UPDATE! With the NetScaler password spraying attacks, I have added methods to block without IPREP, and a list of subnets from which I have seen compromised devices taking part. Also, info on how to gather data from NetScaler Console and sort it in Excel for easier visibility.
So while enabling some new features on my NetScalers in my lab I noticed I was getting just HAMMERED with attacks. I set up some basic IP Reputation blocks with logging so I can see the bad actors. And let me tell you, there were a lot. This code is a simple security feature you can easily enable globally on your NetScalers with Premium licensing. Pair this with my location-based blocking examples and you can effectively silo off your environment from unwanted visitors.
enable ns feature Rep AppFw RESPONDER
add policy dataset Allow_list1 ipv4
add policy dataset Block_list1 ipv4
add audit messageaction IPREP_OR_BLOCKLIST WARNING "CLIENT.IP.SRC + \" was dropped because they are listed in either the IPREP Database or on the NetScaler Blocklist\"" -logtoNewnslog YES
add appfw policy Ip_Rep_Policy "((CLIENT.IP.SRC.IPREP_IS_MALICIOUS || CLIENT.IP.SRC.TYPECAST_TEXT_T.CONTAINS_ANY(\"Block_list1\")) && ! (CLIENT.IP.SRC.TYPECAST_TEXT_T.CONTAINS_ANY(\"Allow_list1\")))" APPFW_BLOCK -logAction IPREP_OR_BLOCKLIST
Just PuTTY into your NetScalers and copy and paste the above code to be secured. This also checks the datasets, so you can block additional IP addresses, or relax connectivity for any address that might accidentally be on the Reputation Block List. I have seen that happen when customer subnets of Internet Service Providers get flagged as malicious because of viruses or botnets.
If your client DOESN’T have Premium licensing, you can use the following code to use just the BLOCK and ALLOW lists to restrict access to your site from compromised sources.
enable ns feature AppFw RESPONDER
add policy dataset Allow_list1 ipv4
add policy dataset Block_list1 ipv4
add audit messageaction IPREP_OR_BLOCKLIST WARNING "CLIENT.IP.SRC + \" was dropped because they are listed in either the IPREP Database or on the NetScaler Blocklist\"" -logtoNewnslog YES
add appfw policy Ip_Rep_Policy "((CLIENT.IP.SRC.TYPECAST_TEXT_T.CONTAINS_ANY(\"Block_list1\")) && ! (CLIENT.IP.SRC.TYPECAST_TEXT_T.CONTAINS_ANY(\"Allow_list1\")))" APPFW_BLOCK -logAction IPREP_OR_BLOCKLIST
To enable this for every VIP on the NetScaler, you can bind this globally.
bind appfw global Ip_Rep_Policy 100 END -type REQ_DEFAULT
To enable it for just certain VIPs, bind it as an AppFw policy on the desired VIPs instead.
The following IP subnets are from ISPs that have many compromised devices, which I have taken to blocking. If you do have an individual user in these ranges, you can place them in the ALLOW list and that single IP will be able to get through.
bind policy dataset Block_list1 104.207.32.0 -endRange 104.207.63.255
bind policy dataset Block_list1 154.214.1.0 -endRange 154.214.1.255
bind policy dataset Block_list1 156.228.100.0 -endRange 156.228.119.255
bind policy dataset Block_list1 156.228.124.0 -endRange 156.228.125.255
bind policy dataset Block_list1 156.228.76.0 -endRange 156.228.99.255
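As an added example (not NetScaler code and not from the original post), the following Python models the decision the Ip_Rep_Policy expression makes, so you can check which client addresses would be dropped before binding the policy. It uses the block ranges from the bind commands above, a hypothetical allow-list entry sitting inside one of those ranges, and a helper that turns a CIDR into the start/-endRange form that `bind policy dataset` expects.

```python
import ipaddress

# Block ranges copied from the bind commands above, as (start, end) tuples
BLOCK_RANGES = [
    ("104.207.32.0", "104.207.63.255"),
    ("154.214.1.0", "154.214.1.255"),
    ("156.228.100.0", "156.228.119.255"),
    ("156.228.124.0", "156.228.125.255"),
    ("156.228.76.0", "156.228.99.255"),
]

# Hypothetical allow-list entry: one legitimate user inside a blocked ISP range
ALLOW_RANGES = [
    ("156.228.80.17", "156.228.80.17"),
]


def in_ranges(ip, ranges):
    """True if ip falls inside any inclusive (start, end) range."""
    addr = ipaddress.ip_address(ip)
    return any(
        ipaddress.ip_address(start) <= addr <= ipaddress.ip_address(end)
        for start, end in ranges
    )


def would_block(ip, iprep_malicious=False,
                block_ranges=BLOCK_RANGES, allow_ranges=ALLOW_RANGES):
    """Mirror the policy expression:
    (IPREP_IS_MALICIOUS || in Block_list1) && !(in Allow_list1).
    iprep_malicious stands in for the IPREP database verdict, which only
    exists on Premium-licensed boxes; pass False for the non-Premium variant."""
    if in_ranges(ip, allow_ranges):
        return False  # allow list always wins, as in the expression
    return iprep_malicious or in_ranges(ip, block_ranges)


def cidr_to_bind(dataset, cidr):
    """Emit the bind command for a CIDR, since many ISP ranges are published that way."""
    net = ipaddress.ip_network(cidr, strict=False)
    return (f"bind policy dataset {dataset} {net.network_address}"
            f" -endRange {net.broadcast_address}")


if __name__ == "__main__":
    for candidate in ("104.207.40.1", "156.228.80.17", "156.228.80.18", "8.8.8.8"):
        print(candidate, "blocked" if would_block(candidate) else "allowed")
    print(cidr_to_bind("Block_list1", "104.207.32.0/19"))
```

Run it with a list of your own users' egress addresses before binding the policy globally; any that come back "blocked" belong in Allow_list1.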
To find IP addresses and ranges that are attacking you, enable Gateway Insight with Analytics on your NetScaler Console, and then access the following location to see these attacks.
You can export a report from here in tabular CSV format and then process it in Excel. First I sort the entire list to show only the “User not found” entries. I then use the following Advanced Filter against the Client IP Address field.
Then, once you have the shortened list, use the following formula to count the entries for each IP.
=COUNTIF(X:X,AJ2)
This gives you a good idea of how many times an IP is failing the login.
It’s very easy to tell if someone is being blocked by this IP range, as they will receive a message like this in their browser.
Also, within NetScaler Console you can view the syslog messages that are generated when IPs are blocked by these policies. You can filter the log down to just WARNING messages and then search for IPREP or a client’s specific IP address in the message field. This is helpful if you need to ALLOW a single IP from a range that you have in the BLOCK list.
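The same filter-and-COUNTIF step can be scripted when the export is large. The following Python is an added example, not part of the original post or of NetScaler Console; it parses a constructed sample of the CSV export (the column names "Client IP Address" and "Failure Reason" are assumptions, so adjust COL_IP and COL_REASON to match your export), keeps only the "User not found" rows, counts failures per client IP, and also rolls the counts up to /24 networks so that an ISP range with many distinct sources stands out as a candidate for Block_list1.

```python
import csv
import io
import ipaddress
from collections import Counter

# Constructed sample of a Gateway Insight CSV export; headers are assumptions
SAMPLE_CSV = """Client IP Address,User Name,Failure Reason,Time
104.207.40.12,admin,User not found,10:00:01
104.207.40.12,jsmith,User not found,10:00:02
104.207.40.12,test,User not found,10:00:03
156.228.80.200,sales,User not found,10:00:04
156.228.81.9,hr,User not found,10:00:05
203.0.113.5,bob,Invalid credentials,10:00:06
203.0.113.5,bob,User not found,10:00:07
"""

COL_IP = "Client IP Address"      # assumed header of the client IP column
COL_REASON = "Failure Reason"     # assumed header of the failure reason column
FILTER_REASON = "User not found"  # the entries the post filters on


def count_failures(csv_text, reason=FILTER_REASON):
    """Equivalent of the Excel filter plus =COUNTIF(X:X,AJ2):
    number of rows per client IP whose failure reason matches."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row[COL_REASON].strip() == reason:
            counts[row[COL_IP].strip()] += 1
    return counts


def group_by_prefix(counts, prefixlen=24):
    """Roll per-IP counts up to networks so ISP ranges become visible."""
    nets = Counter()
    for ip, n in counts.items():
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        nets[str(net)] += n
    return nets


def top_offenders(csv_text, limit=10):
    """Most frequently failing client IPs, highest count first."""
    return count_failures(csv_text).most_common(limit)


if __name__ == "__main__":
    per_ip = count_failures(SAMPLE_CSV)
    for ip, n in per_ip.most_common():
        print(f"{ip:<18} {n}")
    print("--- by /24 ---")
    for net, n in group_by_prefix(per_ip).most_common():
        print(f"{net:<20} {n}")
```

Feed it the real export with `count_failures(open("export.csv").read())`; the /24 roll-up is what tells you whether a single host or a whole ISP customer block is behind the failures, which decides between a single dataset entry and an -endRange bind.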