How can the SKUDONET WAF be configured to block emails from disallowed domains? We have a registration form on our websites and we don't want to allow Outlook, Gmail and other domains.
Good day. I assume your webpage is using a form with two fields, email and password; commonly this form information is sent by POST, so:
Create a simple file in the SKUDONET Open Source Load Balancer web GUI, lateral menu, IPDS > WAF > Files, with some descriptive name. In my test I have used this file:
https://github.com/MattKetmo/EmailChecker/blob/master/res/throwaway_domains.txt
Copy the content and create a Data file with the name throwaway_domains. By default a file with the name throwaway_domains.data is generated in the path /usr/local/skudonet/config/ipds/waf/sets/
Now create a WAF file with type "Ruleset" in the lateral menu, IPDS > WAF > Files, with a descriptive name reject-bad-email-domains and the following content:
SecRuleEngine on
SecDefaultAction "pass,log,auditlog,logdata:'client:%{REMOTE_ADDR}',phase:1"
SecDefaultAction "pass,log,auditlog,logdata:'client:%{REMOTE_ADDR}',phase:2"
SecDefaultAction "pass,log,auditlog,logdata:'client:%{REMOTE_ADDR}',phase:3"
SecDefaultAction "pass,log,auditlog,logdata:'client:%{REMOTE_ADDR}',phase:4"
SecRule ARGS.email "@pmFromFile throwaway_domains.data" \
    "id:99200000,\
    phase:2,\
    deny,\
    t:none,t:cmdLine,\
    msg:'SKUDONET Bad domains in form',\
    logdata:'Received Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    ver:'skd-v1.0'"
The rule is described below:
SKUDONET WAF will check the POST field named email in phase 2 (Request Body) against the content of the file throwaway_domains.data; if there is a match, a deny is replied and information is added to the syslog /var/log/syslog.
id: select a number between 99,200,000 and 99,209,999; this range is reserved for SKUDONET by ModSecurity.
ARGS.email: the name of the form field in which the email we want to protect is sent.
throwaway_domains.data: the file where the disallowed domains are saved.
deny: the default action if the rule is triggered.
Save the rule; a new rule with the name reject-bad-email-domains will be shown in IPDS > WAF > Rulesets. Select the rule and apply a Start action, then go to the farm that you want to protect, tab IPDS, search for this new rule and apply it to the farm to start protecting.
Check the rule with the following curl:
curl https://FARM_IP/ -k -X POST --form 'email=user@30wave.com'
SKUDONET WAF replied forbidden.
If the rule is triggered, the SKUDONET logs in /var/log/syslog show something like this:
2024-11-30T12:30:39.300144+01:00 skdce701 pound: proxy, [WAF,service local, backend 192.168.1.145:443,] (7f3bf5fbe6c0) [client 192.168.1.145] SKUDONET ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `PmFromFile' with parameter `throwaway_domains.data' against variable `ARGS:email' (Value: `user@30wave.com' ) [file "/usr/local/skudonet/config/ipds/waf/sets/reject-bad-email-domains.conf"] [line "13"] [id "99200000"] [rev ""] [msg "Bad domains in form"] [data "Received Data: found within ARGS:email: user@30wave.com"] [severity "0"] [ver "skdv1.0"] [maturity "0"] [accuracy "0"] [hostname "192.168.1.136"] [uri "/"] [unique_id "173296623978.462650"] [ref "o5,10v270,15t:cmdLine"]
2024-11-30T12:30:39.301323+01:00 skdce701 pound: proxy, service local, backend 192.168.1.145:443, (7f3bf5fbe6c0) WAF denied a request from 192.168.1.145
Any change in throwaway_domains.data requires a restart of the rule, but this restart doesn't affect production.
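As an added example (not part of the original answer or of SKUDONET), the following Python emulates what the @pmFromFile rule above does with ARGS:email, so a domain list can be checked offline before the ruleset is started on a farm. It assumes the documented pmFromFile file format (one phrase per line, "#" comments and blank lines ignored, case-insensitive substring matching) and uses a constructed sample list, not the real throwaway_domains.txt; the stricter domain_match function is an alternative check for comparison, not something the rule performs.

```python
import re
from typing import List, Optional

# Constructed sample in the pmFromFile data-file format (not the real list).
SAMPLE_DATA_FILE = """\
# constructed sample of throwaway_domains.data
30wave.com
mailinator.com

yopmail.com
"""


def load_pm_phrases(text: str) -> List[str]:
    """Parse a pmFromFile data file: one phrase per line,
    '#' comment lines and blank lines are skipped."""
    phrases = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        phrases.append(line.lower())
    return phrases


def pm_match(value: str, phrases: List[str]) -> Optional[str]:
    """@pm semantics: case-insensitive substring search over the whole
    field value. Returns the phrase that matched, or None."""
    lowered = value.lower()
    for phrase in phrases:
        if phrase in lowered:
            return phrase
    return None


def domain_match(value: str, phrases: List[str]) -> Optional[str]:
    """Stricter alternative (not what the rule does): exact match on the
    part after the last '@', so 'example.com' in the list does not also
    hit 'user@notexample.com' or 'user@example.com.evil.test'."""
    m = re.fullmatch(r"[^@\s]+@([^@\s]+)", value.strip())
    if not m:
        return None
    domain = m.group(1).lower()
    return domain if domain in phrases else None


def waf_decision(email: str, phrases: List[str]) -> int:
    """HTTP status the deny rule would produce: 403 on a match, else 200."""
    return 403 if pm_match(email, phrases) else 200
```

Because @pm is a substring operator, a listed domain also matches when it appears inside a longer address; run both functions over your own list to see which entries behave differently.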