My Linux box (Fedora Core 1) is set up as a web server for testing/learning purposes. I seem to be getting a lot of hits that I would rather DROP. E.g.,
1.2.3.4 - - [24/Feb/2004:14:42:21 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 338 "-" "-"
1.2.3.4 - - [24/Feb/2004:14:42:21 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 336 "-" "-"
1.2.3.4 - - [24/Feb/2004:14:42:22 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 346 "-" "-"
1.2.3.4 - - [24/Feb/2004:14:42:29 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 360 "-"
These are from many--not easily traceable--locations. Obviously, these are not finding what they're looking for on my Linux box and the rest of my machines are Macs. (I suppose that my ISP would be curious about them, but I've heard that they discourage high bandwidth activities like web serving, so I'm a bit reluctant.)
I have read quite a few HOW-TOs and FAQs as well as the first part of the man page about iptables and have been adding the offending IP addresses to the INPUT chain in order to DROP them, e.g.,
Code:
iptables -t filter -A INPUT -s 1.2.3.4 -j DROP
This seems to reduce the hits, except there are more and more of them.
In order to keep track of them all, I've written a bash script that removes the ones there and then adds (again) the full sorted list. To remove them, I use the line
Code:
iptables -t filter -D INPUT -s 1.2.3.4 -j DROP
using the same line, substituting -D for delete, as suggested.
Now, when I run it, iptables returns an error "Invalid target name. DROP".
So what did I do wrong that DROP is no longer an option? Am I on the right track here? I'm thankful for any pointers. I would prefer to know what I'm doing rather than just dump someone's expert script into my box. I suppose I could just reject everything except my LAN, but sometimes I would like to show someone something from here.
Bucky
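The request strings in the log above (/scripts/root.exe, /MSADC/root.exe, /c/winnt/system32/cmd.exe, the ..%255c.. traversal) are the IIS probes the Nimda worm sends to every address it scans; against Apache they only ever produce 404s, so the DROP rules are housekeeping rather than protection. The script below is an added example, not the poster's script and not part of the original thread. It builds the sorted IP list from the access log and loads it into a dedicated iptables chain: the chain is flushed and refilled on every run, so no per-address "-D" is needed and the delete problem goes away. The sample log lines are constructed for the demo, the chain name BLOCKLIST and the log format (Combined Log Format, client IP in field 1) are assumptions, and the generated iptables commands are printed rather than executed so they can be reviewed first.

```bash
#!/bin/sh
# Added example: build a DROP list from Apache access_log entries and load it
# into a dedicated iptables chain. Not the original poster's script.
# Assumptions: Combined Log Format (client IP is field 1); the probes of
# interest are the cmd.exe / root.exe requests; chain name BLOCKLIST.
# The sample log below is constructed for the demo.

SAMPLE_LOG='1.2.3.4 - - [24/Feb/2004:14:42:21 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 338 "-" "-"
1.2.3.4 - - [24/Feb/2004:14:42:22 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 346 "-" "-"
10.9.8.7 - - [24/Feb/2004:15:01:02 -0700] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
5.6.7.8 - - [24/Feb/2004:15:10:44 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 360 "-" "-"
5.6.7.8 - - [24/Feb/2004:15:10:45 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 336 "-" "-"'

# Print the unique source IPs of probe requests, sorted, one per line.
# Reads log lines on stdin. Only requests whose path contains cmd.exe or
# root.exe count; ordinary traffic (the 10.9.8.7 line above) is ignored.
extract_probe_ips() {
    grep -E 'GET /[^ ]*(cmd\.exe|root\.exe)' |
        awk '{ print $1 }' |
        sort -u
}

# Emit the iptables commands that (re)load the BLOCKLIST chain.
# Reads IPs on stdin, prints commands on stdout so they can be reviewed
# and then piped to sh. Flush-and-refill replaces the whole list each run,
# so re-running is harmless and no rule ever has to be matched with -D.
gen_block_rules() {
    # -N fails if the chain already exists; that is fine on a re-run.
    echo 'iptables -t filter -N BLOCKLIST 2>/dev/null || true'
    echo 'iptables -t filter -F BLOCKLIST'
    while read -r ip; do
        [ -n "$ip" ] || continue
        echo "iptables -t filter -A BLOCKLIST -s $ip -j DROP"
    done
    # One jump from INPUT into the chain. Delete-then-insert guarantees
    # exactly one copy of the jump rule no matter how often this runs.
    echo 'iptables -t filter -D INPUT -j BLOCKLIST 2>/dev/null || true'
    echo 'iptables -t filter -I INPUT 1 -j BLOCKLIST'
}

# Demo run on the constructed log. For the real log:
#   extract_probe_ips < /var/log/httpd/access_log | gen_block_rules | sh
printf '%s\n' "$SAMPLE_LOG" | extract_probe_ips | gen_block_rules
```

Two things worth checking against the original approach. First, "iptables -D" only removes a rule whose specification matches exactly, target included, and "Invalid target name" means the string after -j was not recognised as a target or chain; if the script builds that argument from a variable or a file, confirm it really is the bare word DROP (no trailing carriage return or stray character). Second, inserting the jump at position 1 of INPUT puts the blocklist ahead of any ESTABLISHED/RELATED accept rule, which is what you want for a pure source-address drop; if the firewall already has an accept rule for the LAN that should win, insert the jump after it instead.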