• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1001
  • Last Modified:

iptables to block high level domain access for webdav worm hosts.

Guys,

I'm new to iptables, so need your help.
Like many over the last few weeks, my apache access log file has grown considerably due to an IIS webdav worm. I know that this is harmless as I run on SuSE9.0. However it is proving an annoyance to any monitoring of my logfiles. So I have stripped out the addresses from the access.log file (I have my logs revolved monthly by cronolog) with:

OUTPUT=/usr/local/bin/block_list.txt
INPUT=/var/log/httpd/200?/*/access.log

cat $INPUT |sed -e '/x90/!d' |awk -F " - - " '{print $1}' > $OUTPUT

As most of the worm hit come from my ISP domain I want to block all of the range. So the results I'm typically seeing are:

host217-42-254-237.range217-42.btcentralplus.com
218.95.191.148
218.85.183.10
host217-42-205-223.range217-42.btcentralplus.com
host217-42-111-83.range217-42.btcentralplus.com
cp259378-a.landg1.lb.home.nl
host217-42-37-97.range217-42.btcentralplus.com
host217-42-17-177.range217-42.btcentralplus.com
host217-42-42-47.range217-42.btcentralplus.com
host217-42-200-189.range217-42.btcentralplus.com
host217-42-110-154.range217-42.btcentralplus.com

So a block of anything beneath 217.42 would work best. At least this will drop most of the offenders, and I can deal with the rest with an answer with was posted here eariler:

#!/bin/bash
if [ -f block_list.txt ]
then
        for BAD_IP in `cat block_list.txt`
        do
                iptables -D INPUT -s $BAD_IP -j DROP
        done
else
        echo "Can't read block_list.txt"
fi

if [ -f block_list.txt ]
then
        for BAD_IP in `cat block_list.txt`
        do
                iptables -A INPUT -s $BAD_IP -j DROP
        done
else
        echo "Can't read block_list.txt"
fi

Otherwise, I know these accesses are all SEARCH based. I Have my apache locked down to respond only to GET and POST (with limit, LimitExcept etc..), but these still get through. Is there anyway to completely block SEARCH?

Many thanks for your help

Da Prof
0
prof666
Asked:
prof666
1 Solution
 
Alf666Commented:
You could use the ipt_string matching module, but it might be a little intensive for your kernel.

iptables -I INPUT -j DROP -p tcp -s 0.0.0.0/0 --dport 80 -m string --string "SEARCH"
0
 
prof666Author Commented:
Will try that one out...and post results. Have also Modified it to block CONNECT as well.

Thx
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Protect Your Employees from Wi-Fi Threats

As Wi-Fi growth and popularity continues to climb, not everyone understands the risks that come with connecting to public Wi-Fi or even offering Wi-Fi to employees, visitors and guests. Download the resource kit to make sure your safe wherever business takes you!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now