[Firewall] Possible to Block POST Attacks by User Agent String?
lists at aewne.net
Fri Sep 13 08:10:28 CEST 2013
On 12.09.2013 19:24, Gene Cooper wrote:
> Hi folks,
> Our web server is under an attack by a botnet with this string showing
> up in the Apache access log (from many IP addresses):
> Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
> Can anyone clue me in as to how we might block this attack?
> Thanks in advance,
I imagine you can use something along the lines of:
iptables -t raw -A PREROUTING -m string --algo bm --string "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" -j DROP
Or, based on what's being posted to:
iptables -t raw -A PREROUTING -m string --algo bm --string "POST /path/script.cgi HTTP/1.0" -j DROP
Provided that you have xtables-addons.
I haven't tested it as I don't have access to any running webservers at
the moment, but I've used something similar for filtering torrents based
on their headers before. That being said, I don't know if this would
help mitigate the attack though.
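
Added example, not part of the original post: a shell check to run over the Apache access log before deploying either rule, listing which client IPs send this User-Agent per request method, so it is visible what a User-Agent-only DROP would also block. The log lines are constructed (combined log format, documentation IP ranges) and the function names `sample_log` and `ua_hits` are hypothetical.

```shell
#!/bin/sh
# Exact User-Agent string quoted in the original question.
UA='Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)'

# Constructed sample in Apache "combined" log format (not real traffic).
sample_log() {
cat <<'EOF'
192.0.2.10 - - [12/Sep/2013:19:01:02 +0200] "POST /path/script.cgi HTTP/1.0" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
192.0.2.10 - - [12/Sep/2013:19:01:03 +0200] "POST /path/script.cgi HTTP/1.0" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
198.51.100.7 - - [12/Sep/2013:19:01:03 +0200] "POST /path/script.cgi HTTP/1.0" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
203.0.113.5 - - [12/Sep/2013:19:02:10 +0200] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
203.0.113.9 - - [12/Sep/2013:19:02:11 +0200] "POST /path/script.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:23.0) Gecko/20100101 Firefox/23.0"
EOF
}

# ua_hits METHOD
# Reads a combined-format log on stdin and prints "count ip", highest first,
# for requests that carry exactly $UA and use the given HTTP method.
# Splitting on '"' gives: $1 = client/ident/user/date, $2 = request line,
# $6 = User-Agent. Lines with escaped quotes in the request or referer
# shift these fields and are not counted.
ua_hits() {
  awk -F'"' -v ua="$UA" -v method="$1" '
    $6 == ua {
      split($1, pre, " ")      # pre[1] is the client IP
      split($2, req, " ")      # req[1] is the HTTP method
      if (req[1] == method) n[pre[1]]++
    }
    END { for (ip in n) print n[ip], ip }
  ' | sort -rn
}

echo "POST requests carrying the User-Agent:"
sample_log | ua_hits POST
echo "GET requests carrying the same User-Agent (a UA-only DROP hits these too):"
sample_log | ua_hits GET
```

Against a live server, feed the real access log to `ua_hits` on stdin instead of `sample_log`.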