block ip addresses that request a specific url - block

I'm receiving too many requests on my server from different ip addresses. I discovered, watching apache access.log, that all these ip addresses are requesting a specific file (teXeFe.php). I'd like to block the access to all these ip addresses. How can I do it?

How about using the iptables string match ?
Something like,
iptables -I INPUT 1 -m string --algo bm --string "teXeFe.php" -j DROP
I inserted the rule at position one just for testing since I had other rules that matched before this one if it was inserted further down the chain. Anyway, you get the concept. You could also be a little more specific in the rule (including the GET /full/url/path etc).
Here is page describing the string-matching filter,
- http://spamcleaner.org/en/misc/w00tw00t.html
And here's another stackoverflow-question about it,
- iptable rule to drop packet with a specific substring in payload
Hope that helps!

The provided solution did not work for me. Here is what did:
iptables -A INPUT -p tcp -m string --string "/path/to/file.php" --algo kmp -j REJECT
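An added example, not code from either answer above: rather than matching a string anywhere in the packet payload, parse the Apache access.log the question mentions, collect the client IPs that actually requested teXeFe.php, and emit an ipset blocklist plus a single iptables rule referencing it. The log lines and the set name webscanners are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample access.log lines in Apache combined format (not from the page).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /teXeFe.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:55:37 +0000] "POST /teXeFe.php?x=1 HTTP/1.1" 404 209 "-" "curl/7.88"
192.0.2.44 - - [10/Oct/2023:13:55:38 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "GET /teXeFe.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
not a log line
"""

# Combined Log Format: client IP, identity, user, [timestamp], "request line", status, bytes, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def offending_ips(log_text, target_file="teXeFe.php"):
    """Return a Counter of client IPs whose request path names target_file.
    Only the path component is compared (query string stripped), so a hit means
    the file was requested, not that the string appeared somewhere in a packet."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of crashing on them
        path = m.group("path").split("?", 1)[0]
        if path.rsplit("/", 1)[-1] == target_file:
            hits[m.group("ip")] += 1
    return hits

def ipset_commands(ips, set_name="webscanners"):
    """Emit ipset/iptables commands that drop traffic from the given IPs.
    One rule referencing the set scales better than one rule per IP and needs
    no payload inspection. The set name is an assumption for this example."""
    cmds = [f"ipset create {set_name} hash:ip -exist"]
    cmds += [f"ipset add {set_name} {ip} -exist" for ip in sorted(ips)]
    cmds.append(f"iptables -I INPUT -m set --match-set {set_name} src -j DROP")
    return cmds

if __name__ == "__main__":
    print("\n".join(ipset_commands(offending_ips(SAMPLE_LOG))))
```

Run it against the real log (e.g. `offending_ips(open("/var/log/apache2/access.log").read())`) and review the list before feeding the commands to a shell.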

Related

How to block FIN-WAIT-2 by iptables?

My site now is under ddos-attack,
"ss -ant" shows a lot of FIN-WAIT-2 (and some FIN-WAIT-1) connections from one ip (and random ports), about 500-700 connections:
FIN-WAIT-2 0 0 ::ffff:MY_IP:443 ::ffff:ATTACKERS_IP:RANDOM_PORT
.... 500-700 times
I'm trying to use
iptables -A INPUT -s ATTACKERS_IP -j DROP
and
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,RST RST -m limit --limit 1/s -j ACCEPT
and
echo "2" > /proc/sys/net/ipv4/tcp_fin_timeout
but it doesn't help - new connections are coming in with other random ports.
So, how to TOTALLY block specific IP by iptables (or maybe something else) to prevent FIN-WAIT-2 flood by ip which freezes the server?
It depends, there's a ton of ways to approach the problem. You could block the whole country if it's a foreign-language country (provided your website is not of international market or interest).
or
You could block an entire ip block
or
You could use cloudflare to pre-mitigate the problem
or
You could ....

How to use iptable to filter urls containing string?

To block all requests to xxx.com:
sudo iptables -A OUTPUT -p tcp -m string --string "xxx.com" --algo kmp -j DROP
What will block requests to any URL containing xxx, like
google.com?q=xxx&...
without blocking google.com.
You may want to use kpcre, iptables PCRE extension.
For example, to filter the example you have pointed:
iptables -I INPUT -p tcp -m string --string "/\/.+xxx.+/i" --algo pcre -j DROP
The string "/\/.+xxx.+/i" denotes case insensitive strings which start with "/" and contain "xxx".
Your suggested approach could potentially block dns requests, but if somebody uses the IP address directly that would be bypassed.
As suggested above you can use an http proxy.
Alternatively, I implemented a restriction of the type you mention without a proxy using dnsmasq and ipset. I list here the high level steps of how to do it:
- create an empty ipset called myprohibitedsites
- run your own instance of dnsmasq (you do not need the dhcp part of dnsmasq for this, just the dns cache)
- configure all your machines to use your dnsmasq (or redirect udp port 53 to your dnsmasq via iptables)
- configure your dnsmasq to log to the ipset myprohibitedsites all dns requests of the type xxx.com (see dnsmasq user guide)
- configure iptables filter to drop all packets which have as destination the IPs contained in myprohibitedsites

What iptables rules should I use in order for my Discourse app to be able to use Mandrill?

I am currently trying to secure a little my server before its release to the world. For now, there is just a Discourse instance running, that uses Mandrill as email smtp server.
There is an nginx server in front of that Discourse.
With no iptables rules, everything works fine. When I apply my rules, it breaks. I am still able to reach the Discourse and even send posts and everything, except sending email.
With ./launcher mailtest app, it works. The Discourse error, however, is the following: ERREUR - getaddrinfo: Name or service not known.
I really tried to find out myself what I should use. But I couldn't.
First, I was thinking a simple iptables -A OUTPUT -p tcp --dport 587 -j ACCEPT was enough, but I was proved the contrary.
Some other inputs:
iptables -F
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
I set Discourse to use port 587 of Mandrill.
Okay, so I just realised... This is not the right SE forum for that question. I'm sorry for that.
However, since I finally found a solution (it's always when you post your question that the question hits you in the face), let me share it.
I was missing a FORWARD rule between docker0 and eth0.
iptables -A FORWARD -i docker0 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o docker0 -j ACCEPT
Sorry for the inconvenience.

how to add new iptables rule based on current rule

I haven't really played around at all with iptables so I am quite clueless here. This MySQL server I'm currently working on rejects all connections except for whitelisted sources. I need to add a new IP but not sure how to duplicate the current rule
iptables -L lists this rule that I need to duplicate:
ACCEPT tcp -- 10.65.0.1 anywhere tcp dpt:mysql
How would I go about adding a new rule in for a different IP address?
edit: I guess I should add that I've been looking at different examples and instructions but before I try anything I just wanted to post the question here to see if anybody can provide the exact command to add the rule.
just for the record here's the answer:
iptables -A INPUT -p tcp -s $IP_ADDRESS -m tcp --dport 3306 -j ACCEPT

How to mark packets sending to server using iptables extensions?

I'd like to make SSH-identification a little stronger using iptables extensions (or IPSec tools?) for marking (while sending) and matching (while receiving) the packets between my laptop and my server.
I need no VPN, just to send additional information in IP Options header (or in the AH field?).. while talking to server.
It would be nice if it could be possible by using iptables plugins for Debian only (to first alter the headers and then compare the key inside on my remote host).
I googled for a day and found such topics as Inspect protocols AH and ESP for content; Using iptables string-matching filter; Payload mangling etc - but for now I could not understand the most important thing: which package to install for Debian on both computers :)
My dream is to block connections using iptables on port 22 (which have no signature inside) before the SSH handshake starts. Can you help me, please?
I did my homework again, and gurus online told me to use the ToS field, "which remains the same while being transmitted over global networks".
An example how to set it:
iptables -t mangle -A PREROUTING -p TCP --dport 22 -j TOS --set-tos 0x10
And it's a very small field (256 bits), filled up with the service information, so there is not much room to play with and you must be very careful. But still!..
Later the ToS value can be read on the receiving machine using something like
iptables -A INPUT -p tcp -m tos --tos 0x16