nginx 1.15.2 開始支援單一 Port 多服務...

nginx 的新功能,單一 port 支援多服務:「Running SSL and Non-SSL Protocols over the Same Port with NGINX 1.15.2」,最常見的還是混搭 SSH 了:

One key feature in this release is the new $ssl_preread_protocol variable, which allows you to distinguish between SSL/TLS and other protocols when forwarding traffic using a TCP (stream) proxy. This is useful if you want to avoid firewall restrictions by (for example) running SSL/TLS and SSH services on the same port.

雖然 L7 firewall 還是可以看出來 (並且擋下),但簡易的 firewall 就可以用這個方式穿過去了...

macOS 上管制對外連線的 LuLu

看到「LuLu」這個軟體,可以在 macOS 上管制對外連線:

LuLu is the free open-source macOS firewall that aims to block unknown outgoing connections, unless explicitly approved by the user.

需要 10.12+ 的版本,目前阻擋的畫面長這樣 (目前還是 alpha 版):

這類產品讓我想到大學時還有在用的防火牆軟體... XD

程式碼在 objective-see/LuLu 這邊,軟體授權用了少見的 CC BY-NC 4.0 授權,由於限制商業使用,這不算是 open source license (雖然產品頁面上這樣宣稱)。有空來找看看有沒有替代品好了...

AWS WAF 提供隨時更新的 Managed Rules

AWS WAF 推出了隨時更新的 Managed Rule:「Ready-to-Use Managed Rules Now Available on AWS WAF」。

這些 ruleset 是由 3rd-party 提供的:

Choose from preconfigured RuleGroups provided in the AWS Marketplace by industry leading security experts: Alert Logic, Fortinet, Imperva, Trend Micro and TrustWave.


Rules are automatically updated as new threats emerge and offer a wide range of protections, including OWASP Top 10 mitigations, bad-bot defenses, and virtual patching against recent CVE’s.


Each RuleGroup is the product of a Seller’s unique expertise, made available to you at an affordable pay-as-you-go price.

AWS Marketplace 的「Managed Rules for AWS WAF - Web Application Firewall」裡拿兩家來看看。

趨勢的「Trend Micro Managed Rules for AWS WAF - WebServer (Apache, Nginx)」與「Trend Micro Managed Rules for AWS WAF - Content Management System (CMS)」都是:

Charge per month in each available region (pro-rated by the hour) $5.00 / unit
Charge per million requests in each available region $0.20 / unit

Imperva 則是提供不一樣的選擇,在「Imperva - Managed Rules for WordPress Protection on AWS WAF」是:

Charge per month in each available region (pro-rated by the hour) $30.00 / unit
Charge per million requests in each available region $0.60 / unit

而「Imperva - Managed Rules for IP Reputation on AWS WAF」則是:

Charge per month in each available region (pro-rated by the hour) $40.00 / unit
Charge per million requests in each available region $0.40 / unit

AWS WAF 支援 Regex (PCRE)

首先是 AWS WAF 支援 Regex 了:「AWS WAF Now Supports Regular Expressions (Regex)」。

而且是以 PCRE 版本為主:

AWS WAF supports most of the standard Perl Compatible Regular Expressions (PCRE).

這樣設定變得方便很多啊,大家都算熟 regex,而且也夠強大...

另外一個公告是 AWS WAF 可以將地區的當條件進行設定了:「AWS WAF Now Supports Geographic Match」。

除了針對某些地區擋掉或是開放以外,也可以針對不同地區設定 rate limit。當條件設定就是了... 將要關閉 FTP 服務 將關閉 FTP 服務:「Shutting down FTP services」。

三月將關閉,而 12 月將關閉。現在透過 HTTP 更新已經是主流了,對於 firewall 設定與 cache 都有比較好的支援。

Cisco 與 Fortinet 防火牆的 RCE 漏洞

NSA 使用這些漏洞來大量監聽企業的流量:「Leaked Exploits are Legit and Belong to NSA: Cisco, Fortinet and Snowden Docs Confirm」。

Cisco 已經確認這個安全性漏洞了,全系列包括已經停產的 Cisco PIX、上個世代的 Cisco ASA 5500 (但還有些型號還在賣),以及目前主力的 Cisco ASA 5500-X,另外還包括了安全模組系列也中獎:「Cisco Adaptive Security Appliance SNMP Remote Code Execution Vulnerability」。

  • Cisco ASA 5500 Series Adaptive Security Appliances
  • Cisco ASA 5500-X Series Next-Generation Firewalls
  • Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
  • Cisco ASA 1000V Cloud Firewall
  • Cisco Adaptive Security Virtual Appliance (ASAv)
  • Cisco Firepower 4100 Series
  • Cisco Firepower 9300 ASA Security Module
  • Cisco Firepower Threat Defense Software
  • Cisco Firewall Services Module (FWSM)*
  • Cisco Industrial Security Appliance 3000
  • Cisco PIX Firewalls*


Cisco Firewall Service Modules and Cisco PIX Firewalls have passed the last day of software support milestone as stated in the published End of Life (EoL) documents. Further investigations into these devices will not be performed, and fixed software will not be made available.

這次 Cisco 的安全性問題是 SNMP 的洞造成的:

Administrators are advised to allow only trusted users to have SNMP access and to monitor affected systems using the snmp-server host command.

這個洞被 NSA 用來寫 exploit 植入系統:

This flaw was included inside two NSA exploits, dubbed EPICBANANA as well as JETPLOW, which is an enhanced version of EPICBANANA, but with better persistence capabilities, Cisco's Omar Santos said in a blog post.

在 NSA 洩漏出來的文件裡可以看到 ace02468bdf13579 這個特殊辨識字串,而在受感染的樣本上也找到了這個痕跡:

而且不只是 Cisco,其他幾家也中獎了,可以參考「The NSA Leak Is Real, Snowden Documents Confirm」這邊更多的資訊 @_@

DigitalOcean 提供 Floating IP 功能

DigitalOcean 推出的新功能,可以註冊 IP 並且動態掛到某個 droplet 上:「Floating IPs: Start Architecting Your Applications for High Availability」。

如果沒有掛到 droplet 上會收取 USD$0.006/hour 的費用,以一個月 720 小時來計算,大約是 USD$4.32/month。另外也限制在同一個 data center 內才能換來換去。

類似的功能在 Linode 很久前就有了 (2007 年底),雖然不是完全一樣:「Support for High Availability / IP Failover」,但 Amazon EC2 的 Elastic IP 功能幾乎就相同了,在 2008 年初開放:「New EC2 Features: Static IP Addresses, Availability Zones, and User Selectable Kernels」,所以只能算是補產品線,把大家都有的功能實作出來...

以往只能用 DNS 做 High Availability 的,現在可以用這種方法做,使得 downtime 可以更低。另外這樣做也可以架設 proxy server,使得對外的 IP 不變,讓 firewall 設定變得單純。

AWS WAF (Web Application Firewall)

Amazon 推出了 AWS WAF,也就是 Web Application Firewall:「New – AWS WAF」。

架構在 CloudFront 上的安全服務,可以想像到會依照 request 數量收費外,rule 本身也要收費,不太便宜的感覺:

AWS WAF is available today anywhere CloudFront is available. Pricing is $5 per web ACL, $1 per rule, and $0.60 per million HTTP requests.

這個收費標準看起來不像是會把 ModSecurity 預設的 rule 丟進去養... 不過 WAF 主要是用在對軟體主體沒有修改能力時的替代方案 (沒有 source code,或是線上服務緊急需要防堵),以這個角度來看的話好像還好?

另外一點也許可以找人問問看,WAF 不是設計在 ELB 上,算是策略考量嗎?

用 Intel 網卡上的 Flow Director 過濾封包

在「Traffic filtration using NIC capabilities on wire speed (10GE, 14Mpps)」這邊看到的技巧。

作者建議另外安裝 driver,因為 Linux kernel 內的 driver 功能有限:「Intel Ethernet Drivers and Utilities」。

重點在 ethtool 這個工具,可以看到條件設定:

ethtool --help:
        ethtool -N|-U|--config-nfc|--config-ntuple DEVNAME    Configure Rx network flow classification options or rules
        rx-flow-hash tcp4|udp4|ah4|esp4|sctp4|tcp6|udp6|ah6|esp6|sctp6 m|v|t|s|d|f|n|r... |
        flow-type ether|ip4|tcp4|udp4|sctp4|ah4|esp4
            [ src %x:%x:%x:%x:%x:%x [m %x:%x:%x:%x:%x:%x] ]
            [ dst %x:%x:%x:%x:%x:%x [m %x:%x:%x:%x:%x:%x] ]
            [ proto %d [m %x] ]
            [ src-ip %d.%d.%d.%d [m %d.%d.%d.%d] ]
            [ dst-ip %d.%d.%d.%d [m %d.%d.%d.%d] ]
            [ tos %d [m %x] ]
            [ l4proto %d [m %x] ]
            [ src-port %d [m %x] ]
            [ dst-port %d [m %x] ]
            [ spi %d [m %x] ]
            [ vlan-etype %x [m %x] ]
            [ vlan %x [m %x] ]
            [ user-def %x [m %x] ]
            [ action %d ]
            [ loc %d]] |
        delete %d

看起來 stateless 的過濾可以在上面做...

m0n0wall 的終結

m0n0wall 算是元老級的 firewall 套件,看到「End of the m0n0wall project」這個消息還是有點感慨啊...

有很多類似的 project 興起取代掉了 m0n0wall 的位置 (像是 pfSense),這讓我想到前陣子 esr 在「Defending GCC considered futile」提到 GCC 的沒落時講的話:

Obsolescence happens; this is nobody's fault. It will happen to clang/LLVM someday, too, but today is not that day.