Iptables, bastille, ISPConfig setup


papokergod
23rd January 2009, 17:28
I have a Fedora 10 server setup using the perfect setup, and have a few questions. (disabled Linux firewall/SELinux)

I have added a rule " iptables -I INPUT -s 198.186.193.54 -j DROP " to block an undesirable bot/spider, since mod_security "spams" my logs because it blocks it due to no header reply, browser version etc.

However, upon its return, usually once a day, iptables does not seem to "ghost" my server, as mod_security still sees it and returns the 403 error to the bot.

If it helps:

running the command " ps -ef | grep iptables " returns:

root 8200 7827 0 09:51 pts/0 00:00:00 grep iptables

running the command " iptables -L INPUT " returns:

Chain INPUT (policy DROP)
target prot opt source destination
DROP all -- ashburn.notadot.com anywhere
DROP tcp -- anywhere loopback/8
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
DROP all -- BASE-ADDRESS.MCAST.NET/4 anywhere
PUB_IN all -- anywhere anywhere
PUB_IN all -- anywhere anywhere
PUB_IN all -- anywhere anywhere
PUB_IN all -- anywhere anywhere
DROP all -- anywhere anywhere


It seems that once I have restarted the firewall through ISPConfig, the command " iptables -L INPUT " returns:

Chain INPUT (policy DROP)
target prot opt source destination
DROP tcp -- anywhere loopback/8
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
DROP all -- BASE-ADDRESS.MCAST.NET/4 anywhere
PUB_IN all -- anywhere anywhere
PUB_IN all -- anywhere anywhere
PUB_IN all -- anywhere anywhere
PUB_IN all -- anywhere anywhere
DROP all -- anywhere anywhere


Notice that the line " DROP all -- ashburn.notadot.com anywhere " is removed, losing my iptables rule and allowing notadot back in.

Thanks for the help in advance.
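As an added example (not from the thread, ISPConfig or Bastille): a small shell check that reads the text of " iptables -L INPUT " as posted above and reports whether the DROP for a host is present and ordered before the chain's catch-all ACCEPT. The three chain listings are constructed from the output above; the third, with the DROP appended at the bottom, is assumed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): judge from the text of `iptables -L INPUT`
# whether a DROP for a host is actually in effect. iptables stops at the first
# matching rule, so a DROP that sits below "ACCEPT all -- anywhere anywhere"
# (e.g. appended with -A instead of inserted with -I) never fires.

# Constructed sample: the chain as posted before the ISPConfig firewall restart.
BEFORE_RESTART='Chain INPUT (policy DROP)
target prot opt source destination
DROP all -- ashburn.notadot.com anywhere
DROP tcp -- anywhere loopback/8
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
DROP all -- BASE-ADDRESS.MCAST.NET/4 anywhere
PUB_IN all -- anywhere anywhere
DROP all -- anywhere anywhere'

# Constructed sample: after the restart, the hand-added rule is gone.
AFTER_RESTART='Chain INPUT (policy DROP)
target prot opt source destination
DROP tcp -- anywhere loopback/8
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
DROP all -- BASE-ADDRESS.MCAST.NET/4 anywhere
PUB_IN all -- anywhere anywhere
DROP all -- anywhere anywhere'

# Constructed (hypothetical) sample: the DROP re-added with -A lands below the catch-all ACCEPT.
APPENDED='Chain INPUT (policy DROP)
target prot opt source destination
DROP tcp -- anywhere loopback/8
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
DROP all -- BASE-ADDRESS.MCAST.NET/4 anywhere
PUB_IN all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- ashburn.notadot.com anywhere'

# host_is_dropped LISTING HOST -> prints blocked | shadowed | missing;
# exit status 0 only when the host is really blocked.
host_is_dropped() {
    printf '%s\n' "$1" | awk -v host="$2" '
        NR <= 2 { next }                               # chain header lines
        # an ACCEPT with only "anywhere anywhere" and no further match fields catches everything
        $1 == "ACCEPT" && NF == 5 && $4 == "anywhere" && $5 == "anywhere" { accept_all = 1 }
        $1 == "DROP" && $4 == host && !found { found = 1; verdict = accept_all ? "shadowed" : "blocked" }
        END { if (!found) verdict = "missing"; print verdict; exit (verdict == "blocked" ? 0 : 1) }
    '
}
```

Run the function against a live " iptables -L INPUT " capture after every firewall restart to confirm the block survived.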

till
23rd January 2009, 23:52
Instead of using the iptables command, which conflicts with the firewall rules, you had better use the route command to block the IP:

/sbin/route add -host 198.186.193.54 reject

papokergod
24th January 2009, 00:50
Thanks, I will try that instead. This will return a "server not found", correct? Also, I would have to add that line to the rc.local file so it stays after a reboot?

falko
24th January 2009, 14:10
This will return a server not found correct?

I don't remember the correct message, but yes, it's something like that.

Also I would have to add that line to the rc.local file so it stays after a reboot?

Yes.

papokergod
25th January 2009, 14:32
For some reason mod_security is still seeing this IP, and it's not getting the server not found.

[Sun Jan 25 00:17:29 2009] [error] [client 198.186.193.54] ModSecurity: Warning. Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required. [file "/etc/httpd/modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf"] [line "41"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"] [hostname "www.xxxxxx.com"] [uri "/"] [unique_id "SXv16X8AAAEAAAlrLuIAAAAG"]
[Sun Jan 25 00:17:29 2009] [error] [client 198.186.193.54] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/httpd/modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf"] [line "48"] [id "960009"] [msg "Request Missing a User Agent Header"] [severity "WARNING"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"] [hostname "www.xxxxxx.com"] [uri "/"] [unique_id "SXv16X8AAAEAAAlrLuIAAAAG"]

falko
26th January 2009, 13:44
What's the output of route -nee?

papokergod
26th January 2009, 15:56
Segmentation fault

till
27th January 2009, 12:08
Is this a physical server or vserver?

papokergod
27th January 2009, 15:09
Fedora 10 server setup using the perfect setup, physical server

falko
27th January 2009, 19:31
Segmentation fault

Do you still see this after a reboot (without the route command in rc.local)?

papokergod
27th January 2009, 20:09
Same error with the route command in rc.local.

rc.local file:

#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

touch /var/lock/subsys/local
/sbin/route add -host 198.186.193.54 reject

falko
28th January 2009, 19:13
And without the route command in rc.local?

papokergod
28th January 2009, 19:34
Sorry, I misunderstood. After removing the line from rc.local, rebooting and running the command route -nee,

I still have the Segmentation fault.

After running the command from PuTTY, I ran it directly on the server; here is more info:

route[2619]:segfault at b07f6678 ip 007d6dd7 sp bfae5808 error 6 in ld-2.9.so[7d4000+20000]

falko
29th January 2009, 20:00
That's strange. Seems as if something's wrong with the installation. If this is an empty system, I'd set it up from scratch again.

papokergod
30th January 2009, 18:08
That's strange. Seems as if something's wrong with the installation. IF this is an empty system, I'd set it up from scratch again.

Not really an option. I have reinstalled iproute and glibc, did a yum update, and still get the same error.

Could this be a compatibility issue with the eth0 driver?

falko
31st January 2009, 14:47
Segmentation faults can be caused by hardware errors, so that's possible. You can try to replace the NIC with another one.

papokergod
31st January 2009, 16:50
Just so I understand this (which I think I do), segmentation faults are the Windows equivalent of the BSOD, right?

falko
1st February 2009, 14:31
Not really - the rest of the system is still working.