Iptables, bastille, ISPConfig setup

[papokergod]

I have a Fedora 10 server setup using the perfect setup, and have a few questions. (disabled Linux firewall/SELinux)

I have added a rule " Iptables -I INPUT -s 198.186.193.54 -j DROP " to block an undesirable bot/spider since mod_security "spams" my logs because it blocks it due to no header reply, browser version etc.

However, upon its return usually once a day, Iptables does not seem to "ghost" my server as mod_security still sees and returns the 403 error to the bot.

if it helps

running the command " ps -ef | grep iptables " returns root 8200 7827 0 09:51 pts/0 00:00:00 grep iptables

running the command " iptables -L INPUT " returns

Code:

Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       all  --  ashburn.notadot.com  anywhere
DROP       tcp  --  anywhere             loopback/8
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  BASE-ADDRESS.MCAST.NET/4  anywhere
PUB_IN     all  --  anywhere             anywhere
PUB_IN     all  --  anywhere             anywhere
PUB_IN     all  --  anywhere             anywhere
PUB_IN     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

It seems once I have restart the firewall through ISPConfig the command " iptables -L INPUT " returns

Code:

Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       tcp  --  anywhere             loopback/8
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  BASE-ADDRESS.MCAST.NET/4  anywhere
PUB_IN     all  --  anywhere             anywhere
PUB_IN     all  --  anywhere             anywhere
PUB_IN     all  --  anywhere             anywhere
PUB_IN     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

notice the line DROP all -- ashburn.notadot.com anywhere is removed loosing my iptables rules allowing notadot back in.

Thanks for the help in advance.

[till]

Instead of using iptables command which conflicts with the firewall rules you better use the route command to block the IP:

Code:

/sbin/route add -host 198.186.193.54 reject

[papokergod]

thanks, I will try that instead. This will return a server not found correct? Also I would have to add that line to the rc.local file so it stays after a reboot?

[falko]

Quote:

Originally Posted by papokergod

This will return a server not found correct?

I don't remember the correct message, but yes, it's something like that.

Quote:

Originally Posted by papokergod

Also I would have to add that line to the rc.local file so it stays after a reboot?

Yes.

[papokergod]

for some reason mod_security is still seeing this ip and its not getting the server not found.

Code:

[Sun Jan 25 00:17:29 2009] [error] [client 198.186.193.54] ModSecurity: Warning. Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required. [file "/etc/httpd/modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf"] [line "41"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"] [hostname "www.xxxxxx.com"] [uri "/"] [unique_id "SXv16X8AAAEAAAlrLuIAAAAG"]
[Sun Jan 25 00:17:29 2009] [error] [client 198.186.193.54] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/httpd/modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf"] [line "48"] [id "960009"] [msg "Request Missing a User Agent Header"] [severity "WARNING"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"] [hostname "www.xxxxxx.com"] [uri "/"] [unique_id "SXv16X8AAAEAAAlrLuIAAAAG"]

[falko]

What's the output of

Code:

route -nee

?