* [Fwd: [suse-security] iptables rules for HTML Form Protocol Attack]
@ 2003-07-10  8:33 Ruprecht Helms
  2003-07-14  9:54 ` Chris Wilson
From: Ruprecht Helms @ 2003-07-10  8:33 UTC (permalink / raw)
  To: netfilter

Possibly this is a better list for responses.
How does one write a rule for that problem by hand?

Regards,
Ruprecht

-----Forwarded Message-----

> From: Muammer Arslan <Muammer.Arslan@experteach.de>
> To: suse-security@suse.com
> Subject: [suse-security] iptables rules for HTML Form Protocol Attack
> Date: 10 Jul 2003 10:14:34 +0200
> 
> Hi All,
> 
> In the last few days I have often seen the messages below in the Apache log files:
> 1.1.1.1         - - [09/Jul/2003:17:32:00+0200] "POST http://11.1.106.18:25/ HTTP/1.1" 200 475 "-" "-"
>  
> I suspect some kind of HTML protocol attack and want to stop this. Can I 
> do it somehow with IP-Tables as it is already installed on the server or 
> do you have any other ideas? I use SuSE 8.1 and SuSEfirewall2 with SuSEfirewall2-custom rules.
>  
> Thanks for your replies.
>  
> 
> Muammer




* Re: [Fwd: [suse-security] iptables rules for HTML Form Protocol Attack]
  2003-07-10  8:33 [Fwd: [suse-security] iptables rules for HTML Form Protocol Attack] Ruprecht Helms
@ 2003-07-14  9:54 ` Chris Wilson
From: Chris Wilson @ 2003-07-14  9:54 UTC (permalink / raw)
  To: Ruprecht Helms; +Cc: Muammer.Arslan, netfilter

Hi all,

> > From: Muammer Arslan <Muammer.Arslan@experteach.de>
[...]
> > In the last few days I have often seen the messages below in the Apache log files:
> > 1.1.1.1         - - [09/Jul/2003:17:32:00+0200] "POST http://11.1.106.18:25/ HTTP/1.1" 200 475 "-" "-"
> >
> > I suspect some kind of HTML protocol attack and want to stop this.
> > Can I do it somehow with IP-Tables as it is already installed on the
> > server or do you have any other ideas? I use SuSE 8.1 and
> > SuSEfirewall2 with SuSEfirewall2-custom rules.

iptables is a firewall which works at the IP packet layer, while this is
an attack against the HTTP protocol layer. Specifically, the attacker is
asking a proxy server to connect to a mail server, which it should never
allow.

If you can block all external access to your proxy server, you should do
so, and this can be done at the IP layer using iptables. For example,
assuming that your firewall and proxy server are separate 
machines, and that the attacker is outside your network and the 
proxy is inside, you can add a rule to block access to the proxy with a 
command like this on the firewall:

  iptables -I FORWARD -i <external-interface> -d <proxy-server> \
      -p tcp --dport <proxy-port> -j DROP

But you would still be better off (more secure) if you deny access to all 
services (including the proxy) which you have not explicitly decided to 
allow.

If you must provide public access to your proxy server (which is a VERY 
bad idea in my opinion), then it would be easier and more secure for you 
to configure the proxy server not to allow POST and CONNECT requests to 
ports other than 80 (and possibly 443). 

The only way to do this with iptables is to abuse the string match (from 
patch-o-matic) to detect and drop packets which contain the words "POST " 
and ":25". This will cause you false positives and is easy to bypass, so I 
don't recommend it.

Cheers, Chris.
-- 
   ___ __     _
 / __// / ,__(_)_  | Chris Wilson -- UNIX Firewall Lead Developer |
/ (_ / ,\/ _/ /_ \ | NetServers.co.uk http://www.netservers.co.uk |
\ _//_/_/_//_/___/ | 21 Signet Court, Cambridge, UK. 01223 576516 |
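Since the reply says the fix belongs at the HTTP layer rather than in iptables, the defender's complementary step is to spot these requests in the Apache logs. The following is an added example, not code from the thread or from either poster: it parses access-log lines in the format Muammer quoted and flags proxy-style requests (absolute-URI targets or CONNECT) aimed at ports other than 80/443; the allowed-port set follows Chris's "80 (and possibly 443)" remark and the sample log lines are constructed.

```python
"""Flag proxy-style requests to non-web ports (e.g. "POST http://host:25/") in Apache access logs."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache common/combined log line: src ident user [time] "method target HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<src>\S+)\s+\S+\s+\S+\s+\[(?P<time>[^\]]+)\]\s+'
    r'"(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+HTTP/[\d.]+"\s+(?P<status>\d{3})'
)
# Ports a web proxy legitimately reaches; 80 and 443 per the reply above (assumption).
ALLOWED_PORTS = {80, 443}


def parse_line(line):
    """Return the interesting fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def proxy_target_port(method, target):
    """Port the server was asked to relay to, or None for an ordinary origin-form request."""
    if method == "CONNECT":  # authority-form target (host:port): a raw TCP tunnel request
        host, _, port = target.rpartition(":")
        return int(port) if host and port.isdigit() else None
    if "://" not in target:  # origin-form target such as /index.html: served locally
        return None
    u = urlsplit(target)  # absolute-form target: the server was used as a forward proxy
    if u.port is not None:
        return u.port
    return 443 if u.scheme == "https" else 80


def is_suspicious(entry):
    """True when the request asks the server to relay to a port outside ALLOWED_PORTS."""
    port = proxy_target_port(entry["method"], entry["target"])
    return port is not None and port not in ALLOWED_PORTS


def scan(lines):
    """Return the suspicious entries and a per-source count, for alerting or blocking."""
    hits = [e for e in map(parse_line, lines) if e and is_suspicious(e)]
    return hits, Counter(e["src"] for e in hits)


# Constructed sample lines shaped like the one quoted in the thread; addresses are made up.
SAMPLE_LOG = [
    '1.1.1.1         - - [09/Jul/2003:17:32:00+0200] "POST http://11.1.106.18:25/ HTTP/1.1" 200 475 "-" "-"',
    '10.0.0.5 - - [09/Jul/2003:17:33:10 +0200] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla"',
    '1.1.1.1 - - [09/Jul/2003:17:34:00 +0200] "CONNECT 11.1.106.18:25 HTTP/1.1" 200 0 "-" "-"',
    '10.0.0.7 - - [09/Jul/2003:17:35:00 +0200] "GET http://www.example.com/ HTTP/1.1" 200 512 "-" "-"',
]
```

Running `scan()` over a real access log gives the source addresses worth feeding into the iptables DROP rule above, without relying on the fragile string match Chris warns against.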



