Re: IPtables rules to block by symbolic host name, not IP ?
From: Chris Lowth (please@no.spam)
Date: 04/22/03
- Next message: ALIEN: "TCPA FOR LINUX"
- Previous message: Chris Lowth: "Re: deleting files with linux"
- In reply to: Kasper Dupont: "Re: IPtables rules to block by symbolic host name, not IP ?"
- Next in thread: Kasper Dupont: "Re: IPtables rules to block by symbolic host name, not IP ?"
- Reply: Kasper Dupont: "Re: IPtables rules to block by symbolic host name, not IP ?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Chris Lowth <please@no.spam> Date: Tue, 22 Apr 2003 15:13:05 +0100
Kasper Dupont wrote:
> Somebody wrote:
>>
>> The following lines kill off the various windows attacks that I know of:
>> iptables -A INPUT -m string --string 'default.ida' -p tcp --dport 80 -j DROP
>> iptables -A INPUT -m string --string 'winnt' -p tcp --dport 80 -j DROP
>> iptables -A INPUT -m string --string 'root.exe' -p tcp --dport 80 -j DROP
>> iptables -A INPUT -m string --string 'vti_inf' -p tcp --dport 80 -j DROP
>
> Sounds like a very bad piece of advice. The TCP connection has been
> established, you are going to get quite some retries and stalling
> connections. And you might as well have false positives if the strings
> are eventually used in legitimate requests. Using
> "-j REJECT --reject-with tcp-reset" might be a better choice, but I
> guess you are only breaking the connection on the client side. The
> server will probably still have a stalled connection.
>
Since these attacks are Windows/IIS related ones and you are using a Linux
server (I assume: apache), why not positively ALLOW the attacks - and
provide CGI scripts called "default.ida", "root.exe" and so on, and arrange
for them to set up an iptables rule to block the address on the fly (block
the SYN only, so that the current connection can terminate quietly).
Or: script a parse of the log files (that's what I do). A few lines of perl
can be used to build iptables rules to block IPs that consistently access
certain URLs.
Alternatively - consider that these attacks can't harm you and simply ignore
them (you can even tell apache not to log such URLs).
Chris
-- My real address is: chris at lowth dot sea oh em -> OpenSource e-mail virus protection : http://protector.sourceforge.net -> iptables configuration wizards : http://www.lowth.com/LinWiz
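The log-parsing approach Chris describes, as an added example that is not his perl script and not part of the original thread. It assumes Apache "combined" log format, uses a constructed sample of log lines (not real traffic), and matches the URL substrings named in the thread only against the request path, so the same text appearing in a User-Agent or Referer header (the false-positive case Kasper raises) does not count. IPs that hit those paths at least `threshold` times get a rule that drops only the SYN of new connections to port 80, so connections already in flight close normally. The threshold value and the chain/port parameters are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed Apache "combined" log lines for the example (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [22/Apr/2003:14:01:02 +0100] "GET /default.ida?XXXX HTTP/1.0" 404 287 "-" "-"
10.0.0.5 - - [22/Apr/2003:14:01:03 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 291 "-" "-"
10.0.0.5 - - [22/Apr/2003:14:01:04 +0100] "GET /_vti_inf.html HTTP/1.0" 404 290 "-" "-"
192.0.2.9 - - [22/Apr/2003:14:02:10 +0100] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
192.0.2.9 - - [22/Apr/2003:14:02:11 +0100] "GET /default.ida HTTP/1.1" 404 287 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Apr/2003:14:03:00 +0100] "GET /winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 295 "-" "-"
203.0.113.7 - - [22/Apr/2003:14:03:01 +0100] "GET /winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 295 "-" "-"
"""

# URL substrings from the thread. They are compared against the request path
# only, not the whole log line, so a match in Referer/User-Agent is not counted.
SUSPECT_PATTERNS = ("default.ida", "winnt", "root.exe", "vti_inf")

# Apache combined format: client - user [time] "METHOD PATH PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def count_suspect_hits(log_text):
    """Return a Counter of client IP -> number of requests for suspect paths."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-matching line, ignore
        path = m.group("path").lower()
        if any(p in path for p in SUSPECT_PATTERNS):
            counts[m.group("ip")] += 1
    return counts


def offenders(counts, threshold):
    """IPs with at least `threshold` suspect hits, validated as IP literals.

    The validation matters because these values come from an untrusted log
    and end up inside a shell command line.
    """
    result = []
    for ip, n in counts.items():
        if n < threshold:
            continue
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # never pass a non-IP token to iptables
        result.append(ip)
    return sorted(result)


def iptables_rules(ips, chain="INPUT", port=80):
    """Build one DROP rule per IP that matches only the SYN of new connections.

    Using --syn (rather than dropping every packet) lets an established
    connection finish instead of stalling, which is the point Chris makes.
    """
    return [
        f"iptables -A {chain} -s {ip} -p tcp --dport {port} --syn -j DROP"
        for ip in ips
    ]


if __name__ == "__main__":
    # Assumed threshold: two suspect hits from one IP is enough to block it.
    hits = count_suspect_hits(SAMPLE_LOG)
    for rule in iptables_rules(offenders(hits, threshold=2)):
        print(rule)
```

In production the script would read the live access log (or a rotated copy) rather than the embedded sample, and the generated rules should go into a dedicated chain that is flushed and rebuilt on each run so the block list does not grow without bound.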