Iptables, bastille, ISPConfig setup

Discussion in 'Installation/Configuration' started by papokergod, Jan 23, 2009.

  1. papokergod

    papokergod New Member

    I have a Fedora 10 server setup using the perfect setup, and have a few questions. (disabled Linux firewall/SELinux)

    I have added a rule " Iptables -I INPUT -s 198.186.193.54 -j DROP " to block an undesirable bot/spider since mod_security "spams" my logs because it blocks it due to no header reply, browser version etc.

    However, upon its return usually once a day, Iptables does not seem to "ghost" my server as mod_security still sees and returns the 403 error to the bot.

    if it helps

    running the command " ps -ef | grep iptables " returns root 8200 7827 0 09:51 pts/0 00:00:00 grep iptables

    running the command " iptables -L INPUT " returns
    Code:
    Chain INPUT (policy DROP)
    target     prot opt source               destination
    [COLOR="Red"]DROP       all  --  ashburn.notadot.com  anywhere[/COLOR]
    DROP       tcp  --  anywhere             loopback/8
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
    ACCEPT     all  --  anywhere             anywhere
    DROP       all  --  BASE-ADDRESS.MCAST.NET/4  anywhere
    PUB_IN     all  --  anywhere             anywhere
    PUB_IN     all  --  anywhere             anywhere
    PUB_IN     all  --  anywhere             anywhere
    PUB_IN     all  --  anywhere             anywhere
    DROP       all  --  anywhere             anywhere
    
    It seems once I have restart the firewall through ISPConfig the command " iptables -L INPUT " returns
    Code:
    Chain INPUT (policy DROP)
    target     prot opt source               destination
    DROP       tcp  --  anywhere             loopback/8
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
    ACCEPT     all  --  anywhere             anywhere
    DROP       all  --  BASE-ADDRESS.MCAST.NET/4  anywhere
    PUB_IN     all  --  anywhere             anywhere
    PUB_IN     all  --  anywhere             anywhere
    PUB_IN     all  --  anywhere             anywhere
    PUB_IN     all  --  anywhere             anywhere
    DROP       all  --  anywhere             anywhere
    
    notice the line DROP all -- ashburn.notadot.com anywhere is removed loosing my iptables rules allowing notadot back in.

    Thanks for the help in advance.
     
  2. till

    till Super Moderator

    Instead of using iptables command which conflicts with the firewall rules you better use the route command to block the IP:

    Code:
    /sbin/route add -host 198.186.193.54 reject
     
  3. papokergod

    papokergod New Member

    thanks, I will try that instead. This will return a server not found correct? Also I would have to add that line to the rc.local file so it stays after a reboot?
     
    Last edited: Jan 23, 2009
  4. falko

    falko Super Moderator

    I don't remember the correct message, but yes, it's something like that.

    Yes.
     
  5. papokergod

    papokergod New Member

    for some reason mod_security is still seeing this ip and its not getting the server not found.

    Code:
    [Sun Jan 25 00:17:29 2009] [error] [client 198.186.193.54] ModSecurity: Warning. Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required. [file "/etc/httpd/modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf"] [line "41"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"] [hostname "www.xxxxxx.com"] [uri "/"] [unique_id "SXv16X8AAAEAAAlrLuIAAAAG"]
    [Sun Jan 25 00:17:29 2009] [error] [client 198.186.193.54] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/httpd/modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf"] [line "48"] [id "960009"] [msg "Request Missing a User Agent Header"] [severity "WARNING"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"] [hostname "www.xxxxxx.com"] [uri "/"] [unique_id "SXv16X8AAAEAAAlrLuIAAAAG"]
    
     
  6. falko

    falko Super Moderator

    What's the output of
    Code:
    route -nee
    ?
     
  7. papokergod

    papokergod New Member

    Segmentation fault
     
  8. till

    till Super Moderator

    Is this a physical server or vserver?
     
  9. papokergod

    papokergod New Member

    Fedora 10 server setup using the perfect setup, physical server
     
  10. falko

    falko Super Moderator

    Do you still see this after a reboot (without the route command in rc.local)?
     
  11. papokergod

    papokergod New Member

    same error with route command in rc.local

    rc.local file:
    Code:
    #!/bin/sh
    #
    # This script will be executed *after* all the other init scripts.
    # You can put your own initialization stuff in here if you don't
    # want to do the full Sys V style init stuff.
    
    touch /var/lock/subsys/local
    /sbin/route add -host 198.186.193.54 reject
    
    
     
  12. falko

    falko Super Moderator

    And without the route command in rc.local?
     
  13. papokergod

    papokergod New Member

    sorry missunderstood, after removing the line from rc.local, rebooting and running the command: route -nee

    still have the Segmentation fault

    after running the command from putty i ran it directly from the server here is more info:

    Code:
    
    route[2619]:segfault at b07f6678 ip 007d6dd7 sp bfae5808 error 6 in ld-2.9.so[7d4000+20000]
    
    
    
     
    Last edited: Jan 28, 2009
  14. falko

    falko Super Moderator

    That's strange. Seems as if something's wrong with the installation. IF this is an empty system, I'd set it up from scratch again.
     
  15. papokergod

    papokergod New Member

    not really an option, i have reinstalled iproute, glibc, did a yum update and still same error.

    Could this be a compatibility issue with the eth0 driver?
     
    Last edited: Jan 30, 2009
  16. falko

    falko Super Moderator

    Segmentation faults can be caused by hardware errors, so that's possible. You can try to replace the NIC with another one.
     
  17. papokergod

    papokergod New Member

    Just so I understand this (which I think I do), Segmentation faults are the windows equivalent to the BSOD right?
     
  18. falko

    falko Super Moderator

    Not really - the rest of the system is still working.
     

Share This Page