LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 11-13-2001, 02:41 AM   #1
steppin_razor
LQ Newbie
 
Registered: Nov 2001
Posts: 29

Rep: Reputation: 15
Question Can iptables be configured to reject web requests based on content?


I am running IIS behind an IPtables firewall. I will eventually take a closer look at replacing this with Apache/ASP, but in the meantime, the IIS server is going to be there.

I keep my IIS patched up, but I'd love to be able to configure the firewall to reject HTTP requests that are suspicious (i.e. with things that look like buffer overloads, ..\..\s, cmd.exe, and other suspcious elements).

Any suggestions?

It would be cool if I could do this just within iptables, but I have no idea if this is even possible.

If it isn't, one thought I had was to set up Apache on the firewall and then have it be a reverse-proxy to the IIS box and have a mod_perl application look at and make decisions about the HTTP request before passing it along. Perhaps I could even then have the PERL script execute some iptables command to block traffic from the host until the next bounce or something like that.

What do you guys think?
 
Old 11-13-2001, 02:54 AM   #2
lsof
Member
 
Registered: Oct 2001
Distribution: red hat 7
Posts: 58

Rep: Reputation: 15
u may want 2 look at this:

http://www.eeye.com/html/Products/SecureIIS/index.html

sorry i can't recommend ne thing with iptables. i am still learning the new concepts.
 
Old 11-13-2001, 11:17 AM   #3
steppin_razor
LQ Newbie
 
Registered: Nov 2001
Posts: 29

Original Poster
Rep: Reputation: 15
Interesting..

Not exactly the "opensource" alternative I was hoping for, but potentially a viable commercial possibility. Thanks a lot. Have you had any experience with this product BTW?
 
Old 11-13-2001, 11:37 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,409
Blog Entries: 55

Rep: Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582
Im sure netfilter/iptables can do content filtering, Im just not up to that yet (I know, I know, Im stalling :-] ).

When Im thinking of simple content filtering my first suggestion would be to look into Snort, it's actively maintained, the rulesets are updated frequently (writing your own is easy), and even tho it can't do active blocking itself, there are a host of free Snort contrib apps that can take care of that.
 
Old 11-13-2001, 07:17 PM   #5
lsof
Member
 
Registered: Oct 2001
Distribution: red hat 7
Posts: 58

Rep: Reputation: 15
Re: Interesting..

Quote:
Originally posted by steppin_razor
Not exactly the "opensource" alternative I was hoping for, but potentially a viable commercial possibility. Thanks a lot. Have you had any experience with this product BTW?
i was also going to mention snort (as i am not aware of how2 accomplish this with iptables). however secureiis came 2 mind as a quick, effective solution (albeit commercial) for what u wanted 2 achieve.

as 4 experience with this product?
yes, it's good. i evaluated it when code red was in full effect. it works well with other sorts of attacks and does what it says it will do with a minimum of fuss.

fortunately in my circumstance, i did not have any restrictions with migrating iis 2 apache which is what we were going 2 do ne way.
 
Old 11-14-2001, 03:40 PM   #6
steppin_razor
LQ Newbie
 
Registered: Nov 2001
Posts: 29

Original Poster
Rep: Reputation: 15
Snort...

I installed Snort and sure enough started receiving warnings of attempted breakins due to code red. I opened up one of the URLs in Mozilla and then received a warning that the site was trying to send me the virus payload via the .eml file.

Nice product!

I'd like to set up my Snort so that it fires off rules to iptables to block "naughty" IPs...

Any suggestions or should I just build a PERL script that monitors the /var/log/snort/alert file?
 
Old 11-14-2001, 03:50 PM   #7
lsof
Member
 
Registered: Oct 2001
Distribution: red hat 7
Posts: 58

Rep: Reputation: 15
Re: Snort...

Quote:
Originally posted by steppin_razor
I'd like to set up my Snort so that it fires off rules to iptables to block "naughty" IPs...

Any suggestions or should I just build a PERL script that monitors the /var/log/snort/alert file?
there is a contrib tool 2 snort called guardian. there is also a caution about using this tool in conjunction in the snort faq.

another very useful tool 2 look at when auto blocking is portsentry. on a tangent, but have a look @ it ne way.

http://www.psionic.com/abacus/portsentry

hth

btw: the .eml file is from nimda

Last edited by lsof; 11-14-2001 at 03:53 PM.
 
Old 11-15-2001, 12:08 PM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,409
Blog Entries: 55

Rep: Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582
A lite warning is in place, me thinks...

Just don't confuse Snort with Portsentry.

Portsentry's functionality is to bind to ports (in non-stealth mode) and *only* watch for activity, so *no* payload checking there. This can cause many false positives. (Like nmap in decoy mode). Actually, if you use it to add rules to your firewall, and don't filter for needed/bogus address(ranges), duplicates, etc, etc your fw ruleset and portsentry log can be flooded. The only threshold Portsentry allows for is per-IP addy in it's deny table. Besides that, Portsentry isn't maintained actively (anymore).
 
Old 11-15-2001, 04:15 PM   #9
steppin_razor
LQ Newbie
 
Registered: Nov 2001
Posts: 29

Original Poster
Rep: Reputation: 15
Some of what I have found...

I've found some other tools that are supposed to help.

Smack, Block-It, PigMeat are all PERL scripts that I beleive are based upon Guardian that attempt to create iptables rules based upon snort and iptables logs. I'm in the process of trying to play with Smack to see if I can get it to work for me.

I found a GUI tool called razorback that is supposed to show snort alerts as they happen, but haven't gotten it working.

I'm using SnortSnarf to make daily reports.

I haven't figured out a good system for rolling over the Snort logs / archiving the snortsnarg reports..
 
Old 11-16-2001, 08:31 AM   #10
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

Rep: Reputation: 31
Answering the original question, can you filter incoming web connections for content.

Iptables is one of the first stateful firewalls for the Linux 2.4
So it's very good for remembering incoming connection from a flag state point of view.

It does do content filtering, but from my knowledge only from the DNAT proxy side of things, this mean you can filter out where connections go and content filter dubious requests.

I don't think it will do what your looking for on inbound web connections.

The guys have made some other good suggestion on what works hand in hand with the firewall.

/Raz
 
Old 11-29-2001, 12:49 PM   #11
phek
Member
 
Registered: Jul 2001
Location: California, US
Distribution: Slackware
Posts: 196

Rep: Reputation: 30
i'm a little late on a reply but i'm sure lots of people can get some use out of it...
netfilter/iptables does do content filtering based on string though, its still in the experimental stages. the module is called ipt_string and is very powerful and from what i hear is fairly stable. A WARNING though, i attempted to install it myself and completly f'd up my kernel and, since i forgot to make a backup of the kernel tree (though i'm not sure if even that would have helped) i had to completly reinstall slackware to get my iptables working again. MAKE SURE YOU BACK UP YOUR KERNEL SOURCE TREE!

Now that being said, you need to update to at least iptables 1.2.3, though 1.2.4 is out now so you may want that instead. You can get em at the netfilter homepage. You also need at least kernel 2.4.9. Now you should find a good guide on how to use the patch-o-matic but i'll give you my understanding of it.

Untar iptables
make pending-patches KERNEL_DIR=<kernel source dir>
###this will bring you you to a script that looks for patches which
###you don't already have installed and ask if you want to install them
make KERNEL_DIR=<kernel source dir>
make patch-o-matic KERNEL_DIR=<kernel source dir>
###now here is where you can enable STRING MATCH, go through
###the script of experimental patches and i would suggest saying
###no to ALL of them except for the STRING MATCH (ipt_string)
###module
now you need to recompile your kernel and enable Networking Options > Netfilter somethingorother > STRING MATCH
and now finish recompiling your kernel and it SHOULD work.

again, i can't stress this enough, backup your kernel source tree and your kernel
tar -cvpf /usr/src/linux /linuxsourcetree.tgz

here's a link to a guide that seems to be ok for ipt_string,
http://articles.linuxguru.net/view/120
though this is the page i used and f'd up with (but about 20 things went wrong that were my fault so i'm sure the page is good)

I'll be trying again in a couple days, once i get my new box to put up as the new firewall, taht way i have a spare one to mess with. So i'll let you know how it goes
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Remove files based on content stefaandk Linux - General 2 08-13-2005 08:03 AM
any web based configuration for IPtables? ah_man04 Linux - Networking 1 04-16-2005 03:26 PM
Need Help In Building a Web-based Firewall Configuration Tool for Linux(RH9-iptables) eason Linux - General 1 02-21-2004 05:34 PM
Multi ip adress to reject with iptables exalik Linux - General 1 10-01-2003 07:04 PM
Finding files based on content benjaminrtz Linux - General 2 08-04-2002 11:01 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 09:28 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration