HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

Thread: Iptables, bastille, ISPConfig setup (http://www.howtoforge.com/forums/showthread.php?t=30556)

papokergod 23rd January 2009 17:28

Iptables, bastille, ISPConfig setup
 
I have a Fedora 10 server setup using the perfect setup, and have a few questions. (disabled Linux firewall/SELinux)

I have added a rule "iptables -I INPUT -s 198.186.193.54 -j DROP" to block an undesirable bot/spider, since mod_security "spams" my logs when it blocks it due to no header reply, browser version etc.

However, upon its return (usually once a day), iptables does not seem to "ghost" my server, as mod_security still sees it and returns the 403 error to the bot.

If it helps, running the command "ps -ef | grep iptables" returns
Code:

root      8200  7827  0 09:51 pts/0    00:00:00 grep iptables

running the command " iptables -L INPUT " returns
Code:

Chain INPUT (policy DROP)
target    prot opt source              destination
DROP      all  --  ashburn.notadot.com  anywhere
DROP      tcp  --  anywhere            loopback/8
ACCEPT    all  --  anywhere            anywhere            state RELATED,ESTABLISHED
ACCEPT    all  --  anywhere            anywhere
DROP      all  --  BASE-ADDRESS.MCAST.NET/4  anywhere
PUB_IN    all  --  anywhere            anywhere
PUB_IN    all  --  anywhere            anywhere
PUB_IN    all  --  anywhere            anywhere
PUB_IN    all  --  anywhere            anywhere
DROP      all  --  anywhere            anywhere

It seems once I have restarted the firewall through ISPConfig, the command "iptables -L INPUT" returns
Code:

Chain INPUT (policy DROP)
target    prot opt source              destination
DROP      tcp  --  anywhere            loopback/8
ACCEPT    all  --  anywhere            anywhere            state RELATED,ESTABLISHED
ACCEPT    all  --  anywhere            anywhere
DROP      all  --  BASE-ADDRESS.MCAST.NET/4  anywhere
PUB_IN    all  --  anywhere            anywhere
PUB_IN    all  --  anywhere            anywhere
PUB_IN    all  --  anywhere            anywhere
PUB_IN    all  --  anywhere            anywhere
DROP      all  --  anywhere            anywhere

Notice that the line "DROP all -- ashburn.notadot.com anywhere" is removed, losing my iptables rule and allowing notadot back in.

Thanks for the help in advance.

till 23rd January 2009 23:52

Instead of using the iptables command, which conflicts with the firewall rules, you'd better use the route command to block the IP:

Code:

/sbin/route add -host 198.186.193.54 reject

papokergod 24th January 2009 00:50

Thanks, I will try that instead. This will return a "server not found", correct? Also, I would have to add that line to the rc.local file so it stays after a reboot?

falko 24th January 2009 14:10

Quote:

Originally Posted by papokergod (Post 165972)
This will return a server not found correct?

I don't remember the correct message, but yes, it's something like that.

Quote:

Originally Posted by papokergod (Post 165972)
Also I would have to add that line to the rc.local file so it stays after a reboot?

Yes.

papokergod 25th January 2009 14:32

For some reason mod_security is still seeing this IP, and it's not getting the "server not found".

Code:

[Sun Jan 25 00:17:29 2009] [error] [client 198.186.193.54] ModSecurity: Warning. Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required. [file "/etc/httpd/modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf"] [line "41"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"] [hostname "www.xxxxxx.com"] [uri "/"] [unique_id "SXv16X8AAAEAAAlrLuIAAAAG"]
[Sun Jan 25 00:17:29 2009] [error] [client 198.186.193.54] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/httpd/modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf"] [line "48"] [id "960009"] [msg "Request Missing a User Agent Header"] [severity "WARNING"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"] [hostname "www.xxxxxx.com"] [uri "/"] [unique_id "SXv16X8AAAEAAAlrLuIAAAAG"]

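Added example, not from the thread: a small parser for ModSecurity 2.x error-log entries like the two quoted above, grouping hits per client and CRS rule id and checking whether a supposedly blocked address still appears after a cutoff time, which is the observation the post above is making. The sample log is constructed from the two quoted entries plus one extra line from a documentation-range address (192.0.2.10) so the grouping has something to separate.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: the two entries quoted in the thread plus one from a second address.
SAMPLE_LOG = """\
[Sun Jan 25 00:17:29 2009] [error] [client 198.186.193.54] ModSecurity: Warning. Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required. [file "/etc/httpd/modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf"] [line "41"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"] [hostname "www.xxxxxx.com"] [uri "/"] [unique_id "SXv16X8AAAEAAAlrLuIAAAAG"]
[Sun Jan 25 00:17:29 2009] [error] [client 198.186.193.54] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/httpd/modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf"] [line "48"] [id "960009"] [msg "Request Missing a User Agent Header"] [severity "WARNING"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"] [hostname "www.xxxxxx.com"] [uri "/"] [unique_id "SXv16X8AAAEAAAlrLuIAAAAG"]
[Sun Jan 25 00:18:02 2009] [error] [client 192.0.2.10] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/httpd/modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf"] [line "48"] [id "960009"] [msg "Request Missing a User Agent Header"] [severity "WARNING"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"] [hostname "www.xxxxxx.com"] [uri "/robots.txt"] [unique_id "CONSTRUCTED00000000000001"]
"""

TS_RE = re.compile(r"^\[([^\]]+)\]")
CLIENT_RE = re.compile(r"\[client ([^\]]+)\]")
# Quoted key/value pairs such as [id "960015"] [msg "Request Missing an Accept Header"]
KV_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

def parse_modsec_line(line):
    """Return the fields of one ModSecurity 2.x error-log entry, or None if it is not one."""
    if "ModSecurity:" not in line:
        return None
    rec = dict(KV_RE.findall(line))
    m = CLIENT_RE.search(line)
    rec["client"] = m.group(1) if m else None
    m = TS_RE.match(line)
    rec["time"] = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y") if m else None
    return rec

def rule_hits_by_client(log_text):
    """Map client IP -> Counter of CRS rule ids it triggered (one count per log line)."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_modsec_line(line)
        if rec and rec["client"]:
            hits[rec["client"]][rec.get("id", "?")] += 1
    return hits

def requests_by_client(log_text):
    """Map client IP -> distinct requests (unique_id); one request often trips several rules."""
    reqs = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_modsec_line(line)
        if rec and rec["client"]:
            reqs[rec["client"]].add(rec.get("unique_id"))
    return {ip: len(ids) for ip, ids in reqs.items()}

def seen_since(log_text, ip, cutoff):
    """True if `ip` still appears in entries at or after `cutoff`: a cheap check that a
    block (iptables DROP or a reject route) actually took effect."""
    return any(rec and rec["client"] == ip and rec["time"] and rec["time"] >= cutoff
               for rec in map(parse_modsec_line, log_text.splitlines()))
```

Point `seen_since` at the time the block was applied; any hit after it means the traffic is still reaching Apache and the block is not where the packets arrive.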

falko 26th January 2009 13:44

What's the output of
Code:

route -nee
?

papokergod 26th January 2009 15:56

Segmentation fault

till 27th January 2009 12:08

Is this a physical server or vserver?

papokergod 27th January 2009 15:09

Fedora 10 server setup using the perfect setup, physical server

falko 27th January 2009 19:31

Quote:

Originally Posted by papokergod (Post 166332)
Segmentation fault

Do you still see this after a reboot (without the route command in rc.local)?

