Re: [Fwd: [suse-security] iptables rules for HTML Form Protocol Attack]


Hi all,

> > From: Muammer Arslan <Muammer.Arslan@xxxxxxxxxxxxx>
[...]
> > Last days I often see below messages in Apache log files:
> > 1.1.1.1         - - [09/Jul/2003:17:32:00+0200] "POST http://11.1.106.18:25/ HTTP/1.1" 200 475 "-" "-"
> >
> > I suspect some kind of HTML protocol attack and want to stop this.
> > Can I do it somehow with IP-Tables as it is already installed on the
> > server or do you have any other ideas? I use SuSE 8.1 and
> > SuSEfirewall2 with SuSEfirewall2-custom rules.

iptables is a firewall which works at the IP packet layer, while this is
an attack against the HTTP protocol layer. Specifically, the attacker is
asking a proxy server to connect to a mail server, which it should never
allow.

If you can block all external access to your proxy server, you should do
so, and this can be done at the IP layer using iptables. For example,
assuming that your firewall and proxy server are separate 
machines, and that the attacker is outside your network and the 
proxy is inside, you can add a rule to block access to the proxy with a 
command like this on the firewall:

  iptables -I FORWARD -i <external-interface> -d <proxy-server> \
      -p tcp --dport <proxy-port> -j DROP

But you would still be better off (more secure) if you deny access to all 
services (including the proxy) which you have not explicitly decided to 
allow.

If you must provide public access to your proxy server (which is a VERY 
bad idea in my opinion), then it would be easier and more secure for you 
to configure the proxy server not to allow POST and CONNECT requests to 
ports other than 80 (and possibly 443). 

The only way to do this with iptables is to abuse the string match (from 
patch-o-matic) to detect and drop packets which contain the words "POST " 
and ":25". This will cause you false positives and is easy to bypass, so I 
don't recommend it.

Cheers, Chris.
-- 
   ___ __     _
 / __// / ,__(_)_  | Chris Wilson -- UNIX Firewall Lead Developer |
/ (_ / ,\/ _/ /_ \ | NetServers.co.uk http://www.netservers.co.uk |
\ _//_/_/_//_/___/ | 21 Signet Court, Cambridge, UK. 01223 576516 |
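A defender-side check for the log pattern discussed in this thread, added here as an example that is not part of the original post: it parses Apache combined-log lines (the sample lines below are constructed) and flags proxied requests, i.e. CONNECT requests or absolute-URL POST/GET requests, whose target port is not 80 or 443, which is exactly the POST-to-port-25 abuse the original report shows.

```python
import re
from urllib.parse import urlsplit

# Constructed sample log lines in Apache combined format (not from the poster's server).
SAMPLE_LOG = """\
1.1.1.1 - - [09/Jul/2003:17:32:00 +0200] "POST http://11.1.106.18:25/ HTTP/1.1" 200 475 "-" "-"
10.0.0.5 - - [09/Jul/2003:17:32:05 +0200] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
1.1.1.2 - - [09/Jul/2003:17:33:10 +0200] "CONNECT mail.example.net:25 HTTP/1.1" 200 0 "-" "-"
1.1.1.3 - - [09/Jul/2003:17:34:00 +0200] "GET http://www.example.org/ HTTP/1.1" 200 5678 "-" "-"
1.1.1.4 - - [09/Jul/2003:17:35:00 +0200] "POST https://www.example.org:443/login HTTP/1.1" 302 0 "-" "-"
"""

# client ident user [timestamp] "METHOD TARGET PROTO" STATUS BYTES ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) (\S+)" (\d{3}) (\S+)')

# Ports a forward proxy is normally expected to reach (the post's suggestion: 80, possibly 443).
ALLOWED_PORTS = {80, 443}


def request_target_port(method, target):
    """Return the TCP port a proxy would open for this request, or None for a plain local path."""
    if method == "CONNECT":
        # CONNECT carries host:port, not a URL.
        _host, _sep, port = target.rpartition(":")
        return int(port) if port.isdigit() else None
    if "://" in target:
        # Absolute URL in the request line means the server was used as a forward proxy.
        try:
            parts = urlsplit(target)
            if parts.port is not None:
                return parts.port
        except ValueError:  # malformed port in the URL; treat as unknown
            return None
        return {"http": 80, "https": 443}.get(parts.scheme)
    return None


def find_proxy_abuse(log_text, allowed_ports=ALLOWED_PORTS):
    """Return (client, method, target, port, status) for proxied requests to unexpected ports."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _ts, method, target, _proto, status, _size = m.groups()
        port = request_target_port(method, target)
        if port is not None and port not in allowed_ports:
            hits.append((client, method, target, port, int(status)))
    return hits


if __name__ == "__main__":
    for hit in find_proxy_abuse(SAMPLE_LOG):
        print("proxy abuse:", hit)
```

A status of 200 on a flagged line means the proxy actually completed the relay, which is the case to act on first by closing external access to the proxy as the reply recommends.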