Firewall Rule Writing
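# IPTABLES (Linux)
# iptables evaluates a chain top to bottom and the first matching rule wins,
# so the order below is deliberate: loopback/established first, then the
# detect-and-drop rules, then the service ACCEPTs, and the default DROP policy
# last. Setting the policy to DROP before the ESTABLISHED rule exists locks a
# remote admin out of the session that is running this script.
set -eu

readonly attacker_ip=${ATTACKER_IP:-185.220.101.45}   # address to block
readonly ssh_admin_net=${SSH_ADMIN_NET:-10.0.0.0/8}   # only this range may SSH

# Block a specific attacking IP:
iptables -A INPUT -s "$attacker_ip" -j DROP

# Loopback must always be accepted or local services stop talking to each other.
iptables -A INPUT -i lo -j ACCEPT
# Return traffic for our own connections. '-m conntrack --ctstate' is the
# current form of the deprecated '-m state --state'.
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Packets that do not belong to any tracked connection are dropped early.
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

# Log and drop NULL scans (TCP packets with no flags set). These sit before
# the port ACCEPT rules: appended after them, a NULL packet to port 80 would
# be accepted by the HTTP rule and never reach the LOG rule.
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j LOG --log-prefix "NULL SCAN: "
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

# Block SQL injection / path traversal patterns in plaintext HTTP (basic).
# Again placed before the port 80 ACCEPT so they actually get evaluated;
# --icase makes the match case-insensitive. Payload string matching is a
# coarse filter only: it cannot inspect TLS on 443 and misses encoded
# variants, so treat it as defence in depth behind a WAF, not a replacement.
iptables -A INPUT -p tcp --dport 80 -m string --string "UNION SELECT" --algo bm --icase -j DROP
iptables -A INPUT -p tcp --dport 80 -m string --string "../etc/passwd" --algo bm --icase -j DROP

# Rate limiting (brute force protection): more than 4 new SSH connections
# from one source within 60 s are dropped. This must precede the SSH ACCEPT
# rule; appended after it, the ACCEPT matches first and the limiter never
# fires. The named 'ssh' list keeps this counter separate from other
# '-m recent' users on the host.
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name ssh --set
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name ssh --update --seconds 60 --hitcount 4 -j DROP

# Allowed services:
iptables -A INPUT -p tcp --dport 80 -j ACCEPT  # HTTP
iptables -A INPUT -p tcp --dport 443 -j ACCEPT # HTTPS
iptables -A INPUT -p tcp --dport 22 -s "$ssh_admin_net" -j ACCEPT # SSH internal only

# Default-deny everything else. Done last so that if any rule above fails
# under 'set -e' the host is left with its previous policy, not a blank DROP.
iptables -P INPUT DROP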
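# AWS SECURITY GROUPS (cloud equivalent):
# Security groups are stateful: return traffic for an allowed inbound
# connection is permitted automatically, so there is no ESTABLISHED rule.
readonly sg_id=${SG_ID:-sg-xxx}                    # sg-xxx is a placeholder; set SG_ID
readonly office_cidr=${OFFICE_CIDR:-203.0.113.0/32} # /32 = exactly one address

# Allow HTTPS from anywhere. The --ip-permissions form is used instead of
# --protocol/--port/--cidr because it lets each rule carry a Description,
# which is what the next person auditing the group in the console will read.
aws ec2 authorize-security-group-ingress --group-id "$sg_id" \
  --ip-permissions "IpProtocol=tcp,FromPort=443,ToPort=443,IpRanges=[{CidrIp=0.0.0.0/0,Description='HTTPS from anywhere'}]"
# Allow SSH from office IP only:
aws ec2 authorize-security-group-ingress --group-id "$sg_id" \
  --ip-permissions "IpProtocol=tcp,FromPort=22,ToPort=22,IpRanges=[{CidrIp=$office_cidr,Description='SSH from office'}]"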
# NGINX rate limiting:
# limit_req_zone belongs in the http {} context. It keys on the client
# address ($binary_remote_addr), keeps the counters in a 10 MB shared memory
# zone named "login", and allows 5 requests per minute per address.
# NOTE(review): if nginx sits behind a load balancer or proxy,
# $binary_remote_addr is the proxy's address and every client shares one
# bucket — confirm the real-IP configuration before relying on this.
limit_req_zone $binary_remote_addr zone=login:10m rate=5r/m;
# limit_req goes inside the server {} block. burst=10 admits up to 10
# requests above the steady rate; nodelay serves that burst immediately
# instead of spacing it out. Requests beyond the burst are rejected
# (HTTP 503 unless limit_req_status changes it).
location /login {
limit_req zone=login burst=10 nodelay;
}