LinuxQuestions.org
Old 03-05-2004, 10:44 PM   #1
Buckyjunior
Member
 
Registered: Jul 2003
Distribution: Kubuntu Hardy
Posts: 76

Rep: Reputation: 15
Understanding iptables


My Linux box (Fedora Core 1), is set up as a web server for testing/learning purposes. I seem to be getting a lot of hits that I would rather DROP. E.g.,

1.2.3.4 - - [24/Feb/2004:14:42:21 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 338 "-" "-"
1.2.3.4 - - [24/Feb/2004:14:42:21 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 336 "-" "-"
1.2.3.4 - - [24/Feb/2004:14:42:22 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 346 "-" "-"
1.2.3.4 - - [24/Feb/2004:14:42:29 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 360 "-"


These are from many--not easily traceable--locations. Obviously, these are not finding what they're looking for on my Linux box and the rest of my machines are Macs. (I suppose that my ISP would be curious about them, but I've heard that they discourage high bandwidth activities like web serving, so I'm a bit reluctant.)

I have read quite a few HOW-TOs and FAQs as well as the first part of the man page about iptables and have been adding the offending IP addresses to the INPUT chain in order to DROP them, e.g.,
Code:
iptables -t filter -A INPUT -s 1.2.3.4 -j DROP
This seems to reduce the hits, except there are more and more of them.

In order to keep track of them all, I've written a bash script that removes the ones there and then adds (again) the full sorted list. To remove them, I use the line
Code:
iptables -t filter -D INPUT -s 1.2.3.4 -j DROP
using the same line substituting -D for delete as suggested.

Now, when I run it, iptables returns an error "Invalid target name. DROP".

So what did I do wrong that DROP is no longer an option? Am I on the right track here? I'm thankful for any pointers. I would prefer to know what I'm doing rather than just dump someone's expert script into my box. I suppose I could just reject everything except my LAN, but sometimes I would like to show someone something from here.
Bucky
 
Old 03-06-2004, 06:39 AM   #2
linuxxed
Member
 
Registered: Feb 2004
Posts: 273

Rep: Reputation: 30
Looks like the NIMDA virus attacks to me. We used to get a lot of those on our Netscape servers, but don't worry, Apache and Netscape are completely immune to these GETs. Search for NIMDA on Google.

Run IIS and you'll regret it!
 
Old 03-06-2004, 07:43 AM   #3
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
Well, to start off, I don't think your rule is correct. In your original rule, you have -t filter which I believe is part of the documentation, not a real part of the rule. So you should be replacing the -t with one of the normal iptables flags (-A,-D,-I) and filter with the correct table (INPUT,OUTPUT).


Try correcting that and see if it works because it looks as if the rest of the rules are OK.
 
Old 03-07-2004, 06:18 AM   #4
codedv
Member
 
Registered: Nov 2003
Location: Slough, UK
Distribution: Debian
Posts: 146

Rep: Reputation: 15
I've blocked them at application level. True - these attacks are harmless to Linux boxes, but they sure do make the log files look messy. This is the rule I've got in my httpd.conf file to filter out the requests:
Code:
# set an environment variable if an attempted attack
SetEnvIf Request_URI "^\/((scripts|[Mm][Ss][Aa][Dd][Cc]|_mem_bin|_vti_bin|([Cc]|[Dd])\/winnt|).*\/(nsiislog\.dll|cmd\.exe|root\.exe))|default\.ida$" attack-attempt

# Default Directory Rule
<Directory />
    Options None
    AllowOverride None

    # send 403 to attack attempts
    Deny from env=attack-attempt
</Directory>

# custom log - log everything except attack attempts
CustomLog logs/access_log common env=!attack-attempt

# keep attack attempts in a separate log file
CustomLog logs/attack-attempt_log "%t %a %r %>s" env=attack-attempt
In my opinion, blocking the IP addresses is not a good idea. Often these requests are from viruses on PCs which the owner knows nothing about. The IP address you are blocking may also be from a dial-up ISP, which means the client request would be from a different IP address every time they connect.
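As an added illustration (not code from this thread), the following Python script applies the same SetEnvIf pattern from the httpd.conf above to Common Log Format lines, splitting them the way the two CustomLog directives would and counting attack attempts per source host. The sample lines are constructed from the scanner entries in the first post plus made-up benign requests, and the query-string stripping mirrors Apache's Request_URI, which excludes the query string.

```python
import re
from collections import Counter

# Same pattern as the SetEnvIf rule in the httpd.conf above (Apache applies it
# with unanchored search semantics, which re.search reproduces).
ATTACK_RE = re.compile(
    r"^/((scripts|[Mm][Ss][Aa][Dd][Cc]|_mem_bin|_vti_bin|([Cc]|[Dd])/winnt|)"
    r".*/(nsiislog\.dll|cmd\.exe|root\.exe))|default\.ida$"
)

# Common Log Format: host ident user [time] "method uri proto" status bytes ...
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)

def is_attack_attempt(uri: str) -> bool:
    """Mirror the attack-attempt environment variable for one request URI.
    Apache's Request_URI excludes the query string, so drop it first."""
    path = uri.split("?", 1)[0]
    return ATTACK_RE.search(path) is not None

def split_log(lines):
    """Route lines the way the two CustomLog directives would and return
    (access_log, attack_log, attack_counts_by_host). Lines that do not parse
    are kept in the access log so nothing is silently lost."""
    access, attack, counts = [], [], Counter()
    for line in lines:
        m = CLF_RE.match(line)
        if m and is_attack_attempt(m.group("uri")):
            attack.append(line)
            counts[m.group("host")] += 1
        else:
            access.append(line)
    return access, attack, counts

# Constructed sample: three scanner lines from the first post plus two
# ordinary requests and one Code Red style default.ida probe (made up).
SAMPLE_LOG = [
    '1.2.3.4 - - [24/Feb/2004:14:42:21 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 338 "-" "-"',
    '1.2.3.4 - - [24/Feb/2004:14:42:21 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 336 "-" "-"',
    '1.2.3.4 - - [24/Feb/2004:14:42:22 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 346 "-" "-"',
    '10.0.0.7 - - [24/Feb/2004:15:01:02 -0700] "GET /index.html HTTP/1.1" 200 1543 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [24/Feb/2004:15:01:03 -0700] "GET /images/logo.png HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '5.6.7.8 - - [24/Feb/2004:15:09:40 -0700] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 290 "-" "-"',
]

if __name__ == "__main__":
    access, attack, counts = split_log(SAMPLE_LOG)
    print(f"{len(access)} access, {len(attack)} attack-attempt, by host: {dict(counts)}")
```

Running it against a real access_log shows which hosts would have been diverted to attack-attempt_log, which is useful for deciding whether a firewall rule is worth its upkeep.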
 