LinuxQuestions.org
Old 05-21-2010, 01:10 AM   #1
joemon83
Member
 
Registered: Jan 2009
Posts: 71

Rep: Reputation: 11
Block Outgoing HTTP traffic


Hi,

I am working on a linux server. Is there any tool using which we can block outgoing http traffic based on particular keywords. For example, if we have a webpage that contains the word "creditcard", the outgoing traffic from the webserver to the end user's browser should be blocked.

Please advise...
 
Old 05-21-2010, 01:43 AM   #2
paulsm4
LQ Guru
 
Registered: Mar 2004
Distribution: SusE 8.2
Posts: 5,863
Blog Entries: 1

Rep: Reputation: Disabled
I'm not sure exactly what you mean, but it sounds like you might be looking for something like this:

Web Traffic Filters

'Hope that helps .. PSM

PS:
Here's another alternative:
http://www.howtoforge.com/perfect_li...ewall_ipcop_p2

Last edited by paulsm4; 05-21-2010 at 01:45 AM.
 
Old 05-21-2010, 02:17 AM   #3
fruttenboel
Member
 
Registered: Jul 2008
Location: Tilburg NL
Distribution: Slackware 14.2 current, kernel 3.18.11
Posts: 270

Rep: Reputation: 48
Quote:
Originally Posted by joemon83
Hi,

I am working on a linux server. Is there any tool using which we can block outgoing http traffic based on particular keywords. For example, if we have a webpage that contains the word "creditcard", the outgoing traffic from the webserver to the end user's browser should be blocked.

Please advise...
Wow, that's a nice challenge for you: just create that program. Linux comes with lots of compilers to get this job done.

What you are proposing here is censorship. It's against the nature of Linux, where we cherish the freedom for all. Perhaps you can ask how Google do these things for the totalitarian regimes they prefer to support.
If you don't want people to retrieve that kind of information from your servers, just make sure that that kind of information was not available in the first place.
 
Old 05-21-2010, 02:43 AM   #4
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by fruttenboel
Wow, that's a nice challenge for you: just create that program. Linux comes with lots of compilers to get this job done.

What you are proposing here is censorship. It's against the nature of Linux, where we cherish the freedom for all. Perhaps you can ask how Google do these things for the totalitarian regimes they prefer to support.
If you don't want people to retrieve that kind of information from your servers, just make sure that that kind of information was not available in the first place.
Taking measures against disclosure of sensitive information could hardly be described as censorship IMHO. While it's clear that nothing beats making sure the information isn't there to begin with, security works well when done in layers. As a side note, application layer solutions such as ModSecurity include these sort of features:
Quote:
ModSecurity can also monitor outbound data and identify and block information disclosure issues such as leaking detailed error messages or Social Security Numbers or Credit Card Numbers.

Last edited by win32sux; 05-21-2010 at 02:47 AM.
 
Old 05-21-2010, 02:47 AM   #5
joemon83
Member
 
Registered: Jan 2009
Posts: 71

Original Poster
Rep: Reputation: 11
ok...I guess I need to explain this.
Suppose a person has managed to upload a phishing page (e.g. for a bank) that asks users for credit card details. The phishing page has a textbox named "creditcard" (where users enter credit card details), then the server's attempt to send the page to the end user's browser should be blocked.
I hope this explains my requirement. I already have snort installed in the server. Is this of any use in my case?
 
Old 05-21-2010, 02:49 AM   #6
joemon83
Member
 
Registered: Jan 2009
Posts: 71

Original Poster
Rep: Reputation: 11
Hi win32sux,

I didn't know that mod security can be used to block outbound traffic. How can I use this in my case? May I know the rule that should be used?
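
An added example, not part of the thread and not any poster's configuration: ModSecurity 2.x directives for the outbound inspection win32sux describes, applied to the "creditcard" field from post #5. The rule ids, messages and the 512 KB body limit are constructed assumptions.

```apache
# Added example for ModSecurity 2.x (mod_security2 under Apache).
# Rule ids 100001-100002, messages and limits are constructed placeholders.
<IfModule security2_module>
    SecRuleEngine On

    # Response bodies are only inspected when buffering is switched on.
    SecResponseBodyAccess On
    # Limit inspection to textual responses; images and downloads are skipped.
    SecResponseBodyMimeType text/plain text/html
    # Buffer at most 512 KB and inspect that part instead of rejecting
    # larger responses outright.
    SecResponseBodyLimit 524288
    SecResponseBodyLimitAction ProcessPartial

    # Phase 4 runs once the response body is buffered, before it is sent.
    # Deny any page that carries an <input> whose name is "creditcard".
    SecRule RESPONSE_BODY "@rx (?i)<input\b[^>]*\bname\s*=\s*\W?creditcard\b" \
        "id:100001,phase:4,t:none,deny,status:403,log,msg:'Outbound page contains a creditcard form field'"

    # Information-disclosure case from the ModSecurity quote in post #4:
    # @verifyCC applies a Luhn check to every 13-16 digit run in the body.
    SecRule RESPONSE_BODY "@verifyCC \d{13,16}" \
        "id:100002,phase:4,t:none,deny,status:403,log,msg:'Outbound page contains a possible card number'"
</IfModule>
```

Rule 100001 matches only that exact field name, so a hit is best treated as a signal to investigate how the page got onto the server rather than as the only control.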
 
Old 05-21-2010, 10:59 AM   #7
mlnutt
Member
 
Registered: May 2006
Posts: 34

Rep: Reputation: 15
Quote:
Originally Posted by fruttenboel
What you are proposing here is censorship. It's against the nature of Linux, where we cherish the freedom for all.
Who is this "we?" Certainly not me and certainly not you. I bet your servers aren't open to the public. Why else would you be interested in a security forum? You employ censorship to keep people out. If you cherished the "freedom for all" your servers would have no security; everybody would have root access.

If more admins would monitor and restrict outgoing traffic there could be a lot less spam and illegal/fraudulent activity on the internet.

"The nature of Linux" is whatever someone can get it to do (or not do).
 
0 members found this post helpful.
Old 05-21-2010, 11:19 AM   #8
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,553

Rep: Reputation: 7946
Quote:
Originally Posted by joemon83
ok...I guess I need to explain this.
Suppose a person has managed to upload a phishing page (e.g. for a bank) that asks users for credit card details. The phishing page has a textbox named "creditcard" (where users enter credit card details), then the server's attempt to send the page to the end user's browser should be blocked.
I hope this explains my requirement. I already have snort installed in the server. Is this of any use in my case?
Snort can alert based on rules, so perhaps it can be used. However, the example is rather weak, and I hope you're not really basing security on it.

Because in what you stated, all someone would have to do, is rename that field to something else, like "Middlename" or "phone". What you call the variable is meaningless, if you have the source code. And if you're talking about what's on the form...replace the WORDS "Credit Card #", with a small image-file, SAYING those words. Same thing appears onscreen...but skates right past your filter.

To me, though, a filter like this is pointless, and will only really slow down your overall web performance. If you put good security practices in place on your server, harden it up, and make sure your server is only sending pages that YOU wrote, your problem is solved. Eliminate the holes, and the threat is eliminated too. But no matter what you do, that's not going to stop someone internally at your organization from stealing the info if they want it.
 
  

