The Uniform Server Community

RQ: IP Tables via CYGWIN or similar!



Dear community,

can you think if it's a good idea to implement an Advanced Firewall like *nix IPTABLES.

What I mean is using cygwin or another thing to use an IPTABLES, because IPTABLES really rules.

Yesterday when I took a look at the LOGS in Apache I saw w00tw00t trying to access the server, so I shut down the server, put the IP that wanted to hack me in .htaccess deny, but at this moment I started to think about the option to integrate something like IPTABLES.

 

I'll really appreciate if it's possible, because using of functions as:

Blocking string:

 

iptables -I INPUT -d XXX.XXX.XXX.XXX -p tcp --dport 80 -m string --to 70 --algo bm --string 'GET /w00tw00t.' -j DROP

where XXX.XXX.XXX.XXX represent YOUR IP!!!

 

Using attack patterns in config will do the same, but I'm not a programmer. Something like:

 

block ip-host
block [
    "php"
    "w00tw00t"
    ip-host
]

 

Thanks to http://cheyenne-server.googlecode.com for ideas and ipTables for the same.

 

Good tutorial with example of this can be found here;

http://spamcleaner.org/en/misc/w00tw00t.html

or another good example can be found here:

http://www.fail2ban.org/wiki/index.php/Main_Page

 

I would like to thank the developers of this great piece of software that they provide to us!


Thanks for the heads-up on this attack format. Just love those 'bots. Seems to point out how difficult it is to REALLY secure your server.

 

So far as putting in IPTABLES, my first take (after doing some homework) is that this is NOT the level where The Uniform Server sits. IPTABLES is at the network-firewall level, and interacts with packets before they get picked up by Apache.

 

The Uniform Server would need to put something into Apache, IMHO, in order to stay within its logical boundary. It also depends more on the philosophical and practical cut-off point for where the developers of The Uniform Server want to stop and "leave the rest as an exercise for the user."

 

I would suggest that this be developed into pages on the Wiki, with some detailed analysis of what's needed to counteract attacks.

 

Regards,

BobS


Thank you for your reply!

It's true, but I think that adding some patterns in Apache (NOT IPTABLES) will be a good idea, as described in the Cheyenne project.

These bots make me crazy, yes it's true it's NOT a production server, but I really want to have security at a level up :(

 

As described here:

New config keyword in global section: block. It will drop client connection if some given attack patterns are found in the request (usually on request line).

Examples:

block "w00tw00t"

block [
    "php"
    "w00tw00t"
    "/admin"
]

 

When one of the patterns is detected, the connection is closed at once, no response is sent back to the client. Additionally, you can add the 'ip-host' keyword in the block argument list to block all requests using an IP address in the Host header instead of a valid domain. This is, almost every time, the signature of a web scanner.

 

Examples:

block ip-host

block [
    "php"
    "w00tw00t"
    ip-host
]

 

Sorry for my English, but .... you're right that this is good to put in the Wiki for discussion!

Thanks again.

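To make the `block` semantics quoted above concrete, here is an added example (not Cheyenne's parser and not part of this thread) that reads the `block` directives in that syntax and evaluates constructed requests against them: quoted strings are substring patterns on the request line, and the bare `ip-host` keyword flags a Host header that carries an IP literal instead of a domain name. The config and request samples are constructed for the demonstration.

```python
import ipaddress
import re

IP_HOST = "ip-host"  # sentinel for the bare ip-host keyword

def parse_block_config(text):
    """Parse 'block' directives in the Cheyenne-like syntax quoted in the thread.
    Assumption: only quoted strings, the bare word ip-host and [ ] lists occur."""
    rules = []
    for m in re.finditer(r'^\s*block\s+(\[[^\]]*\]|"[^"]*"|ip-host)', text, re.M):
        for quoted, keyword in re.findall(r'"([^"]*)"|(ip-host)', m.group(1)):
            rules.append(quoted if quoted else IP_HOST)
    return rules

def host_is_ip_literal(host):
    """True when the Host header is a bare IPv4/IPv6 address (optionally with port)."""
    if not host:
        return False
    # "[2001:db8::1]:80" -> "2001:db8::1", "192.0.2.10:80" -> "192.0.2.10"
    hostname = host[1:host.find("]")] if host.startswith("[") else host.split(":")[0]
    try:
        ipaddress.ip_address(hostname)
        return True
    except ValueError:
        return False

def should_block(request_line, host, rules):
    """Return the rule that matched (so it can be logged), or None to let the request pass.
    String patterns are matched case-insensitively against the request line only."""
    for rule in rules:
        if rule == IP_HOST:
            if host_is_ip_literal(host):
                return IP_HOST
        elif rule.lower() in request_line.lower():
            return rule
    return None

CONFIG = '''
block [
    "w00tw00t"
    "/admin"
]
block ip-host
'''

SAMPLE_REQUESTS = [  # constructed (request line, Host header) pairs, not real traffic
    ("GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1", "192.0.2.10"),
    ("GET /index.php HTTP/1.1", "www.example.com"),
    ("GET /index.php HTTP/1.1", "192.0.2.10"),
    ("GET /admin/login HTTP/1.1", "www.example.com"),
]

def evaluate(config=CONFIG, requests=SAMPLE_REQUESTS):
    rules = parse_block_config(config)
    return [should_block(line, host, rules) for line, host in requests]

if __name__ == "__main__":
    for (line, host), verdict in zip(SAMPLE_REQUESTS, evaluate()):
        print(f"{'DROP' if verdict else 'pass'} {host:16} {line} (rule: {verdict})")
```

The thread's `"php"` pattern is left out of the sample config on purpose: as a plain substring rule on the request line it would also drop every legitimate `/index.php` request on a PHP server, so a pattern list like this needs checking against normal traffic before it is enabled.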