    Need help with an iptables rule

    Hailz Member

    I am trying to make a simple rule that will ban an ip after visiting a page on my webserver, let us say "login.php"
    If someone was to just visit it 3 times in 5 minutes I want to ban the ip.
    Now I have a rule for my ssh server that will ban after 4 attempts.

    -A INPUT -p tcp --dport 22 -m recent --update --seconds 300 --hitcount 4 --rttl --name SSH -j DROP  
    -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT
    

    It works perfectly. I am trying to apply the rule from this article I found: http://blog.nintechnet.com/how-to-block-w00tw00t-at-isc-sans-dfind-and-other-web-vulnerability-scanners/
    I made this rule but it's not working and I cannot figure out why not.

    -A INPUT -p tcp --dport 80 -m string --to 70 --algo bm --string 'GET /login.php' -m recent --update --seconds 300 --hitcount 4 --rttl --name WEBBRUTE -j DROP
    -A INPUT -p tcp --dport 80 -m string --to 70 --algo bm --string 'GET /login.php' -m state --state NEW,ESTABLISHED,RELATED -m recent --set --name WEBBRUTE -j ACCEPT
    

    I want to do this with iptables and not fail2ban. If anyone would be kind enough to try and help me I would appreciate it.
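As an added example (not from the thread), this Python model of how the kernel's xt_recent module counts hits for --set and --update, run over constructed packets from a TEST-NET address, shows why, with --hitcount 4 and the --update rule placed before the --set rule, it is the fifth /login.php request within 300 s that gets dropped, and why a second rule restricted to --state NEW (as in the SSH rule) never records anything, because the GET string only appears in an ESTABLISHED data segment and never in the SYN. It ignores --rttl and the header offsets behind --to 70.

```python
from collections import defaultdict, deque

PKT_LIST_TOT = 20  # xt_recent keeps at most ip_pkt_list_tot (default 20) stamps per address

class Recent:
    """Per-address timestamp list, following xt_recent's --set / --update logic."""
    def __init__(self):
        self.table = defaultdict(lambda: deque(maxlen=PKT_LIST_TOT))

    def set(self, ip, now):
        self.table[ip].append(now)  # --set: record a stamp; always matches
        return True

    def update(self, ip, now, seconds, hitcount):
        # --update: match when >= hitcount stamps fall inside the last `seconds`;
        # on a match the current packet is recorded too (as the kernel does)
        stamps = self.table.get(ip)
        if stamps is None:
            return False
        hits = sum(1 for s in stamps if s >= now - seconds)
        if hits >= hitcount:
            stamps.append(now)
            return True
        return False

def run_chain(packets, set_states=("NEW", "ESTABLISHED", "RELATED"),
              seconds=300, hitcount=4, needle=b"GET /login.php"):
    """Verdict per (time, src, ctstate, payload): DROP, ACCEPT or CONTINUE (fell through)."""
    recent = Recent()
    verdicts = []
    for now, src, state, payload in packets:
        has_needle = needle in payload[:70]  # rough stand-in for --to 70
        if has_needle and recent.update(src, now, seconds, hitcount):
            verdicts.append("DROP")    # --update --seconds --hitcount -j DROP
        elif has_needle and state in set_states:
            recent.set(src, now)
            verdicts.append("ACCEPT")  # --state ... -m recent --set -j ACCEPT
        else:
            verdicts.append("CONTINUE")
    return verdicts

# Constructed traffic (TEST-NET address): five /login.php requests, 10 s apart.
# The GET line rides in an ESTABLISHED data segment; the SYN carries no payload.
LOGIN_BURST = [(t, "203.0.113.5", "ESTABLISHED", b"GET /login.php HTTP/1.1\r\n")
               for t in (0, 10, 20, 30, 40)]

if __name__ == "__main__":
    print(run_chain(LOGIN_BURST))                       # 4 x ACCEPT, then DROP
    print(run_chain(LOGIN_BURST, set_states=("NEW",)))  # all CONTINUE: never set
```

Lowering hitcount to 3 makes the fourth request the first one dropped, and stamps older than --seconds are simply not counted, so a burst spread over more than 300 s never trips the rule.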

    Comments

    • William Member, Provider
      edited January 2016

      FYI, this is highly inefficient and broken by simply using SSL (which this "login" hopefully has)....

    • It's not actually for a login script. I was just using that as an example. I just want to ban anyone that would go to let's say "/image123.jpg" but only after the 3rd attempt

    • Hailz said: I just want to ban anyone that would go to let's say "/image123.jpg" but only after the 3rd attempt

      Likely I'm ignorant of something here, but what would be harmful about that?

      I just saw someone downloading facicon.ico 20 times in a row. I can't imagine why anybody would do that, but I also don't see a problem with it on my end.

    • People like me turn caching off.

      Ole_Juul said: I just saw someone downloading facicon.ico 20 times in a row. I can't imagine why anybody would do that, but I also don't see a problem with it on my end.


    • Traffic Member
      edited January 2016

      @GM2015 said:
      People like me turn caching off.

      So it was you who made me waste my BW allocation sending you the same stylesheet 10 times!
      You owe me $0.01 in bandwidth.


    • use fail2ban with a proper filter?


    • @Ole_Juul said:

      I just saw someone downloading facicon.ico 20 times in a row. I can't imagine why anybody would do that, but I also don't see a problem with it on my end.

      The problem you face is that you don't see the problem you face when people take actions you can't imagine. Timely security post from Bruce Schneier regarding the normalization of deviance.

      It's not normal to hit the same URL 20 times in quick succession, and if it were a 404 (assuming that "facicon" is not a typo) for something that never existed, you'd do well to ban the IP until you've figured it out (e.g., it's associated with additional page loads from the cache-less @GM2015). Otherwise, the next probe could be for something more vital.


    • The problem you face is that you don't see the problem you face when people take actions you can't imagine. . . . It's not normal to hit the same URL 20 times in quick succession,

      Indeed. I'm guessing it was a screwed-up bot. Unfortunately I can't ban IP addresses because being a .onion site there aren't any.

      impossiblystupid said: Otherwise, the next probe could be for something more vital.

      Like secret_key, I get those once in a while from somebody hoping that I've got it misconfigured. What I've done is put a link to a small file inside a 1px image. Only a bot will click on that and it gives me a bit of an idea, but not much.

    • @Hailz said:
      I made this rule but it's not working and I cannot figure out why not.

      I tested your rule on one of my sites and it worked. Did you check iptables to ensure the packets were actually being registered under your rule?
      iptables -L -v -n
