Solved

iptables to block high level domain access for webdav worm hosts.

Posted on 2004-04-08
2
958 Views
Last Modified: 2012-08-14
Guys,

I'm new to iptables, so need your help.
Like many over the last few weeks, my apache access log file has grown considerably due to an IIS webdav worm. I know that this is harmless as I run on SuSE9.0. However it is proving an annoyance to any monitoring of my logfiles. So I have stripped out the addresses from the access.log file (I have my logs revolved monthly by cronolog) with:

OUTPUT=/usr/local/bin/block_list.txt
INPUT=/var/log/httpd/200?/*/access.log

cat $INPUT |sed -e '/x90/!d' |awk -F " - - " '{print $1}' > $OUTPUT

As most of the worm hit come from my ISP domain I want to block all of the range. So the results I'm typically seeing are:

host217-42-254-237.range217-42.btcentralplus.com
218.95.191.148
218.85.183.10
host217-42-205-223.range217-42.btcentralplus.com
host217-42-111-83.range217-42.btcentralplus.com
cp259378-a.landg1.lb.home.nl
host217-42-37-97.range217-42.btcentralplus.com
host217-42-17-177.range217-42.btcentralplus.com
host217-42-42-47.range217-42.btcentralplus.com
host217-42-200-189.range217-42.btcentralplus.com
host217-42-110-154.range217-42.btcentralplus.com

So a block of anything beneath 217.42 would work best. At least this will drop most of the offenders, and I can deal with the rest with an answer with was posted here eariler:

#!/bin/bash
if [ -f block_list.txt ]
then
        for BAD_IP in `cat block_list.txt`
        do
                iptables -D INPUT -s $BAD_IP -j DROP
        done
else
        echo "Can't read block_list.txt"
fi

if [ -f block_list.txt ]
then
        for BAD_IP in `cat block_list.txt`
        do
                iptables -A INPUT -s $BAD_IP -j DROP
        done
else
        echo "Can't read block_list.txt"
fi

Otherwise, I know these accesses are all SEARCH based. I Have my apache locked down to respond only to GET and POST (with limit, LimitExcept etc..), but these still get through. Is there anyway to completely block SEARCH?

Many thanks for your help

Da Prof
0
Comment
Question by:prof666
2 Comments
 
LVL 9

Accepted Solution

by:
Alf666 earned 130 total points
ID: 10783087
You could use the ipt_string matching module, but it might be a little intensive for your kernel.

iptables -I INPUT -j DROP -p tcp -s 0.0.0.0/0 --dport 80 -m string --string "SEARCH"
0
 
LVL 6

Author Comment

by:prof666
ID: 10783395
Will try that one out...and post results. Have also Modified it to block CONNECT as well.

Thx
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

​Being a Managed Services Provider (MSP) has presented you  with challenges in the past— and by meeting those challenges you’ve reaped the rewards of success.  In 2014, challenges and rewards remain; but as the Internet and business environment evol…
Fine Tune your automatic Updates for Ubuntu / Debian
This tutorial gives a high-level tour of the interface of Marketo (a marketing automation tool to help businesses track and engage prospective customers and drive them to purchase). You will see the main areas including Marketing Activities, Design …
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question