Is IPtables not working??BruteForce on 80

aq_mishu · 02-21-2009, 03:08 AM

Guys!!
I'm experiencing severe BruteForce attack from the IP 92.48.127.153 on my port 80 for http.

I have set the iptables as follows...

Code:

iptables -A INPUT -i eth0 -s 92.48.127.153 -j REJECT

And finally did the

Code:

service iptables save
service iptables restart

And then the iptables nvl shows it...

Code:

    0     0 REJECT     all  --  eth0   *       92.48.127.153        0.0.0.0/0          reject-with icmp-port-unreachable

Now please help me... i want to get rid of this guy....

JulianTosh · 02-21-2009, 03:16 AM

use -j DROP instead

aq_mishu · 02-21-2009, 03:24 AM

did so... nothing... still the guy can access... i can see the httpd logs realtime...

aq_mishu · 02-21-2009, 03:33 AM

this is current..

0 0 DROP all -- eth0 * 92.48.127.153 202.53.171.50

but nothing... he still accessing... all i now can do is just unplug the cable...

JulianTosh · 02-21-2009, 03:39 AM

please post the output of

ifconfig -eth0

you might have your input/output src/dst mixed up.

aq_mishu · 02-21-2009, 03:42 AM

ifconfig -eth0
eth0 Link encap:Ethernet HWaddr 00:50:BF:9C:ED:B7
inet addr:202.53.171.50 Bcast:202.53.171.55 Mask:255.255.255.248
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:564 errors:0 dropped:0 overruns:0 frame:0
TX packets:512 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
Interrupt:3 Base address:0x1c00

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:61 errors:0 dropped:0 overruns:0 frame:0
TX packets:61 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0

aq_mishu · 02-21-2009, 03:42 AM

iptables -nL
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW multiport dports 80,443,21,30
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state NEW icmp type 8
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 10.0.0.0/8 0.0.0.0/0
DROP all -- 172.16.0.0/12 0.0.0.0/0
DROP all -- 192.168.0.0/16 0.0.0.0/0
DROP all -- 220.177.248.174 0.0.0.0/0
DROP all -- 222.92.117.19 0.0.0.0/0
DROP all -- 92.48.127.153 202.53.171.50

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW multiport dports 25,80,443,21,30
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state NEW icmp type 8
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

==============================

iptables -A INPUT -i eth0 -d 202.53.171.50 -s 92.48.127.153 -j DROP

was used

JulianTosh · 02-21-2009, 03:50 AM

Your default input policy is drop, but you have an accept everything in there:
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

JulianTosh · 02-21-2009, 03:52 AM

you can kill it with fire by finding the line number and deleting the rule

iptables -nL --line-numbers

and

iptables -D INPUT <rule number>

JulianTosh · 02-21-2009, 03:57 AM

further, with a default policy of drop, those drop rules are useless and can be deleted.

might want to check out your drop chain as well.

aq_mishu · 02-21-2009, 04:00 AM

did not understand...
iptables -nL
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW multiport dports 80,443,21,30
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state NEW icmp type 8
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 10.0.0.0/8 0.0.0.0/0
DROP all -- 172.16.0.0/12 0.0.0.0/0
DROP all -- 192.168.0.0/16 0.0.0.0/0
DROP all -- 220.177.248.174 0.0.0.0/0
DROP all -- 222.92.117.19 0.0.0.0/0
DROP all -- 92.48.127.153 202.53.171.50

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW multiport dports 25,80,443,21,30
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state NEW icmp type 8
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
====================================
Now how to work line-numbers?? I already have made a reboot after the iptables rules. I think the firewall is not working as it was supposed to work...

aq_mishu · 02-21-2009, 04:02 AM

iptables -nL
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW multiport dports 80,443,21,30
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state NEW icmp type 8
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 10.0.0.0/8 0.0.0.0/0
DROP all -- 172.16.0.0/12 0.0.0.0/0
DROP all -- 192.168.0.0/16 0.0.0.0/0
DROP all -- 220.177.248.174 0.0.0.0/0
DROP all -- 222.92.117.19 0.0.0.0/0
DROP all -- 92.48.127.153 202.53.171.50

Chain FORWARD (policy ACCEPT)
target prot opt source destination
============================================
Now what?? Actually i think its not working or may b understanding prob....
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW multiport dports 25,80,443,21,30
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state NEW icmp type 8
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

aq_mishu · 02-21-2009, 04:03 AM

iptables -nL
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW multiport dports 80,443,21,30
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state NEW icmp type 8
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 10.0.0.0/8 0.0.0.0/0
DROP all -- 172.16.0.0/12 0.0.0.0/0
DROP all -- 192.168.0.0/16 0.0.0.0/0
DROP all -- 220.177.248.174 0.0.0.0/0
DROP all -- 222.92.117.19 0.0.0.0/0
DROP all -- 92.48.127.153 202.53.171.50

Chain FORWARD (policy ACCEPT)
target prot opt source destination
============================================
Now what?? Actually i think its not working or may b understanding prob....

aq_mishu · 02-21-2009, 04:09 AM

iptables -nL
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW multiport dports 80,443,21,30
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state NEW icmp type 8
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 10.0.0.0/8 0.0.0.0/0
DROP all -- 172.16.0.0/12 0.0.0.0/0
DROP all -- 192.168.0.0/16 0.0.0.0/0
DROP all -- 220.177.248.174 0.0.0.0/0
DROP all -- 222.92.117.19 0.0.0.0/0
DROP all -- 92.48.127.153 202.53.171.50

Chain FORWARD (policy ACCEPT)
target prot opt source destination
============================================
Now what?? Actually i think its not working or may b understanding prob....

JulianTosh · 02-21-2009, 04:10 AM

your drop statements are never firing because of the last "ACCEPT all -- 0.0.0.0/0 0.0.0.0/0". That allows everything regardless of protocol, address or state. you basically dont have a firewall at this point. Delete that line and you're good to go.

If you post your rules using "--line-numbers" I'll tell you exactly which one to get rid of...