Solved

iptables to block high level domain access for webdav worm hosts.

Posted on 2004-04-08
2
969 Views
Last Modified: 2012-08-14
Guys,

I'm new to iptables, so need your help.
Like many over the last few weeks, my apache access log file has grown considerably due to an IIS webdav worm. I know that this is harmless as I run on SuSE9.0. However it is proving an annoyance to any monitoring of my logfiles. So I have stripped out the addresses from the access.log file (I have my logs revolved monthly by cronolog) with:

OUTPUT=/usr/local/bin/block_list.txt
INPUT=/var/log/httpd/200?/*/access.log

cat $INPUT |sed -e '/x90/!d' |awk -F " - - " '{print $1}' > $OUTPUT

As most of the worm hit come from my ISP domain I want to block all of the range. So the results I'm typically seeing are:

host217-42-254-237.range217-42.btcentralplus.com
218.95.191.148
218.85.183.10
host217-42-205-223.range217-42.btcentralplus.com
host217-42-111-83.range217-42.btcentralplus.com
cp259378-a.landg1.lb.home.nl
host217-42-37-97.range217-42.btcentralplus.com
host217-42-17-177.range217-42.btcentralplus.com
host217-42-42-47.range217-42.btcentralplus.com
host217-42-200-189.range217-42.btcentralplus.com
host217-42-110-154.range217-42.btcentralplus.com

So a block of anything beneath 217.42 would work best. At least this will drop most of the offenders, and I can deal with the rest with an answer with was posted here eariler:

#!/bin/bash
if [ -f block_list.txt ]
then
        for BAD_IP in `cat block_list.txt`
        do
                iptables -D INPUT -s $BAD_IP -j DROP
        done
else
        echo "Can't read block_list.txt"
fi

if [ -f block_list.txt ]
then
        for BAD_IP in `cat block_list.txt`
        do
                iptables -A INPUT -s $BAD_IP -j DROP
        done
else
        echo "Can't read block_list.txt"
fi

Otherwise, I know these accesses are all SEARCH based. I Have my apache locked down to respond only to GET and POST (with limit, LimitExcept etc..), but these still get through. Is there anyway to completely block SEARCH?

Many thanks for your help

Da Prof
0
Comment
Question by:prof666
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 9

Accepted Solution

by:
Alf666 earned 130 total points
ID: 10783087
You could use the ipt_string matching module, but it might be a little intensive for your kernel.

iptables -I INPUT -j DROP -p tcp -s 0.0.0.0/0 --dport 80 -m string --string "SEARCH"
0
 
LVL 6

Author Comment

by:prof666
ID: 10783395
Will try that one out...and post results. Have also Modified it to block CONNECT as well.

Thx
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

BIND is the most widely used Name Server. A Name Server is the one that translates a site name to it's IP address. There is a new bug in BIND (https://kb.isc.org/article/AA-01272), affecting all versions of BIND 9 from BIND 9.1.0 (inclusive) thro…
Fine Tune your automatic Updates for Ubuntu / Debian
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…
If you’ve ever visited a web page and noticed a cool font that you really liked the look of, but couldn’t figure out which font it was so that you could use it for your own work, then this video is for you! In this Micro Tutorial, you'll learn yo…

729 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question