[Firewall] Possible to Block POST Attacks by User Agent String?

Gene Cooper gcooper at sonoracomm.com
Fri Sep 13 19:06:54 CEST 2013


Alex,

Thanks again for the tips.

After determining that xtables-addons is not available for CentOS 5, I 
dug into it a bit and I didn't see why your suggested commands would not 
work.

So I just tried the first one (User Agent string) verbatim from the 
command line and it seems to work perfectly.

Now I have to add it to Arno's FW (though I have never tried adding 
custom commands to AFW before).

THANKS!

G

On 09/13/2013 09:30 AM, Gene Cooper wrote:
> OK, thanks very much for the tip.
>
> Yesterday, I used the .htaccess file on the web server to block the POST
> attacks, which worked, more or less.
>
> The attack does continue unabated, even though the web server is handing
> out 403 errors.  My Apache logs are still being trashed but CPU
> utilization is back down to normal.
>
> I'll look into the xtables addon too.  I'm not aware of what it is.
>
> Thanks,
>
> G
>
> On 09/12/2013 11:10 PM, Alex Aune wrote:
>> On 12.09.2013 19:24, Gene Cooper wrote:
>>> Hi folks,
>>>
>>> Our web server is under an attack by a botnet with this string showing
>>> up in the Apache access log (from many IP addresses):
>>>
>>> Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
>>>
>>> Can anyone clue me in as to how we might block this attack?
>>>
>>> Thanks in advance,
>>>
>>> G
>>
>> Hi Gene,
>>
>> I imagine you can use something along the lines of:
>> iptables -t raw -A PREROUTING -m string --algo bm --string "Mozilla/4.0
>> (compatible; MSIE 6.0; Windows NT 5.1; SV1)" -j DROP
>> Or, based on what's being posted to:
>> iptables -t raw -A PREROUTING -m string --algo bm --string "POST
>> /path/script.cgi HTTP/1.0" -j DROP
>> Provided that you have xtables-addons
>> (http://xtables-addons.sourceforge.net)
>>
>> I haven't tested it as I don't have access to any running webservers at
>> the moment, but I've used something similar for filtering torrents based
>> on their headers before. That being said, I don't know if this would
>> help mitigate the attack though.
>>
>> Regards,
>> Alex
>> _______________________________________________
>> Firewall mailing list
>> Firewall at rocky.eld.leidenuniv.nl
>> http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
>> Arno's (Linux IPTABLES Firewall) Homepage:
>> http://rocky.eld.leidenuniv.nl
>>
>
>
>

-- 

===========================
Gene Cooper
Sonora Communications, Inc.
936 W. Prince Road
Tucson, AZ 85705

(520)407-2000 x101
(520)888-4060 fax
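Added example, not part of the thread above or of Arno's firewall: a small Python script that reads Apache combined-format access log lines, tallies POST requests carrying the quoted User-Agent per source address, and prints per-source iptables DROP rules for review. The log format (Apache "combined") and the sample lines, with addresses taken from documentation ranges, are constructed for the example.

```python
"""Tally POSTs carrying a given User-Agent per client IP from Apache
combined-format access log lines, and emit per-source firewall rules
for the noisiest clients.  Added example, not from the original thread."""
import re
from collections import Counter

# Apache "combined" format:
#   host ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# The User-Agent string reported in the thread.
BOT_AGENT = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

# Constructed sample log (documentation-range addresses, not real clients).
SAMPLE_LOG = """\
203.0.113.7 - - [13/Sep/2013:09:01:02 -0700] "POST /path/script.cgi HTTP/1.0" 403 199 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
203.0.113.7 - - [13/Sep/2013:09:01:03 -0700] "POST /path/script.cgi HTTP/1.0" 403 199 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
198.51.100.21 - - [13/Sep/2013:09:01:03 -0700] "POST /path/script.cgi HTTP/1.0" 403 199 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
192.0.2.44 - - [13/Sep/2013:09:01:04 -0700] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
192.0.2.45 - - [13/Sep/2013:09:01:05 -0700] "POST /contact.php HTTP/1.1" 200 312 "http://example.com/contact" "Mozilla/5.0 (X11; Linux x86_64) Firefox/23.0"
203.0.113.7 - - [13/Sep/2013:09:01:05 -0700] "POST /path/script.cgi HTTP/1.0" 403 199 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
garbage line that does not parse
"""


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def count_bot_posts(lines, agent=BOT_AGENT):
    """Map client IP -> number of POSTs sent with the given User-Agent.

    GET requests from the same agent are deliberately not counted: the
    string is also the stock IE6 User-Agent, so plain page views may be
    real visitors rather than the flood."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # tolerate unparseable lines instead of aborting
        if rec["method"] == "POST" and rec["agent"] == agent:
            hits[rec["ip"]] += 1
    return hits


def block_rules(hits, threshold=2, chain="INPUT"):
    """One iptables DROP rule per source at or above the threshold.

    Returned as strings for operator review; nothing is executed here."""
    ranked = sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))
    return [
        f"iptables -A {chain} -s {ip} -p tcp --dport 80 -j DROP"
        for ip, n in ranked
        if n >= threshold
    ]


if __name__ == "__main__":
    counts = count_bot_posts(SAMPLE_LOG.splitlines())
    for ip, n in counts.most_common():
        print(f"{ip:16} {n}")
    print("\n".join(block_rules(counts)))
```

Two points worth keeping in mind when choosing between this per-source approach and the payload match suggested in the thread: `-m string` (the xt_string match, which ships with mainline iptables, hence it works on CentOS 5 without xtables-addons) inspects each packet on its own, so a request whose headers happen to straddle two TCP segments slips past it; and because the quoted string is the ordinary User-Agent of IE6 on Windows XP SP2, dropping every packet that carries it also drops any remaining legitimate IE6 visitors. Keying on source addresses that exceed a POST threshold, as the script does, sidesteps both, at the cost of maintaining the address list as the botnet rotates hosts.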
