ ((_____)(_____  )|  ___  |   | |   |  __)   | |      | |   | |
| || || || (      | (  \ \            ) || (   ) |   | |   | (      | |      | |   ) |
| () () || (____/\| )___) )     /\____) || )   ( |___) (___| (____/\| (____/\| (__/  )
(_______)(_______/|/ \___/      \_______)|/     \|\_______/(_______/(_______/(______/

Your first line of WEB defense against Internet bots, hacks and probes.

This is an IP-based blacklist of known sources for unsavory activity.  If you run a
legit web site that has no business serving bad actors, this will come in very handy.

If you run a web site where you don't want automated scripts that aren't serving YOUR
purposes, this will come in very handy.

If you don't need people using VPNs on your site (the lion's share of VPN activity are
attempts to hack/probe web sites), this will come in very handy.

Yea, yea, people say blacklists don't work.  They're wrong.  They do work.  Better than
most other systems. You can't hack what you can't reach, and if you're not doing any
web business with Chinese or Russian cloud providers, or some central American hosting
company that's checking for Wordpress vulnerabilities, or dozens of web spiders that have
no respect for robots.txt and are secretly copying your web site, or a cheap eastern 
European VPS company that accepts anonymous clients and crypto payments...

...why TF should they have access?

THAT'S why you should use Web-Shield.

A great stand alone filter, or compliment to the wonderful active 
firewall: Fail2Ban, that will make F2B even more efficient.

Also see our sister product: Login-Shield (https://github.com/DPsystems/Login-Shield

by Dark Phiber, 2019-2022 - dolson803@@gmail.com

# WHAT?
# =====

Web-Shield is a set of scripts that implements a traffic filter 
of your web server ports.

You may ask yourself, why and how should I bother filtering traffic
to my web sites?  I want as much traffic as possible, right?

Well, no, not really.  There are a lot of traffic that just wastes
bandwidth and exploits your system and content, and actively tries
to find vulnerabilities and ways into your system.  You do NOT 
want that.

If you want true, organic, real users visiting your web server, 
and not web scrapers, system probe scripts, and other automated
hacking scripts that do everything from register fake users to 
exploit forms for spamming, this is the system for you.

We also have identified certain hostile web spiders that you can
block. These are either private corporate data collection systems
or search engine bots that disregard robots.txt designations
and collect data that will likely never be of benefit to you.

Our blacklist is intended to be a specifically targetted IPv4-based blacklist
of major groups of Internet locations that are notorious for housing
the lion's share of nefarious HOSTING OPERATIONS that 99.9% of the time
have NO BUSINESS WHATSOEVER crawling your web site.

In addition to this, there are some optional blacklists that are a 
little more aggressive in filtering common spiders and userspace that
is filled with fraud and activity that is unlikely to be of benefit.

This system can by used by itself or (ideally) in association with
more precise anti-hacking systems like Login-Shield and Fail2Ban.  
With this large net in place, it reduces the resources Fail2Ban needs 
to only dealing with mostly local attacks from IP space you might not 
want to ban wholesale.

Types of IP space that is in the Web-Shield blacklist:

1.	Mainly overseas hosting/cloud space - NOT user IP space
2.	VPNs and commonly used TOR exit nodes that are cloud hosted
3.	A small group of foreign user IP space that typically isn't
        legitimate web traffic.  

The general rule for Web-Shield is:  

 If the traffic is coming from another server, and is not a real
 person, we don't want it.  The exceptions are spiders for common
 search engines, and important sites like Let's Encrypt which 
 needs to handshake with your server to verify and deploy SSL
 certificates.   

 We also avoid any of the large cloud providers like AWS and
 Cloudflare.  It's too hit-and-miss messing with them, and we
 don't want some legitiamte automated systems being blocked.

 We DO block a number of low-end, high-volume US hosting IP 
 space like: Colocrossing, Digital Ocean, etc.  This space is
 notorious for having compromised computers that try to hack and
 probe other systems.

It is recommended that if you have some of the mass-market cloud
provider servers needing to hit your server, you whitelist those
specific IPs.


However, the Web-Shield blacklist specifically includes VPN PROVIDERS!  

If you want to stop people who are using VPNs from accessing your
web site, Web-Shield can do that.  If you don't have a specific 
need to entertain VPN-based traffic we recommend you block it.

In our analysis, the vast majority of hack/attack vectors are
coming from VPN space.  


# WHY?
# ====

Every time a site is compromised, there's a chance lists of usernames
and passwords are leaked.  Hackers will take these lists and try to
find other systems that use these same credentials. If they can gain
access they can completely ruin your day (or year).  They will often
try to login to e-mail clients, ftp accounts, ssh services, etc.  
These system probes are now becoming even more sophisticated, and able
to recognize Fail2Ban trigger conditions and work around them.  Our
system stops approximately 90% of the attacks on most servers.

# HOW?
# ====

Web-shield is a very small set of IPTABLES rules that is designed
to block access primarily to web ports.

## See the file INSTALL for installation instructions

## See the file VERSION for version and developer notes

## See the files CHANGELOG or VERSION for information on changes and program versions and developer notes

# ADDITIONAL NOTES
# ================

Specific systems web-shield is blocking - add your thoughts as to whether or not this is appropriate?

* Petalbot - a very aggressive Asian web crawler

* Awario.com - a commercial service that lets companies know if their products are being talked about
               on social media - presumably so they can do damage control

* semrush.com - another commercial service and private "business intelligence service" that probably
                only benefits other companies and not yours

* censys.com - another private, corporate audit of web space, presumably to "manage attack space",
               supposedly a "white hat database of vulnerable sites" which obviously makes a great
               target for black hat ops, so we don't want to be in their system.