Is IPtables not working?? BruteForce on 80
Guys!!
I'm experiencing severe BruteForce attack from the IP 92.48.127.153 on my port 80 for http. I have set the iptables as follows...
Code:
iptables -A INPUT -i eth0 -s 92.48.127.153 -j REJECT
Code:
service iptables save
Code:
0 0 REJECT all -- eth0 * 92.48.127.153 0.0.0.0/0 reject-with icmp-port-unreachable
|
use -j DROP instead
|
did so... nothing... still the guy can access... i can see the httpd logs realtime...
|
this is current..
0 0 DROP all -- eth0 * 92.48.127.153 202.53.171.50
but nothing... he still accessing... all i now can do is just unplug the cable...
|
please post the output of
ifconfig -eth0
you might have your input/output src/dst mixed up.
|
ifconfig -eth0
eth0      Link encap:Ethernet  HWaddr 00:50:BF:9C:ED:B7
          inet addr:202.53.171.50  Bcast:202.53.171.55  Mask:255.255.255.248
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:564 errors:0 dropped:0 overruns:0 frame:0
          TX packets:512 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          Interrupt:3 Base address:0x1c00

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:61 errors:0 dropped:0 overruns:0 frame:0
          TX packets:61 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
|
iptables -nL
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW multiport dports 80,443,21,30
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state NEW icmp type 8
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  10.0.0.0/8           0.0.0.0/0
DROP       all  --  172.16.0.0/12        0.0.0.0/0
DROP       all  --  192.168.0.0/16       0.0.0.0/0
DROP       all  --  220.177.248.174      0.0.0.0/0
DROP       all  --  222.92.117.19        0.0.0.0/0
DROP       all  --  92.48.127.153        202.53.171.50

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW multiport dports 25,80,443,21,30
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state NEW icmp type 8
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
==============================
iptables -A INPUT -i eth0 -d 202.53.171.50 -s 92.48.127.153 -j DROP
was used
|
Your default input policy is drop, but you have an accept everything in there:
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 |
you can kill it with fire by finding the line number and deleting the rule
iptables -nL --line-numbers
and
iptables -D INPUT <rule number>
|
further, with a default policy of drop, those drop rules are useless and can be deleted.
might want to check out your drop chain as well. |
did not understand...
iptables -nL
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW multiport dports 80,443,21,30
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state NEW icmp type 8
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  10.0.0.0/8           0.0.0.0/0
DROP       all  --  172.16.0.0/12        0.0.0.0/0
DROP       all  --  192.168.0.0/16       0.0.0.0/0
DROP       all  --  220.177.248.174      0.0.0.0/0
DROP       all  --  222.92.117.19        0.0.0.0/0
DROP       all  --  92.48.127.153        202.53.171.50

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW multiport dports 25,80,443,21,30
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state NEW icmp type 8
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
====================================
Now how to work line-numbers?? I already have made a reboot after the iptables rules. I think the firewall is not working as it was supposed to work...
|
iptables -nL
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW multiport dports 80,443,21,30
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state NEW icmp type 8
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  10.0.0.0/8           0.0.0.0/0
DROP       all  --  172.16.0.0/12        0.0.0.0/0
DROP       all  --  192.168.0.0/16       0.0.0.0/0
DROP       all  --  220.177.248.174      0.0.0.0/0
DROP       all  --  222.92.117.19        0.0.0.0/0
DROP       all  --  92.48.127.153        202.53.171.50

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
============================================
Now what?? Actually i think its not working or may b understanding prob....

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW multiport dports 25,80,443,21,30
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state NEW icmp type 8
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
|
iptables -nL
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW multiport dports 80,443,21,30
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state NEW icmp type 8
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  10.0.0.0/8           0.0.0.0/0
DROP       all  --  172.16.0.0/12        0.0.0.0/0
DROP       all  --  192.168.0.0/16       0.0.0.0/0
DROP       all  --  220.177.248.174      0.0.0.0/0
DROP       all  --  222.92.117.19        0.0.0.0/0
DROP       all  --  92.48.127.153        202.53.171.50

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
============================================
Now what?? Actually i think its not working or may b understanding prob....
|
your drop statements are never firing because of the last "ACCEPT all -- 0.0.0.0/0 0.0.0.0/0". That allows everything regardless of protocol, address or state. you basically don't have a firewall at this point. Delete that line and you're good to go.
If you post your rules using "--line-numbers" I'll tell you exactly which one to get rid of... |
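
The first-match behaviour discussed in this thread, as an added example (not code from any poster): a small Python model of the INPUT chain as listed above, evaluated for a constructed new TCP connection to port 80 from 92.48.127.153. It models only the protocol, source, destination, state and destination-port matches visible in `iptables -nL` output, and assumes the bare `ACCEPT all` rule has no interface restriction (plain `-nL` does not print the interface columns).

```python
import ipaddress

# INPUT chain as listed in the thread (`iptables -nL` format, policy DROP).
INPUT_CHAIN = """\
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW multiport dports 80,443,21,30
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state NEW icmp type 8
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 10.0.0.0/8 0.0.0.0/0
DROP all -- 172.16.0.0/12 0.0.0.0/0
DROP all -- 192.168.0.0/16 0.0.0.0/0
DROP all -- 220.177.248.174 0.0.0.0/0
DROP all -- 222.92.117.19 0.0.0.0/0
DROP all -- 92.48.127.153 202.53.171.50
""".splitlines()

def parse(line):
    """Turn one listing line into a rule dict (state/dport matches only)."""
    target, proto, _opt, src, dst, *extra = line.split()
    rule = {"target": target, "proto": proto,
            "src": ipaddress.ip_network(src), "dst": ipaddress.ip_network(dst)}
    for i, tok in enumerate(extra):
        if tok == "state":
            rule["states"] = set(extra[i + 1].split(","))
        elif tok == "dports":
            rule["dports"] = {int(p) for p in extra[i + 1].split(",")}
        elif tok.startswith("dpt:"):
            rule["dports"] = {int(tok[4:])}
    return rule

def matches(rule, pkt):
    # A criterion the rule does not specify matches any packet.
    return (rule["proto"] in ("all", pkt["proto"])
            and ipaddress.ip_address(pkt["src"]) in rule["src"]
            and ipaddress.ip_address(pkt["dst"]) in rule["dst"]
            and pkt["state"] in rule.get("states", {pkt["state"]})
            and pkt["dport"] in rule.get("dports", {pkt["dport"]}))

def verdict(lines, pkt, policy="DROP"):
    """Return (rule number, target) of the first match, or (0, policy)."""
    for num, rule in enumerate(map(parse, lines), 1):
        if matches(rule, pkt):
            return num, rule["target"]
    return 0, policy

# Constructed packet: first SYN of an HTTP request from the blocked address.
SYN = {"proto": "tcp", "src": "92.48.127.153", "dst": "202.53.171.50",
       "state": "NEW", "dport": 80}
TOP = [INPUT_CHAIN[-1]] + INPUT_CHAIN[:-1]   # block rule moved to position 1
print(verdict(INPUT_CHAIN, SYN), verdict(TOP, SYN))
```

In this model the port-80 ACCEPT at position 3 also precedes the appended DROP, so the block rule only takes effect once it sits above that rule (for instance inserted with `iptables -I INPUT 1 ...` rather than appended with `-A`).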