Subject: Re: [Fwd: [suse-security] iptables rules for HTML Form Protocol Attack]
In reply to: [Fwd: [suse-security] iptables rules for HTML Form Protocol Attack] (Ruprecht Helms, 2003-07-10 8:33)
From: Chris Wilson @ 2003-07-14 9:54 UTC (permalink / raw)
To: Ruprecht Helms; +Cc: Muammer.Arslan, netfilter
Hi all,
> > From: Muammer Arslan <Muammer.Arslan@experteach.de>
[...]
> > In the last few days I have often seen messages like the one below in the Apache log files:
> > 1.1.1.1 - - [09/Jul/2003:17:32:00+0200] "POST http://11.1.106.18:25/ HTTP/1.1" 200 475 "-" "-"
> >
> > I suspect some kind of HTML protocol attack and want to stop this.
> > Can I do it somehow with IP-Tables as it is already installed on the
> > server or do you have any other ideas? I use SuSE 8.1 and
> > SuSEfirewall2 with SuSEfirewall2-custom rules.
iptables is a firewall which works at the IP packet layer, while this is
an attack against the HTTP protocol layer. Specifically, the attacker is
asking a proxy server to connect to a mail server, which it should never
allow.
If you can block all external access to your proxy server, you should do
so, and this can be done at the IP layer using iptables. For example,
assuming that your firewall and proxy server are separate
machines, and that the attacker is outside your network and the
proxy is inside, you can add a rule to block access to the proxy with a
command like this on the firewall:
iptables -I FORWARD -i <external-interface> -d <proxy-server> \
-p tcp --dport <proxy-port> -j DROP
But you would still be better off (more secure) if you deny access to all
services (including the proxy) which you have not explicitly decided to
allow.
If you must provide public access to your proxy server (which is a VERY
bad idea in my opinion), then it would be easier and more secure for you
to configure the proxy server not to allow POST and CONNECT requests to
ports other than 80 (and possibly 443).
The only way to do this with iptables is to abuse the string match (from
patch-o-matic) to detect and drop packets which contain the words "POST "
and ":25". This will cause you false positives and is easy to bypass, so I
don't recommend it.
Cheers, Chris.
--
Chris Wilson -- UNIX Firewall Lead Developer
NetServers.co.uk http://www.netservers.co.uk
21 Signet Court, Cambridge, UK. 01223 576516
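As an added example (not part of the original thread), here is a small Python script that applies Chris's point at the HTTP layer instead of the packet layer: it parses Apache access-log lines like the one Muammer quoted and flags requests that ask the server to act as a proxy towards any port other than 80 or 443. The log lines are constructed sample data (the first is the one from the post), and the allowed-port set is an assumption.

```python
import re
from urllib.parse import urlsplit

# Constructed sample log lines: the first is the line quoted in the post,
# the rest are made-up entries that exercise the other cases.
SAMPLE_LOG = """\
1.1.1.1 - - [09/Jul/2003:17:32:00+0200] "POST http://11.1.106.18:25/ HTTP/1.1" 200 475 "-" "-"
10.0.0.5 - - [09/Jul/2003:17:33:10+0200] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
1.1.1.1 - - [09/Jul/2003:17:34:02+0200] "CONNECT 192.0.2.10:25 HTTP/1.0" 200 0 "-" "-"
10.0.0.7 - - [09/Jul/2003:17:35:44+0200] "CONNECT example.net:443 HTTP/1.1" 200 0 "-" "-"
10.0.0.7 - - [09/Jul/2003:17:36:01+0200] "GET http://example.org/ HTTP/1.1" 200 512 "-" "-"
"""

# Client, bracketed timestamp, quoted request line and status code of a common/combined log entry.
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]*\] "(?P<request>[^"]*)" (?P<status>\d{3})')
ALLOWED_PORTS = {80, 443}  # assumption: the only upstream ports a web proxy should reach

def requested_port(method, target):
    """Return (host, port) for a proxy-style request target, or None for an
    ordinary origin-form request such as "GET /index.html"."""
    if method == "CONNECT":                      # CONNECT host:port
        host, sep, port = target.rpartition(":")
        return (host, int(port)) if sep and port.isdigit() else (target, 443)
    if "://" not in target:                      # not an absolute URI, so not a proxy request
        return None
    parts = urlsplit(target)                     # absolute-URI form: scheme://host[:port]/path
    if parts.hostname is None:
        return None
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.hostname, port

def proxy_abuse_attempts(log_text):
    """Flag requests that ask the server to relay to a port other than 80/443,
    e.g. "POST http://host:25/" or "CONNECT host:25" (the pattern in the post)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        fields = m.group("request").split()
        if len(fields) < 2:
            continue
        method, target = fields[0].upper(), fields[1]
        hp = requested_port(method, target)
        if hp and hp[1] not in ALLOWED_PORTS:
            hits.append({"client": m.group("client"), "method": method,
                         "host": hp[0], "port": hp[1], "status": int(m.group("status"))})
    return hits

if __name__ == "__main__":
    for hit in proxy_abuse_attempts(SAMPLE_LOG):
        print(hit)
```

A 200 status on such an entry means the proxy actually relayed the request, which is the configuration problem Chris describes; a 403 would show the proxy refusing it.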