I have 2 virtual machines (VMware ESXi 6).
They are both openSUSE 42.3 (Tumbleweed):
- Firewall (iptables, ipset, dhcpd, DNS only)
- Mail/web server (Apache, Dovecot, Postfix)
The web server cannot communicate with the firewall, except that traffic passes through it to reach the mail/web server.
The firewall has a block list of IP addresses that it automatically adds to. However, it is relatively simple and does not decode SMTP, IMAP, HTTP, or HTTPS. The second VM has its own protections for the aforementioned services and has its own block list.
Now assume someone compromised my mail server: they could easily delete my block list, etc., but only from the mail server.
How do I have the mail/web server send its block list to the firewall in real time without breaking the separation between the DMZ and everything else (or at least breaking it as little as possible)?
I don't want to use an external service, like uploading to the cloud, since they could DDoS me and the list would be inaccessible.
I thought about setting up a 3rd VM as an intermediary (private, but on a shared subnet with separate network cards), but if they compromise the web server, what is to stop them from breaking into the intermediary machine and then the firewall? If I did this, what kind of protections can I implement to verify that a hacker isn't sending their own data through my channel (a buffer overflow or similar attack) instead of just the block list?
How you determine which IPs should get blocked:
Generally, any bad behavior. For example, all Apache error calls have been tied to a PHP script. The PHP script logs the details to MySQL. Eventually, I will have a full-fledged scoring system in place. Each invalid thing you do increases your score, and certain things have higher scores.
For how long? Threshold-based, but eventually forever. Score 100 points, or whatever, and goodbye forever.
How do you add the rules? ipset add bad_guys 1.2.3.4
If I feel generous I will add timeout ###### to that.
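One way to answer the "how do I verify a hacker isn't sending their own data through my channel" part, as an added example that is not code from the post above: a constrained receiver on the firewall side. It assumes the mail/web server pushes one request per line in the exact shape "block <ipv4>" over a one-way channel (serial line, socket or file drop; how the bytes arrive is left open), that the target set is the bad_guys set named in the post, that the script runs on the firewall with just enough privilege to execute ipset add on that one set, and that PROTECTED_NETWORKS is filled in with the real LAN and management ranges (the RFC 1918 ranges below are placeholders). Every line that is not exactly that shape is dropped with a reason and never interpreted further, the address is re-parsed with the ipaddress module rather than trusted as a string, ipset is invoked as an argv list with no shell, and the per-batch cap plus the protected-range check bound what a compromised sender can do: it can add entries to one set, but it cannot delete or flush anything and cannot lock out your own networks.

```python
"""Constrained receiver for a one-way "block this IP" channel (added example).

Assumed message format from the DMZ host: one ASCII line per request,
exactly "block A.B.C.D". Everything else is rejected and logged, not parsed.
"""
import ipaddress
import re
import subprocess
from typing import Iterable, List, Optional, Tuple

IPSET_NAME = "bad_guys"       # the set named in the post
MAX_LINE_LEN = 64             # "block " + a 15-char dotted quad + newline fits easily
MAX_ADDS_PER_BATCH = 100      # assumption: bounds what a rogue sender can push per batch

# Assumption: ranges the DMZ host must never be able to block (own LAN,
# management hosts, loopback). Replace with the real networks.
PROTECTED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]

# The only accepted shape: literal "block", one space, a dotted quad. fullmatch()
# means trailing garbage ("; rm -rf /") can never ride along.
LINE_RE = re.compile(r"block (\d{1,3}(?:\.\d{1,3}){3})")


def vet_line(raw: bytes) -> Tuple[Optional[str], str]:
    """Return (address, "ok") for an acceptable request, else (None, reason)."""
    if len(raw) > MAX_LINE_LEN:
        return None, "oversize"
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None, "not ascii"
    m = LINE_RE.fullmatch(text.rstrip("\r\n"))
    if m is None:
        return None, "bad shape"
    try:
        addr = ipaddress.IPv4Address(m.group(1))   # rejects octets > 255 etc.
    except ValueError:
        return None, "not an IPv4 address"
    if (addr.is_multicast or addr.is_loopback or addr.is_link_local
            or addr.is_unspecified or addr.is_reserved
            or any(addr in net for net in PROTECTED_NETWORKS)):
        return None, "protected address"
    return str(addr), "ok"


def plan_batch(lines: Iterable[bytes]) -> Tuple[List[str], List[Tuple[bytes, str]]]:
    """Vet a batch: unique accepted addresses (capped) plus rejected lines with reasons."""
    accepted: List[str] = []
    rejected: List[Tuple[bytes, str]] = []
    for raw in lines:
        addr, reason = vet_line(raw)
        if addr is None:
            rejected.append((raw, reason))
        elif addr in accepted:
            rejected.append((raw, "duplicate"))
        elif len(accepted) >= MAX_ADDS_PER_BATCH:
            rejected.append((raw, "batch limit"))
        else:
            accepted.append(addr)
    return accepted, rejected


def ipset_argv(addr: str) -> List[str]:
    """The ipset command as an argv list: no shell, so input is never interpreted."""
    return ["ipset", "add", IPSET_NAME, addr, "-exist"]   # -exist: no error on repeats


def apply_batch(lines: Iterable[bytes]) -> List[str]:
    """Vet, log rejects, and run `ipset add` only for vetted addresses."""
    accepted, rejected = plan_batch(lines)
    for raw, reason in rejected:
        print("rejected %r: %s" % (raw, reason))
    for addr in accepted:
        subprocess.run(ipset_argv(addr), check=True)
    return accepted


# Constructed sample input (not real traffic), shaped like what a compromised
# sender might try to push through the channel.
SAMPLE_LINES = [
    b"block 1.2.3.4\n",                 # the post's own example: accepted
    b"block 1.2.3.4\n",                 # duplicate: accepted only once
    b"block 192.168.1.10\n",            # protected range: rejected
    b"block 999.1.1.1\n",               # not an address: rejected
    b"block 1.2.3.4; rm -rf /\n",       # trailing junk: rejected, never interpreted
    b"unblock 5.6.7.8\n",               # unknown verb: rejected
    b"block " + b"9" * 200 + b"\n",     # oversize: rejected before parsing
    b"block 203.0.113.7\n",             # accepted
]

if __name__ == "__main__":
    would_add, dropped = plan_batch(SAMPLE_LINES)   # dry run; apply_batch() would call ipset
    print("would add:", would_add)
    for line, why in dropped:
        print("rejected %r: %s" % (line, why))
```

Run it as shown for a dry run; call apply_batch() on the firewall once the protected ranges are real. Pair it with an ipset timeout if you want entries to age out, and keep the allowlist check even then: a compromised DMZ host blocking your own management address is the cheapest denial of service it could buy.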