Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

iptables to block high level domain access for webdav worm hosts.

Posted on 2004-04-08
2
962 Views
Last Modified: 2012-08-14
Guys,

I'm new to iptables, so need your help.
Like many over the last few weeks, my apache access log file has grown considerably due to an IIS webdav worm. I know that this is harmless as I run on SuSE9.0. However it is proving an annoyance to any monitoring of my logfiles. So I have stripped out the addresses from the access.log file (I have my logs revolved monthly by cronolog) with:

OUTPUT=/usr/local/bin/block_list.txt
INPUT=/var/log/httpd/200?/*/access.log

cat $INPUT |sed -e '/x90/!d' |awk -F " - - " '{print $1}' > $OUTPUT

As most of the worm hit come from my ISP domain I want to block all of the range. So the results I'm typically seeing are:

host217-42-254-237.range217-42.btcentralplus.com
218.95.191.148
218.85.183.10
host217-42-205-223.range217-42.btcentralplus.com
host217-42-111-83.range217-42.btcentralplus.com
cp259378-a.landg1.lb.home.nl
host217-42-37-97.range217-42.btcentralplus.com
host217-42-17-177.range217-42.btcentralplus.com
host217-42-42-47.range217-42.btcentralplus.com
host217-42-200-189.range217-42.btcentralplus.com
host217-42-110-154.range217-42.btcentralplus.com

So a block of anything beneath 217.42 would work best. At least this will drop most of the offenders, and I can deal with the rest with an answer with was posted here eariler:

#!/bin/bash
if [ -f block_list.txt ]
then
        for BAD_IP in `cat block_list.txt`
        do
                iptables -D INPUT -s $BAD_IP -j DROP
        done
else
        echo "Can't read block_list.txt"
fi

if [ -f block_list.txt ]
then
        for BAD_IP in `cat block_list.txt`
        do
                iptables -A INPUT -s $BAD_IP -j DROP
        done
else
        echo "Can't read block_list.txt"
fi

Otherwise, I know these accesses are all SEARCH based. I Have my apache locked down to respond only to GET and POST (with limit, LimitExcept etc..), but these still get through. Is there anyway to completely block SEARCH?

Many thanks for your help

Da Prof
0
Comment
Question by:prof666
2 Comments
 
LVL 9

Accepted Solution

by:
Alf666 earned 130 total points
ID: 10783087
You could use the ipt_string matching module, but it might be a little intensive for your kernel.

iptables -I INPUT -j DROP -p tcp -s 0.0.0.0/0 --dport 80 -m string --string "SEARCH"
0
 
LVL 6

Author Comment

by:prof666
ID: 10783395
Will try that one out...and post results. Have also Modified it to block CONNECT as well.

Thx
0

Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Hello EE, Today we will learn how to send all your network traffic through Tor which is useful to get around censorship and being tracked all together to a certain degree. This article assumes you will be using Linux, have a minimal knowledge of …
BIND is the most widely used Name Server. A Name Server is the one that translates a site name to it's IP address. There is a new bug in BIND (https://kb.isc.org/article/AA-01272), affecting all versions of BIND 9 from BIND 9.1.0 (inclusive) thro…
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question