Need help with an iptables rule

Hailz Member

I am trying to make a simple rule that will ban an IP after it visits a page on my webserver, let us say "login.php".
If someone were to just visit it 3 times in 5 minutes, I want to ban the IP.
Now I have a rule for my SSH server that will ban after 4 attempts.

-A INPUT -p tcp --dport 22 -m recent --update --seconds 300 --hitcount 4 --rttl --name SSH -j DROP
-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT

It works perfectly. I am trying to apply the rule from this article I found: http://blog.nintechnet.com/how-to-block-w00tw00t-at-isc-sans-dfind-and-other-web-vulnerability-scanners/
I made this rule but it's not working, and I cannot figure out why not.

-A INPUT -p tcp --dport 80 -m string --to 70 --algo bm --string 'GET /login.php' -m recent --update --seconds 300 --hitcount 4 --rttl --name WEBBRUTE -j DROP
-A INPUT -p tcp --dport 80 -m string --to 70 --algo bm --string 'GET /login.php' -m state --state NEW,ESTABLISHED,RELATED -m recent --set --name WEBBRUTE -j ACCEPT

I want to do this with iptables and not fail2ban. If anyone would be kind enough to try and help me I would appreciate it.

Comments

  • William Member
    edited January 2016

    FYI, this is highly inefficient and broken by simply using SSL (which this "login" hopefully has)...

  • It's not actually for a login script. I was just using that as an example. I just want to ban anyone that would go to let's say "/image123.jpg" but only after the 3rd attempt

  • Hailz said: I just want to ban anyone that would go to let's say "/image123.jpg" but only after the 3rd attempt

    Likely I'm ignorant of something here, but what would be harmful about that?

    I just saw someone downloading facicon.ico 20 times in a row. I can't imagine why anybody would do that, but I also don't see a problem with it on my end.

  • Ole_Juul said: I just saw someone downloading facicon.ico 20 times in a row. I can't imagine why anybody would do that, but I also don't see a problem with it on my end.

    People like me turn caching off.

  • Traffic Member
    edited January 2016

    @GM2015 said:
    People like me turn caching off.

    So it was you who made me waste my BW allocation sending you the same stylesheet 10 times!
    You owe me $0.01 in bandwidth.

  • use fail2ban with a proper filter?

  • @Ole_Juul said:

    I just saw someone downloading facicon.ico 20 times in a row. I can't imagine why anybody would do that, but I also don't see a problem with it on my end.

    The problem you face is that you don't see the problem you face when people take actions you can't imagine. Timely security post from Bruce Schneier regarding the normalization of deviance.

    It's not normal to hit the same URL 20 times in quick succession, and if it were a 404 (assuming that "facicon" is not a typo) for something that never existed, you'd do well to ban the IP until you've figured it out (e.g., it's associated with additional page loads from the cache-less @GM2015). Otherwise, the next probe could be for something more vital.

  • impossiblystupid said: The problem you face is that you don't see the problem you face when people take actions you can't imagine. ... It's not normal to hit the same URL 20 times in quick succession,

    Indeed. I'm guessing it was a screwed-up bot. Unfortunately I can't ban IP addresses because, being a .onion site, there aren't any.

    impossiblystupid said: Otherwise, the next probe could be for something more vital.

    Like secret_key, I get those once in a while from somebody hoping that I've got it misconfigured. What I've done is put a link to a small file inside a 1px image. Only a bot will click on that and it gives me a bit of an idea, but not much.

  • @Hailz said:
    I made this rule but it's not working and I cannot figure out why not.

    I tested your rule on one of my sites and it worked. Did you check iptables to ensure the packets were actually being registered under your rule?
    iptables -L -v -n
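A second place to look when checking whether the rule registers anything, as an added example that is not from the thread: the `recent` module keeps its per-source table at /proc/net/xt_recent/<NAME> (WEBBRUTE for the rule above), and this script parses that table and reports which sources have reached the --seconds/--hitcount threshold. It assumes the module's line format shown in the code comment, timestamps in jiffies and a kernel HZ of 250; the sample table is constructed, and the count is taken relative to each entry's own last_seen rather than the current jiffies the kernel uses at packet time.

```python
import re
import sys
from collections import namedtuple

# Assumed kernel tick rate (CONFIG_HZ): xt_recent records timestamps in jiffies.
HZ = 250

# One line per source, as printed by the xt_recent module (IPv4 or IPv6 address):
#   src=<addr> ttl: <n> last_seen: <jiffies> oldest_pkt: <idx> <stamp>, <stamp>, ...
_LINE = re.compile(r"^src=(?P<src>\S+) ttl: (?P<ttl>\d+) last_seen: (?P<last>\d+) "
                   r"oldest_pkt: \d+(?P<stamps>.*)$")

RecentEntry = namedtuple("RecentEntry", "src ttl last_seen stamps")  # stamps: jiffies, oldest first

def parse_xt_recent(text):
    """Parse the text of /proc/net/xt_recent/<NAME> into RecentEntry tuples."""
    entries = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue  # skip blank or unexpected lines instead of failing
        stamps = [int(s) for s in m.group("stamps").replace(",", " ").split()]
        entries.append(RecentEntry(m.group("src"), int(m.group("ttl")), int(m.group("last")), stamps))
    return entries

def hits_in_window(entry, seconds, hz=HZ):
    """Recorded packets within `seconds` of the entry's newest packet."""
    cutoff = entry.last_seen - seconds * hz
    return sum(1 for s in entry.stamps if s >= cutoff)

def sources_over_threshold(text, seconds, hitcount, hz=HZ):
    """Sources whose hits inside the window reach --hitcount, roughly what --update would match."""
    return sorted(e.src for e in parse_xt_recent(text) if hits_in_window(e, seconds, hz) >= hitcount)

# Constructed sample table: only the first source has four hits within 300 s at HZ=250.
SAMPLE = """\
src=192.0.2.10 ttl: 64 last_seen: 4295100000 oldest_pkt: 4 4295030000, 4295050000, 4295090000, 4295100000
src=198.51.100.7 ttl: 51 last_seen: 4295100250 oldest_pkt: 2 4295000000, 4295100250
src=203.0.113.9 ttl: 128 last_seen: 4295099000 oldest_pkt: 1 4295099000
"""

if __name__ == "__main__":
    # Pass the live table, e.g. /proc/net/xt_recent/WEBBRUTE; with no argument the sample is used.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for e in parse_xt_recent(data):
        print(f"{e.src:<18} hits in 300s: {hits_in_window(e, 300)}  total: {len(e.stamps)}")
    print("at or over --hitcount 4:", sources_over_threshold(data, 300, 4))
```

If a source that should be listed never appears in the table at all, the packets are not reaching the string-match rule, which is a rule-ordering problem rather than a `recent` problem.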
