The Uniform Server Community

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

RQ: IP Tables via CYGWIN or similar!

Dear community,

Can you think about whether it's a good idea to implement an advanced firewall like *nix IPTABLES?

What I mean is using cygwin or another thing to use an IPTABLES, because IPTABLES really rules.

Yesterday when I took a look at the logs in Apache I saw w00tw00t trying to access the server, so I shut down the server and put the IP that wanted to hack me in an .htaccess deny, but at that moment I started to think about the option to integrate something like IPTABLES.

 

I'll really appreciate if it's possible, because using of functions as:

Blocking string:

 

iptables -I INPUT -d XXX.XXX.XXX.XXX -p tcp --dport 80 -m string --to 70 \
    --algo bm --string 'GET /w00tw00t.' -j DROP

where XXX.XXX.XXX.XXX represent YOUR IP!!!

 

Using attack patterns in config will do the same, but I'm not a programmer. Something like:

 

block ip-host
block [
    "php"
    "w00tw00t"
    ip-host
]

 

Thanks to http://cheyenne-server.googlecode.com for ideas and ipTables for the same.

 

Good tutorial with example of this can be found here;

http://spamcleaner.org/en/misc/w00tw00t.html

or another good example can be found here:

http://www.fail2ban.org/wiki/index.php/Main_Page

 

I would like to thank the developers of this great piece of software that they provide to us!

Thanks for the heads-up on this attack format. Just love those 'bots. Seems to point out how difficult it is to REALLY secure your server.

 

So far as putting in IPTABLES, my first take (after doing some homework) is that this is NOT the level where The Uniform Server sits. IPTABLES is at the network-firewall level, and interacts with packets before they get picked up by Apache.

 

The Uniform Server would need to put something into Apache, IMHO, in order to stay within its logical boundary. It also depends more on the philosophical and practical cut-off point for where the developers of The Uniform Server want to stop and "leave the rest as an exercise for the user."

 

I would suggest that this be developed into pages on the Wiki, with some detailed analysis of what's needed to counteract attacks.

 

Regards,

BobS

  • Author

Thank you for your reply!

It's true, but I think that adding some patterns in Apache (NOT IPTABLES) would be a good idea, as described in the Cheyenne project.

These bots make me crazy. Yes, it's true it's NOT a production server, but I really want to have security a level up :(

 

As described here:

New config keyword in global section: block. It will drop client connection if some given attack patterns are found in the request (usually on request line).

Examples:

block "w00tw00t"

block [
    "php"
    "w00tw00t"
    "/admin"
]

 

When one of the patterns is detected, the connection is closed at once, no response is sent back to client. Additionally, you can add the 'ip-host keyword in block argument list to block all requests using an IP address in Host header instead of a valid domain. This is, almost every time, the signature of a web scanner.

 

Examples:

block ip-host

block [
    "php"
    "w00tw00t"
    ip-host
]

 

Sorry for my English, but... you're right that this is good to put in the Wiki for discussion!

Thanks again.
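
Added example, not part of the thread and not code from Cheyenne or The Uniform Server: a Python sketch of the decision the quoted `block` keyword describes (pattern found on the request line, or an IP literal in the Host header), run over constructed requests. The function names, the case-insensitive matching and the sample requests are assumptions made for the illustration.

```python
import ipaddress

# Patterns taken from the block examples quoted in the thread.
BLOCK_PATTERNS = ("php", "w00tw00t", "/admin")

def host_is_ip(host_header):
    """True when the Host header names an IP literal instead of a domain."""
    host = host_header.strip()
    if host.startswith("["):            # bracketed IPv6 such as [::1]:8080
        host = host[1:].split("]", 1)[0]
    elif host.count(":") == 1:          # hostname or IPv4 followed by a port
        host = host.rsplit(":", 1)[0]
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def should_block(raw_request, patterns=BLOCK_PATTERNS, ip_host=True):
    """Return the reason a request would be dropped, or None to allow it."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    request_line = lines[0].lower()     # assumption: match case-insensitively
    for pattern in patterns:
        if pattern.lower() in request_line:
            return "pattern:" + pattern
    if ip_host:
        for line in lines[1:]:
            name, _, value = line.partition(":")
            if name.strip().lower() == "host" and host_is_ip(value):
                return "ip-host"
    return None

# Constructed sample requests (documentation addresses, not real traffic).
SAMPLES = [
    "GET /w00tw00t.example HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: 192.0.2.7:80\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
]

if __name__ == "__main__":
    for request in SAMPLES:
        print(repr(request.split("\r\n", 1)[0]), "->", should_block(request))
```

Note that the "php" pattern matches every request line containing that string, so on a server that actually runs PHP applications it would drop legitimate requests as well as scanner probes.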
