* Route block CONNECT requisitions for apache
From: Leonardo Marques @ 2005-11-27 11:26 UTC (permalink / raw)
  To: Lista IPTABLES

Hello,

I have an Apache webserver behind an iptables firewall, and some people
are trying to abuse my server, probably for spam. I have this
information in the Apache log:

219.80.160.238 - - [27/Nov/2005:08:56:13 -0200] "CONNECT 64.161.246.99:25 HTTP/1.0" 200 6446

I have a lot of these lines, with some different IPs; I already blocked
all those IPs.

I want to create a rule that blocks all connections of this type. Does
someone know how I can do it?

The idea is more or less this:

"everything which comes to the http_port which contains 'connect type
connections' must be denied or dropped"

Thanks for attention ;)

--
------------------------------
Leonardo Marques
http://www.analyx.org
------------------------------



* RE: Route block CONNECT requisitions for apache
From: Rob Sterenborg @ 2005-11-27 12:06 UTC (permalink / raw)
  To: 'Lista IPTABLES'

> I have an Apache webserver behind an iptables firewall, and some people
> are trying to abuse my server, probably for spam. I have this
> information in the Apache log:
>
> 219.80.160.238 - - [27/Nov/2005:08:56:13 -0200] "CONNECT 64.161.246.99:25 HTTP/1.0" 200 6446
>
> I have a lot of these lines, with some different IPs; I already blocked
> all those IPs.
>
> I want to create a rule that blocks all connections of this type. Does
> someone know how I can do it?

You say you already block these connections. So why do you ask?

- If you have a lot of IP addresses: http://ipset.netfilter.org/ for
creating a set of IP addresses to match
- Use Squid as reverse proxy

> The idea is more or less this:
>
> "everything which comes to the http_port which contains 'connect type
> connections' must be denied or dropped"

You want content filtering and Netfilter is no good for that. You could
use the string match, but if the string you want to match is divided
over 2 (or more) packets, it won't work.
Use Squid as reverse proxy to block something like this.


Gr,
Rob
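
An added example, not part of the original thread or written by any of its participants: one way to build the ipset suggested above from the Apache access log instead of blocking addresses by hand. The set name `connect_probes` and the `min_hits` threshold are assumptions; only the first sample line comes from the thread, the others are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Apache common log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

# First line is the entry quoted in the thread (unwrapped); the rest are constructed.
SAMPLE_LOG = """\
219.80.160.238 - - [27/Nov/2005:08:56:13 -0200] "CONNECT 64.161.246.99:25 HTTP/1.0" 200 6446
203.0.113.7 - - [27/Nov/2005:08:57:01 -0200] "GET /index.html HTTP/1.1" 200 6446
198.51.100.23 - - [27/Nov/2005:08:58:40 -0200] "CONNECT 192.0.2.10:25 HTTP/1.0" 200 6446
198.51.100.23 - - [27/Nov/2005:08:58:42 -0200] "CONNECT 192.0.2.11:25 HTTP/1.0" 200 6446
203.0.113.7 - - [27/Nov/2005:08:59:10 -0200] "GET /CONNECT.html HTTP/1.1" 404 210
not a log line
"""

def connect_clients(log_text):
    """Map client IPv4 address -> list of (target, status) for CONNECT requests."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m or m.group("method") != "CONNECT":
            continue  # skip malformed lines and every other method
        try:
            ip = ipaddress.ip_address(m.group("host"))
        except ValueError:
            continue  # host logged as a name; never feed that to the firewall
        if ip.version == 4:  # a hash:ip set with default family holds IPv4 only
            hits[str(ip)].append((m.group("target"), int(m.group("status"))))
    return dict(hits)

def ipset_restore_lines(hits, set_name="connect_probes", min_hits=1):
    """Render `ipset restore` input for clients with at least min_hits CONNECTs."""
    lines = [f"create {set_name} hash:ip"]  # set_name is a hypothetical name
    for ip in sorted(hits, key=ipaddress.ip_address):
        if len(hits[ip]) >= min_hits:
            lines.append(f"add {set_name} {ip}")
    return lines

if __name__ == "__main__":
    print("\n".join(ipset_restore_lines(connect_clients(SAMPLE_LOG))))
```

The output can be piped to `ipset -exist restore`, and a rule such as `iptables -I INPUT -p tcp --dport 80 -m set --match-set connect_probes src -j DROP` then matches the whole set. Because the method is taken from the parsed request field of the log, the split-packet limitation of the string match does not apply, but a client is only added after its first request has been logged.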




* Re: Route block CONNECT requisitions for apache
From: Leonardo Marques @ 2005-11-27 12:42 UTC (permalink / raw)
  To: Lista IPTABLES

On 11/27/05, Rob Sterenborg <rob@sterenborg.info> wrote:
> > I have an Apache webserver behind an iptables firewall, and some people
> > are trying to abuse my server, probably for spam. I have this
> > information in the Apache log:
> >
> > 219.80.160.238 - - [27/Nov/2005:08:56:13 -0200] "CONNECT 64.161.246.99:25 HTTP/1.0" 200 6446
> >
> > I have a lot of these lines, with some different IPs; I already blocked
> > all those IPs.
> >
> > I want to create a rule that blocks all connections of this type. Does
> > someone know how I can do it?
>
> You say you already block these connections. So why do you ask?

I asked because I did it manually; I want some rule to drop these
connections automatically.

>
> - If you have a lot of IP addresses: http://ipset.netfilter.org/ for
> creating a set of IP addresses to match

OK, I'll read this URL.

> - Use Squid as reverse proxy
>
> > The idea is more or less this:
> >
> > "everything which comes to the http_port which contains 'connect type
> > connections' must be denied or dropped"
>
> You want content filtering and Netfilter is no good for that. You could
> use the string match, but if the string you want to match is divided
> over 2 (or more) packets, it won't work.
> Use Squid as reverse proxy to block something like this.

I don't want to use Squid, but thanks for the idea.

[]s

>
>
> Gr,
> Rob
>
>
>


--
------------------------------
Leonardo Marques
http://www.analyx.org
------------------------------



* Re: Route block CONNECT requisitions for apache
From: Georgi Alexandrov @ 2005-11-27 14:07 UTC (permalink / raw)
  To: netfilter

Leonardo Marques wrote:

>Hello,
>
>I have an Apache webserver behind an iptables firewall, and some people
>are trying to abuse my server, probably for spam. I have this
>information in the Apache log:
>
>219.80.160.238 - - [27/Nov/2005:08:56:13 -0200] "CONNECT 64.161.246.99:25 HTTP/1.0" 200 6446
>
>I have a lot of these lines, with some different IPs; I already blocked
>all those IPs.
>
>I want to create a rule that blocks all connections of this type. Does
>someone know how I can do it?
>
>The idea is more or less this:
>
>"everything which comes to the http_port which contains 'connect type
>connections' must be denied or dropped"
>
What's the point in doing this, as those are no harm to your system?
Or do you like to complicate your life as much as possible and then say: "oh,
security isn't for everyone, but I'm managing somehow!"
Perhaps you should leave those and deal with something more useful.

regards,
Georgi Alexandrov



* Re: Route block CONNECT requisitions for apache
From: Leonardo Marques @ 2005-11-27 14:37 UTC (permalink / raw)
  To: Lista IPTABLES

On 11/27/05, Georgi Alexandrov <georgi.alexandrov@gmail.com> wrote:
> Leonardo Marques wrote:
>
> >Hello,
> >
> >I have an Apache webserver behind an iptables firewall, and some people
> >are trying to abuse my server, probably for spam. I have this
> >information in the Apache log:
> >
> >219.80.160.238 - - [27/Nov/2005:08:56:13 -0200] "CONNECT 64.161.246.99:25 HTTP/1.0" 200 6446
> >
> >I have a lot of these lines, with some different IPs; I already blocked
> >all those IPs.
> >
> >I want to create a rule that blocks all connections of this type. Does
> >someone know how I can do it?
> >
> >The idea is more or less this:
> >
> >"everything which comes to the http_port which contains 'connect type
> >connections' must be denied or dropped"
> >
> What's the point in doing this, as those are no harm to your system?
> Or do you like to complicate your life as much as possible and then say: "oh,
> security isn't for everyone, but I'm managing somehow!"
> Perhaps you should leave those and deal with something more useful.
>

What's the problem with searching for a final solution to a problem!? I can't
understand why you are so brave with it. I thought this was a place to discuss
security with iptables. :/

What's the problem with not having free time to read the Apache log
and manually block a lot of IPs?! What's the problem with finding a
rule which solves this problem for me?!

Exactly, I need it to be automated, to have time to do other things.

Georgi, if you don't want to help... just don't say anything, it's better for
me, for you, for everybody.

> regards,
> Georgi Alexandrov
>
>

--
------------------------------
Leonardo Marques
http://www.analyx.org
------------------------------



* Re: Route block CONNECT requisitions for apache
From: Georgi Alexandrov @ 2005-11-29 21:47 UTC (permalink / raw)
  To: netfilter

Leonardo Marques wrote:

>On 11/27/05, Georgi Alexandrov <georgi.alexandrov@gmail.com> wrote:
>
>>Leonardo Marques wrote:
>>
>>>Hello,
>>>
>>>I have an Apache webserver behind an iptables firewall, and some people
>>>are trying to abuse my server, probably for spam. I have this
>>>information in the Apache log:
>>>
>>>219.80.160.238 - - [27/Nov/2005:08:56:13 -0200] "CONNECT 64.161.246.99:25 HTTP/1.0" 200 6446
>>>
>>>I have a lot of these lines, with some different IPs; I already blocked
>>>all those IPs.
>>>
>>>I want to create a rule that blocks all connections of this type. Does
>>>someone know how I can do it?
>>>
>>>The idea is more or less this:
>>>
>>>"everything which comes to the http_port which contains 'connect type
>>>connections' must be denied or dropped"
>>>
>>What's the point in doing this, as those are no harm to your system?
>>Or do you like to complicate your life as much as possible and then say: "oh,
>>security isn't for everyone, but I'm managing somehow!"
>>Perhaps you should leave those and deal with something more useful.
>>
>
>What's the problem with searching for a final solution to a problem!? I can't
>understand why you are so brave with it. I thought this was a place to discuss
>security with iptables. :/
>
>What's the problem with not having free time to read the Apache log
>and manually block a lot of IPs?! What's the problem with finding a
>rule which solves this problem for me?!
>
>Exactly, I need it to be automated, to have time to do other things.
>
>Georgi, if you don't want to help... just don't say anything, it's better for
>me, for you, for everybody.
>
>>regards,
>>Georgi Alexandrov
>>
>
>--
>------------------------------
>Leonardo Marques
>http://www.analyx.org
>------------------------------
>
I don't see a problem, that's why I'm saying this.
You are getting scanned about open proxy ability, e.g. you're being
scanned for an open proxy listening on port 80, which you actually don't
have and use on port 80.
Why do you need to block these then? Just to complicate your life (wife)
situation?

