FishB8 (l33t) - Joined: 17 Mar 2003, Posts: 820
Posted: Tue Sep 01, 2009 7:54 pm
Post subject: iptables - filter connections not using a DNS lookup
Is there any way to create a match within iptables to detect when a connection is being made with or without the help of a DNS server?
I want to cut down the number of script kiddies connecting to my server. Most of them are just bots that scan through IP addresses and never actually use a DNS lookup to obtain the IP address. I want to be able to filter new connections that are just connecting directly via IP address instead of using a URL.
I know that it's possible, since when Apache returns the SERVER_NAME used, it can be either a URL or an IP address depending on which was used to make the connection. I just want to be able to set this up as an iptables rule before it ever reaches Apache.
_________________
"...as we enjoy great advantages from the inventions of others, we should be glad of an opportunity to serve others by any invention of ours, and this we should do freely and generously." -Benjamin Franklin
lagalopex (Guru) - Joined: 16 Oct 2004, Posts: 566
Posted: Tue Sep 01, 2009 8:14 pm
That's not possible; Apache knows it because a browser would send it in the HTTP request.
On the iptables level there is nothing like hostnames.
You could of course set up a vhost for your homepage and set the default page (the one that would be served when accessed via IP) to a blank page.
But nevertheless the web server is used...
FishB8 (l33t) - Joined: 17 Mar 2003, Posts: 820
Posted: Tue Sep 01, 2009 9:01 pm
In that case, maybe I'll have it so that Apache adds the connection to a blacklist. I'm using Rails, so maybe I'll redirect the default page to a Rails method that adds the IP to a temporary iptables blacklist.
cach0rr0 (Bodhisattva) - Joined: 13 Nov 2008, Posts: 4123, Location: Houston, Republic of Texas
Posted: Tue Sep 01, 2009 11:36 pm
lagalopex wrote:
> That's not possible; Apache knows it because a browser would send it in the HTTP request.
> On the iptables level there is nothing like hostnames.
> You could of course set up a vhost for your homepage and set the default page (the one that would be served when accessed via IP) to a blank page.
> But nevertheless the web server is used...

I don't know that that's entirely true.
AFAIK iptables can see the HTTP request (GET/POST/HEAD/etc), or even the Host header, and parse it using --string.
BUT
doing this in iptables is a bad idea from a performance perspective.
I think the best way - as much as I hate mod_security - would be to use mod_security, scrap all of its existing rules, and write your own to reject if the request-URI or Host header contains an IP (simple regex like \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).
FishB8 (l33t) - Joined: 17 Mar 2003, Posts: 820
Posted: Wed Sep 02, 2009 12:07 am
What I plan on doing is setting up a rewrite rule in Apache like
Code:
RewriteCond %{SERVER_NAME} 123.123.123.123
RewriteRule ^.* /naughty_bot [PT,L]

that will redirect everything using the server's IP address directly to the /naughty_bot/index Rails method, where I can then have Ruby call
Code:
ipset -A blacklist 789.789.789.789

with a rule in iptables to check that set for blacklisted IP addresses.
I may follow it up with an "at" command to remove it from the list after a couple of hours so that the blacklist is not permanent.
My intention is to try to stop crap like that at the firewall before it even reaches the server. This is pretty close to that, since supposedly only the first request ever makes it to the server. In reality several requests might make it through, since the kiddie scripts generally send this crap pretty fast.
I'll see how well it works.
FishB8 (l33t) - Joined: 17 Mar 2003, Posts: 820
Posted: Thu Sep 03, 2009 2:28 am
Finally got around to trying it. Works like a charm!
For anybody else trying to do the same, the rewrite rules are actually:
Code:
RewriteCond %{SERVER_NAME} 123.123.123.123
RewriteRule ^.*$ http://www.myserver.com/naughty [R]
FishB8 (l33t) - Joined: 17 Mar 2003, Posts: 820
Posted: Sat Sep 26, 2009 10:55 pm
I felt I should add an update in case anybody else tries to do this themselves.
Several issues:
- Using redirection in the rewrite rule doesn't really work well, because the little bots generally don't pay attention to redirection responses. Use the rewrite's proxy method instead.
- SERVER_NAME is often blank. Need to check HTTP_HOST as well.
- Instead of checking for the IP, check that it's NOT your DNS name.
Here's what I ended up with, which snags a lot more bots:
Code:
ProxyRequests Off
RewriteEngine On
# Requests whose server name is neither our DNS name nor one of our own
# addresses get proxied ([P] needs mod_proxy and mod_proxy_http) to the
# local /naughty handler, which blacklists the client. Apache does not
# allow a comment after a directive on the same line, so the "Server's
# LAN IP" notes sit on their own lines.
RewriteCond %{SERVER_NAME} !my.server.com
# Server's LAN IP
RewriteCond %{SERVER_NAME} !192.168.0.1
RewriteCond %{SERVER_NAME} !127.0.0.1
RewriteRule ^.*$ http://127.0.0.1/naughty?ip=%{REMOTE_ADDR} [P]
# Same check against the Host header, since SERVER_NAME is often blank
RewriteCond %{HTTP_HOST} !my.server.com
# Server's LAN IP
RewriteCond %{HTTP_HOST} !192.168.0.1
RewriteCond %{HTTP_HOST} !127.0.0.1
RewriteRule ^.*$ http://127.0.0.1/naughty?ip=%{REMOTE_ADDR} [P]
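The /naughty?ip=... handler that the rewrite above proxies to, as an added Ruby example (not FishB8's Rails code): it only honours bans that arrived through the local [P] hop, validates the ip parameter before anything reaches ipset, never bans private or loopback addresses, and uses an ipset entry timeout in place of a later "at" job. Assumed, not from the thread: a Rack-style env hash, the newer `ipset add` syntax, and a set created with timeout support (`ipset create blacklist hash:ip timeout 7200`).

```ruby
require "ipaddr"
require "uri"

# Constructed assumptions, not the thread's config: the rewrite proxies to
# 127.0.0.1, so only that hop may ask for a ban; the set was created with
# `ipset create blacklist hash:ip timeout 7200` (ipset 6.x syntax).
TRUSTED_PROXY = "127.0.0.1"
SET_NAME      = "blacklist"
BAN_SECONDS   = 2 * 60 * 60            # "a couple hours", enforced by ipset itself
DOTTED_QUAD   = /\A\d{1,3}(\.\d{1,3}){3}\z/

# Pulls ?ip= out of the query string; malformed encodings count as absent.
def client_ip_param(query)
  URI.decode_www_form(query.to_s).to_h["ip"].to_s
rescue ArgumentError
  ""
end

# Builds the ipset argv for the client named in ?ip=, or nil when the
# request must be ignored. The argv form never goes through a shell.
def ban_command(env)
  # A request that did not come through the local [P] hop is someone
  # hitting /naughty directly, trying to get an arbitrary IP banned.
  return nil unless env["REMOTE_ADDR"] == TRUSTED_PROXY

  raw = client_ip_param(env["QUERY_STRING"])
  return nil unless raw.match?(DOTTED_QUAD)     # rejects "1.2.3.4/24", "$(...)", ""
  ip = begin
    IPAddr.new(raw)                              # rejects octets above 255
  rescue IPAddr::InvalidAddressError
    return nil
  end
  return nil if ip.private? || ip.loopback?      # never lock out the LAN or ourselves

  ["ipset", "-exist", "add", SET_NAME, ip.to_s, "timeout", BAN_SECONDS.to_s]
end

# Applies the ban. The runner is injectable so the logic can be exercised
# without root or a real ipset binary; the default uses system(*argv).
def ban!(env, runner = ->(argv) { system(*argv) })
  argv = ban_command(env)
  argv ? runner.call(argv) : false
end
```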