[Firewall] Possible to Block POST Attacks by User Agent String?
lists at lonnie.abelbeck.com
Fri Sep 13 20:18:51 CEST 2013
Hi Alex and Gene,
First, thanks to Alex for the useful suggestion. Alex, may I ask why you are using the 'raw' PREROUTING table to drop the packets? Would some say only NOTRACK is a proper target in that table? I'd be interested in your comments.
Gene, when creating a custom-rule for AIF, pending Alex's response, I'd suggest using the 'filter' INPUT / FORWARD chain for your rule, for example something like:
-- /etc/arno-iptables-firewall/custom-rules --
match_string='Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)'
echo "[CUSTOM RULE] Drop incoming packet matches of string: $match_string"
iptables -A INPUT -m string --algo bm --string "$match_string" -j DROP
iptables -A FORWARD -m string --algo bm --string "$match_string" -j DROP
Note: If the web server is on the AIF box, only use INPUT, else only use FORWARD for efficiency.
Note: Adding with -A is fine since the chains are flushed when the custom-rules script is called.
You might also look into adding a "--to offset" value to limit the depth of the search in the packet to make the string matching more efficient.
On Sep 13, 2013, at 12:06 PM, Gene Cooper wrote:
> Thanks again for the tips.
> After determining that xtables-addons is not available for CentOS 5, I dug into it a bit and I didn't see why your suggested commands would not work.
> So I just tried the first one (User Agent string) verbatim from the command line and it seems to work perfectly.
> Now I have to add it to Arno's FW (though I have never tried adding custom commands to AFW before).
> On 09/13/2013 09:30 AM, Gene Cooper wrote:
>> OK, thanks very much for the tip.
>> Yesterday, I used the .htaccess file on the web server to block the POST
>> attacks, which worked, more or less.
>> The attack does continue unabated, even though the web server is handing
>> out 403 errors. My Apache logs are still being trashed but CPU
>> utilization is back down to normal.
>> I'll look into the xtables addon too. I'm not aware of what it is.
>> On 09/12/2013 11:10 PM, Alex Aune wrote:
>>> On 12.09.2013 19:24, Gene Cooper wrote:
>>>> Hi folks,
>>>> Our web server is under an attack by a botnet with this string showing
>>>> up in the Apache access log (from many IP addresses):
>>>> Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
>>>> Can anyone clue me in as to how we might block this attack?
>>>> Thanks in advance,
>>> Hi Gene,
>>> I imagine you can use something along the lines of:
>>> iptables -t raw -A PREROUTING -m string --algo bm --string "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" -j DROP
>>> Or, based on what's being posted to:
>>> iptables -t raw -A PREROUTING -m string --algo bm --string "POST /path/script.cgi HTTP/1.0" -j DROP
>>> Provided that you have xtables-addons
>>> I haven't tested it as I don't have access to any running webservers at
>>> the moment, but I've used something similar for filtering torrents based
>>> on their headers before. That being said, I don't know if this would
>>> help mitigate the attack though.
>>> Firewall mailing list
>>> Firewall at rocky.eld.leidenuniv.nl
>>> Arno's (Linux IPTABLES Firewall) Homepage:
> Gene Cooper
> Sonora Communications, Inc.
> 936 W. Prince Road
> Tucson, AZ 85705
> (520)407-2000 x101
> (520)888-4060 fax
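The custom-rules approach Lonnie suggests above, as an added example that is not code from the thread or from AIF: a small POSIX shell script that generates the string-match DROP rule for the chosen chain (INPUT or FORWARD) with a "--to" search depth and a tcp/80 restriction, and counts the POST requests carrying the user agent in a constructed Apache log so the pattern can be confirmed before the rule is deployed. Assumes the web server listens on TCP port 80; the log lines and addresses are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Builds the AIF custom-rules line that
# drops packets carrying a given string, and checks an Apache log for the
# pattern first. Assumption: the web server listens on TCP port 80.

# Print one DROP rule for CHAIN (INPUT when the web server is on the AIF box,
# FORWARD when AIF routes in front of it). DEPTH is the --to offset, counted
# from the start of the IP header, so the default covers the headers plus the
# early part of the HTTP request where the User-Agent line normally sits.
build_string_drop_rule() {
    match_string=$1; chain=$2; depth=${3:-512}
    case "$chain" in
        INPUT|FORWARD) ;;
        *) echo "chain must be INPUT or FORWARD, got '$chain'" >&2; return 1 ;;
    esac
    # A double quote inside the pattern would break the generated shell line.
    case "$match_string" in
        *\"*) echo "match string must not contain a double quote" >&2; return 1 ;;
    esac
    # -p tcp --dport 80 confines the (costly) payload search to web traffic;
    # --to limits how deep into each packet the Boyer-Moore search runs.
    printf 'iptables -A %s -p tcp --dport 80 -m string --algo bm --to %s --string "%s" -j DROP\n' \
        "$chain" "$depth" "$match_string"
}

# Count lines in an Apache combined log that are POST requests carrying UA.
# Useful before deploying: the same rule would also drop any legitimate
# client that sends that exact User-Agent string.
count_post_by_ua() {
    logfile=$1; ua=$2
    grep -F -- "\"$ua\"" "$logfile" | grep -c '"POST ' || true
}

# Constructed sample log (not from the thread) for a dry run.
sample_log=$(mktemp)
trap 'rm -f "$sample_log"' EXIT
cat >"$sample_log" <<'EOF'
203.0.113.5 - - [13/Sep/2013:12:00:01 +0200] "POST /path/script.cgi HTTP/1.0" 403 199 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
203.0.113.9 - - [13/Sep/2013:12:00:02 +0200] "POST /path/script.cgi HTTP/1.0" 403 199 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
198.51.100.7 - - [13/Sep/2013:12:00:03 +0200] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/23.0"
EOF

bot_ua='Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)'
echo "POST requests with that user agent: $(count_post_by_ua "$sample_log" "$bot_ua")"
build_string_drop_rule "$bot_ua" INPUT 512
```

The printed iptables line is what would go into /etc/arno-iptables-firewall/custom-rules; the string match only sees one packet at a time, so the pattern must fit inside a single packet to be caught.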