?
Solved

iptables to block high level domain access for webdav worm hosts.

Posted on 2004-04-08
2
Medium Priority
?
987 Views
Last Modified: 2012-08-14
Guys,

I'm new to iptables, so need your help.
Like many over the last few weeks, my apache access log file has grown considerably due to an IIS webdav worm. I know that this is harmless as I run on SuSE9.0. However it is proving an annoyance to any monitoring of my logfiles. So I have stripped out the addresses from the access.log file (I have my logs revolved monthly by cronolog) with:

OUTPUT=/usr/local/bin/block_list.txt
INPUT=/var/log/httpd/200?/*/access.log

cat $INPUT |sed -e '/x90/!d' |awk -F " - - " '{print $1}' > $OUTPUT

As most of the worm hit come from my ISP domain I want to block all of the range. So the results I'm typically seeing are:

host217-42-254-237.range217-42.btcentralplus.com
218.95.191.148
218.85.183.10
host217-42-205-223.range217-42.btcentralplus.com
host217-42-111-83.range217-42.btcentralplus.com
cp259378-a.landg1.lb.home.nl
host217-42-37-97.range217-42.btcentralplus.com
host217-42-17-177.range217-42.btcentralplus.com
host217-42-42-47.range217-42.btcentralplus.com
host217-42-200-189.range217-42.btcentralplus.com
host217-42-110-154.range217-42.btcentralplus.com

So a block of anything beneath 217.42 would work best. At least this will drop most of the offenders, and I can deal with the rest with an answer with was posted here eariler:

#!/bin/bash
if [ -f block_list.txt ]
then
        for BAD_IP in `cat block_list.txt`
        do
                iptables -D INPUT -s $BAD_IP -j DROP
        done
else
        echo "Can't read block_list.txt"
fi

if [ -f block_list.txt ]
then
        for BAD_IP in `cat block_list.txt`
        do
                iptables -A INPUT -s $BAD_IP -j DROP
        done
else
        echo "Can't read block_list.txt"
fi

Otherwise, I know these accesses are all SEARCH based. I Have my apache locked down to respond only to GET and POST (with limit, LimitExcept etc..), but these still get through. Is there anyway to completely block SEARCH?

Many thanks for your help

Da Prof
0
Comment
Question by:prof666
2 Comments
 
LVL 9

Accepted Solution

by:
Alf666 earned 520 total points
ID: 10783087
You could use the ipt_string matching module, but it might be a little intensive for your kernel.

iptables -I INPUT -j DROP -p tcp -s 0.0.0.0/0 --dport 80 -m string --string "SEARCH"
0
 
LVL 6

Author Comment

by:prof666
ID: 10783395
Will try that one out...and post results. Have also Modified it to block CONNECT as well.

Thx
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

​Being a Managed Services Provider (MSP) has presented you  with challenges in the past— and by meeting those challenges you’ve reaped the rewards of success.  In 2014, challenges and rewards remain; but as the Internet and business environment evol…
BIND is the most widely used Name Server. A Name Server is the one that translates a site name to it's IP address. There is a new bug in BIND (https://kb.isc.org/article/AA-01272), affecting all versions of BIND 9 from BIND 9.1.0 (inclusive) thro…
Loops Section Overview
With just a little bit of  SQL and VBA, many doors open to cool things like synchronize a list box to display data relevant to other information on a form.  If you have never written code or looked at an SQL statement before, no problem! ...  give i…
Suggested Courses
Course of the Month13 days, 16 hours left to enroll

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question