LinuxQuestions.org
Old 11-13-2001, 02:41 AM   #1
steppin_razor
LQ Newbie
 
Registered: Nov 2001
Posts: 29

Rep: Reputation: 15
Question Can iptables be configured to reject web requests based on content?


I am running IIS behind an IPtables firewall. I will eventually take a closer look at replacing this with Apache/ASP, but in the meantime, the IIS server is going to be there.

I keep my IIS patched up, but I'd love to be able to configure the firewall to reject HTTP requests that are suspicious (i.e. with things that look like buffer overloads, ..\..\s, cmd.exe, and other suspicious elements).

Any suggestions?

It would be cool if I could do this just within iptables, but I have no idea if this is even possible.

If it isn't, one thought I had was to set up Apache on the firewall and then have it be a reverse-proxy to the IIS box and have a mod_perl application look at and make decisions about the HTTP request before passing it along. Perhaps I could even then have the PERL script execute some iptables command to block traffic from the host until the next bounce or something like that.

What do you guys think?
 
Old 11-13-2001, 02:54 AM   #2
lsof
Member
 
Registered: Oct 2001
Distribution: red hat 7
Posts: 58

Rep: Reputation: 15
u may want 2 look at this:

http://www.eeye.com/html/Products/SecureIIS/index.html

sorry i can't recommend ne thing with iptables. i am still learning the new concepts.
 
Old 11-13-2001, 11:17 AM   #3
steppin_razor
LQ Newbie
 
Registered: Nov 2001
Posts: 29

Original Poster
Rep: Reputation: 15
Interesting..

Not exactly the "opensource" alternative I was hoping for, but potentially a viable commercial possibility. Thanks a lot. Have you had any experience with this product BTW?
 
Old 11-13-2001, 11:37 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
I'm sure netfilter/iptables can do content filtering, I'm just not up to that yet (I know, I know, I'm stalling :-] ).

When I'm thinking of simple content filtering my first suggestion would be to look into Snort, it's actively maintained, the rulesets are updated frequently (writing your own is easy), and even tho it can't do active blocking itself, there are a host of free Snort contrib apps that can take care of that.
 
Old 11-13-2001, 07:17 PM   #5
lsof
Member
 
Registered: Oct 2001
Distribution: red hat 7
Posts: 58

Rep: Reputation: 15
Re: Interesting..

Quote:
Originally posted by steppin_razor
Not exactly the "opensource" alternative I was hoping for, but potentially a viable commercial possibility. Thanks a lot. Have you had any experience with this product BTW?
i was also going to mention snort (as i am not aware of how2 accomplish this with iptables). however secureiis came 2 mind as a quick, effective solution (albeit commercial) for what u wanted 2 achieve.

as 4 experience with this product?
yes, it's good. i evaluated it when code red was in full effect. it works well with other sorts of attacks and does what it says it will do with a minimum of fuss.

fortunately in my circumstance, i did not have any restrictions with migrating iis 2 apache which is what we were going 2 do ne way.
 
Old 11-14-2001, 03:40 PM   #6
steppin_razor
LQ Newbie
 
Registered: Nov 2001
Posts: 29

Original Poster
Rep: Reputation: 15
Snort...

I installed Snort and sure enough started receiving warnings of attempted breakins due to code red. I opened up one of the URLs in Mozilla and then received a warning that the site was trying to send me the virus payload via the .eml file.

Nice product!

I'd like to set up my Snort so that it fires off rules to iptables to block "naughty" IPs...

Any suggestions or should I just build a PERL script that monitors the /var/log/snort/alert file?
 
Old 11-14-2001, 03:50 PM   #7
lsof
Member
 
Registered: Oct 2001
Distribution: red hat 7
Posts: 58

Rep: Reputation: 15
Re: Snort...

Quote:
Originally posted by steppin_razor
I'd like to set up my Snort so that it fires off rules to iptables to block "naughty" IPs...

Any suggestions or should I just build a PERL script that monitors the /var/log/snort/alert file?
there is a contrib tool 2 snort called guardian. there is also a caution about using this tool in conjunction in the snort faq.

another very useful tool 2 look at when auto blocking is portsentry. on a tangent, but have a look @ it ne way.

http://www.psionic.com/abacus/portsentry

hth

btw: the .eml file is from nimda

Last edited by lsof; 11-14-2001 at 03:53 PM.
 
Old 11-15-2001, 12:08 PM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
A lite warning is in place, me thinks...

Just don't confuse Snort with Portsentry.

Portsentry's functionality is to bind to ports (in non-stealth mode) and *only* watch for activity, so *no* payload checking there. This can cause many false positives. (Like nmap in decoy mode). Actually, if you use it to add rules to your firewall, and don't filter for needed/bogus address(ranges), duplicates, etc, etc your fw ruleset and portsentry log can be flooded. The only threshold Portsentry allows for is per-IP addy in its deny table. Besides that, Portsentry isn't maintained actively (anymore).
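
Added example, not part of any post in this thread: a shell sketch of the alert-file approach asked about in post #6, with the filtering post #8 says is needed (never-block addresses, de-duplication, a per-source threshold). The alert lines, addresses, allowlist and threshold are constructed, and the one-line "fast" alert format and the FORWARD chain are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Prints iptables commands for sources
# seen in Snort alerts; it does not apply them.

ALLOWLIST="192.0.2.1 198.51.100.7"  # assumed: hosts that must never be blocked
THRESHOLD=2                         # assumed: alerts needed before blocking

# Constructed alerts in the assumed one-line "fast" format (documentation IPs).
sample_alerts() {
cat <<'EOF'
11/14-15:40:12.100000  [**] [1:1000001:1] WEB cmd.exe access [**] [Priority: 1] {TCP} 203.0.113.5:1045 -> 192.0.2.10:80
11/14-15:40:13.200000  [**] [1:1000002:1] WEB directory traversal [**] [Priority: 1] {TCP} 203.0.113.5:1046 -> 192.0.2.10:80
11/14-15:41:01.000000  [**] [1:1000001:1] WEB cmd.exe access [**] [Priority: 1] {TCP} 203.0.113.20:2200 -> 192.0.2.10:80
11/14-15:41:02.000000  [**] [1:1000001:1] WEB cmd.exe access [**] [Priority: 1] {TCP} 203.0.113.20:2201 -> 192.0.2.10:80
11/14-15:41:03.000000  [**] [1:1000001:1] WEB cmd.exe access [**] [Priority: 1] {TCP} 203.0.113.20:2202 -> 192.0.2.10:80
11/14-15:42:10.000000  [**] [1:1000001:1] WEB cmd.exe access [**] [Priority: 1] {TCP} 198.51.100.7:3000 -> 192.0.2.10:80
11/14-15:42:11.000000  [**] [1:1000001:1] WEB cmd.exe access [**] [Priority: 1] {TCP} 198.51.100.7:3001 -> 192.0.2.10:80
11/14-15:43:30.000000  [**] [1:1000002:1] WEB directory traversal [**] [Priority: 1] {TCP} 203.0.113.99:4000 -> 192.0.2.10:80
EOF
}

# Read alerts on stdin; print each source that reached THRESHOLD, once.
candidate_ips() {
    awk -v min="$THRESHOLD" -v allow="$ALLOWLIST" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        {
            for (i = 2; i <= NF; i++) {
                if ($i != "->") continue
                src = $(i - 1)
                sub(/:[0-9]+$/, "", src)          # drop the source port
                # Only a dotted quad may reach the command line below.
                if (src !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) continue
                if (!(src in skip)) hits[src]++
            }
        }
        END { for (ip in hits) if (hits[ip] >= min) print ip }
    ' | LC_ALL=C sort
}

# Turn the candidate list into one DROP rule per source for web traffic.
block_commands() {
    candidate_ips | while read -r ip; do
        echo "iptables -I FORWARD -s $ip -p tcp --dport 80 -j DROP"
    done
}

sample_alerts | block_commands
```

On the sample, the allowlisted host and the single-alert source produce no rule, and the source with three alerts produces exactly one.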
 
Old 11-15-2001, 04:15 PM   #9
steppin_razor
LQ Newbie
 
Registered: Nov 2001
Posts: 29

Original Poster
Rep: Reputation: 15
Some of what I have found...

I've found some other tools that are supposed to help.

Smack, Block-It, PigMeat are all PERL scripts that I believe are based upon Guardian that attempt to create iptables rules based upon snort and iptables logs. I'm in the process of trying to play with Smack to see if I can get it to work for me.

I found a GUI tool called razorback that is supposed to show snort alerts as they happen, but haven't gotten it working.

I'm using SnortSnarf to make daily reports.

I haven't figured out a good system for rolling over the Snort logs / archiving the SnortSnarf reports..
 
Old 11-16-2001, 08:31 AM   #10
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

Rep: Reputation: 31
Answering the original question, can you filter incoming web connections for content.

Iptables is one of the first stateful firewalls for the Linux 2.4
So it's very good for remembering incoming connection from a flag state point of view.

It does do content filtering, but from my knowledge only from the DNAT proxy side of things, this means you can filter out where connections go and content filter dubious requests.

I don't think it will do what you're looking for on inbound web connections.

The guys have made some other good suggestions on what works hand in hand with the firewall.

/Raz
 
Old 11-29-2001, 12:49 PM   #11
phek
Member
 
Registered: Jul 2001
Location: California, US
Distribution: Slackware
Posts: 196

Rep: Reputation: 30
i'm a little late on a reply but i'm sure lots of people can get some use out of it...
netfilter/iptables does do content filtering based on string, though it's still in the experimental stages. the module is called ipt_string and is very powerful and from what i hear is fairly stable. A WARNING though, i attempted to install it myself and completely f'd up my kernel and, since i forgot to make a backup of the kernel tree (though i'm not sure if even that would have helped) i had to completely reinstall slackware to get my iptables working again. MAKE SURE YOU BACK UP YOUR KERNEL SOURCE TREE!

Now that being said, you need to update to at least iptables 1.2.3, though 1.2.4 is out now so you may want that instead. You can get em at the netfilter homepage. You also need at least kernel 2.4.9. Now you should find a good guide on how to use the patch-o-matic but i'll give you my understanding of it.

Untar iptables
make pending-patches KERNEL_DIR=<kernel source dir>
###this will bring you to a script that looks for patches which
###you don't already have installed and ask if you want to install them
make KERNEL_DIR=<kernel source dir>
make patch-o-matic KERNEL_DIR=<kernel source dir>
###now here is where you can enable STRING MATCH, go through
###the script of experimental patches and i would suggest saying
###no to ALL of them except for the STRING MATCH (ipt_string)
###module
now you need to recompile your kernel and enable Networking Options > Netfilter somethingorother > STRING MATCH
and now finish recompiling your kernel and it SHOULD work.

again, i can't stress this enough, backup your kernel source tree and your kernel
tar -czvpf /linuxsourcetree.tgz /usr/src/linux

here's a link to a guide that seems to be ok for ipt_string,
http://articles.linuxguru.net/view/120
though this is the page i used and f'd up with (but about 20 things went wrong that were my fault so i'm sure the page is good)

I'll be trying again in a couple days, once i get my new box to put up as the new firewall, that way i have a spare one to mess with. So i'll let you know how it goes
 
  

