Should this work? I want to block these. They keep querying my webserver for stuff.

EX:
mmbuild7.sv.av.com - - [15/Oct/2002:15:01:23 -0300] "GET /robots.txt HTTP/1.0" 200 20
mmbuild7.sv.av.com - - [15/Oct/2002:15:01:23 -0300] "GET /victoria/May312002/dcp02722.jpg HTTP/1.0" 302 304
mmbuild7.sv.av.com - - [15/Oct/2002:15:01:24 -0300] "GET /photos/May312002/dcp02722.jpg HTTP/1.0" 404 295

My blacklist

###############################################################################
#ADDRESS/SUBNET PROTOCOL PORT
#av.com crap
64.152.75.0/32
#Googlebot crap
216.239.0.0/32
216.39.0.0/32
209.86.0.0/32
209.73.0.0/32
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
Joe Gofton wrote:
> Should this work? I want to block these. They keep querying my webserver
> for stuff.
>

Not with the VLSMs that you have specified it won't. Please review
http://www.shorewall.net/shorewall_setup_guide.htm#Subnets

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
/32 is for a single host. /24 is what you want if block .0.0's

On Tue, 15 Oct 2002 15:45:34 -0300 (ADT) "Joe Gofton" <jgofton@danicar.net> wrote:
> Should this work? I want to block these. They keep querying my
> webserver for stuff.
>
> EX:
> mmbuild7.sv.av.com - - [15/Oct/2002:15:01:23 -0300] "GET /robots.txt HTTP/1.0" 200 20
> mmbuild7.sv.av.com - - [15/Oct/2002:15:01:23 -0300] "GET /victoria/May312002/dcp02722.jpg HTTP/1.0" 302 304
> mmbuild7.sv.av.com - - [15/Oct/2002:15:01:24 -0300] "GET /photos/May312002/dcp02722.jpg HTTP/1.0" 404 295
>
> My blacklist
>
> ###############################################################################
> #ADDRESS/SUBNET PROTOCOL PORT
> #av.com crap
> 64.152.75.0/32
> #Googlebot crap
> 216.239.0.0/32
> 216.39.0.0/32
> 209.86.0.0/32
> 209.73.0.0/32
>
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@shorewall.net
> http://www.shorewall.net/mailman/listinfo/shorewall-users

--
Paul Slinski
System Administrator
Global IQX
http://www.globaliqx.com/
pauls@globaliqx.com
Crap. Still getting hit.

#ADDRESS/SUBNET PROTOCOL PORT
#av.com crap
64.152.75.0/24
#Googlebot crap
216.239.0.0/24
216.39.0.0/24
209.86.0.0/24
209.73.0.0/24

mmbuild4.sv.av.com - - [16/Oct/2002:03:33:47 -0300] "GET /robots.txt HTTP/1.0" 200 20
mmbuild4.sv.av.com - - [16/Oct/2002:03:33:48 -0300] "GET /victoria/Feb262002/vic2.jpg HTTP/1.0" 302 300
mmbuild4.sv.av.com - - [16/Oct/2002:03:33:48 -0300] "GET /photos/Feb262002/vic2.jpg HTTP/1.0" 404 291
81.6.196.75 - - [16/Oct/2002:05:02:30 -0300] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3% u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 324
mmbuild8.sv.av.com - - [16/Oct/2002:07:24:59 -0300] "GET /robots.txt HTTP/1.0" 200 20
mmbuild8.sv.av.com - - [16/Oct/2002:07:24:59 -0300] "GET /victoria/Feb182002/Victoria-3.jpg HTTP/1.0" 302 306
mmbuild8.sv.av.com - - [16/Oct/2002:07:24:59 -0300] "GET /photos/Feb182002/Victoria-3.jpg HTTP/1.0" 404 297
216.39.50.98 - - [16/Oct/2002:07:54:31 -0300] "GET /robots.txt HTTP/1.0" 200 20
216.39.50.98 - - [16/Oct/2002:07:54:31 -0300] "GET /victoria/Apr162002/DCP02566.JPG HTTP/1.0" 302 304
216.39.50.98 - - [16/Oct/2002:07:54:32 -0300] "GET /photos/Apr162002/DCP02566.JPG HTTP/1.0" 404 295
172.24.100.59 - - [16/Oct/2002:08:30:40 -0300] "GET /webmail/src/login.php HTTP/1.1" 302 309
mmbuild1.sv.av.com - - [16/Oct/2002:09:03:35 -0300] "GET /robots.txt HTTP/1.0" 200 20
mmbuild1.sv.av.com - - [16/Oct/2002:09:03:36 -0300] "GET /victoria/Apr172002/DCP02573.JPG HTTP/1.0" 302 304
mmbuild1.sv.av.com - - [16/Oct/2002:09:03:36 -0300] "GET /photos/Apr172002/DCP02573.JPG HTTP/1.0" 404 295

> /32 is for a single host. /24 is what you want if block .0.0's
>
> On Tue, 15 Oct 2002 15:45:34 -0300 (ADT)
> "Joe Gofton" <jgofton@danicar.net> wrote:
>
>> Should this work? I want to block these. They keep querying my
>> webserver for stuff.
>>
>> EX:
>> mmbuild7.sv.av.com - - [15/Oct/2002:15:01:23 -0300] "GET /robots.txt HTTP/1.0" 200 20
>> mmbuild7.sv.av.com - - [15/Oct/2002:15:01:23 -0300] "GET /victoria/May312002/dcp02722.jpg HTTP/1.0" 302 304
>> mmbuild7.sv.av.com - - [15/Oct/2002:15:01:24 -0300] "GET /photos/May312002/dcp02722.jpg HTTP/1.0" 404 295
>>
>> My blacklist
>>
>> ###############################################################################
>> #ADDRESS/SUBNET PROTOCOL PORT
>> #av.com crap
>> 64.152.75.0/32
>> #Googlebot crap
>> 216.239.0.0/32
>> 216.39.0.0/32
>> 209.86.0.0/32
>> 209.73.0.0/32
>>
>> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
> --
> Paul Slinski
> System Administrator
> Global IQX
> http://www.globaliqx.com/
> pauls@globaliqx.com
> -----Original Message-----
> From: Joe Gofton
> Sent: Wednesday, October 16, 2002 7:39 AM
> Subject: Re: [Shorewall-users] Blacklist
>
> Crap. Still getting hit.
>
> #ADDRESS/SUBNET PROTOCOL PORT
> #av.com crap
> 64.152.75.0/24
> #Googlebot crap
> 216.239.0.0/24
> 216.39.0.0/24
> 209.86.0.0/24
> 209.73.0.0/24
>

Have you added the option "blacklist" to your external interface listing in the shorewall interface file?

Also, I simply add the ip address to my blacklist file without the mask for the code red/nimda crap. i.e.

216.39.50.98
81.6.196.75

FWIW: I have added a few network addresses to my blacklist file, but only after querying ICANN, APNIC, etc. for the ISP's net block range. Stupid spammers on dialup lines.

Steve Cowles
Yes, but I don't want to have to keep adding IPs. I just want to block the range and not have to worry.

>> -----Original Message-----
>> From: Joe Gofton
>> Sent: Wednesday, October 16, 2002 7:39 AM
>> Subject: Re: [Shorewall-users] Blacklist
>>
>> Crap. Still getting hit.
>>
>> #ADDRESS/SUBNET PROTOCOL PORT
>> #av.com crap
>> 64.152.75.0/24
>> #Googlebot crap
>> 216.239.0.0/24
>> 216.39.0.0/24
>> 209.86.0.0/24
>> 209.73.0.0/24
>>
>
> Have you added the option "blacklist" to your external interface listing
> in the shorewall interface file?
>
> Also, I simply add the ip address to my blacklist file without the mask
> for the code red/nimda crap. i.e.
>
> 216.39.50.98
> 81.6.196.75
>
> FWIW: I have added a few network addresses to my blacklist file, but
> only after querying ICANN, APNIC, etc. for the ISP's net block range.
> Stupid spammers on dialup lines.
>
> Steve Cowles
Joe Gofton wrote:
> Crap. Still getting hit.
>
> #ADDRESS/SUBNET PROTOCOL PORT
> #av.com crap
> 64.152.75.0/24
> #Googlebot crap
> 216.239.0.0/24
> 216.39.0.0/24
> 209.86.0.0/24
> 209.73.0.0/24
>
> mmbuild4.sv.av.com - - [16/Oct/2002:03:33:47 -0300] "GET /robots.txt HTTP/1.0" 200 20

You don't have an entry in your blacklist file that matches the IP of this host (216.39.50.106). The entry 216.39.0.0/24 only covers addresses 216.39.0.0-216.39.0.255. The table in the Setup Guide clearly shows that the size of a /24 network is 255 right? If you want to cover 216.39.*.*, you need /16.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Tom Eastep wrote:
> You don't have an entry in your blacklist file that matches the IP of
> this host (216.39.50.106). The entry 216.39.0.0/24 only covers addresses
> 216.39.0.0-216.39.0.255. The table in the Setup Guide clearly shows that
> the size of a /24 network is 255 right?

Ok -- so it's 256. :-)

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
On 16 Oct 2002 at 9:38, Joe Gofton wrote:

Can't tell you, but I found some antidote against such stuff in the internet:

# DROP HTTP packets related to CodeRed and Nimda
# viruses silently
iptables -t filter -A INPUT -i $EXT_IFACE -p tcp \
    -d $IP --dport http -m string \
    --string "/default.ida?" -j DROP
iptables -t filter -A INPUT -i $EXT_IFACE -p tcp \
    -d $IP --dport http -m string \
    --string ".exe?/c+dir" -j DROP
iptables -t filter -A INPUT -i $EXT_IFACE -p tcp \
    -d $IP --dport http -m string \
    --string ".exe?/c+tftp" -j DROP

Supposedly it imposes a larger load on the system to filter by strings but I don't know how to measure this.

> Crap. Still getting hit.
>
> #ADDRESS/SUBNET PROTOCOL PORT
> #av.com crap
> 64.152.75.0/24
> #Googlebot crap
> 216.239.0.0/24
> 216.39.0.0/24
> 209.86.0.0/24
> 209.73.0.0/24
>
> mmbuild4.sv.av.com - - [16/Oct/2002:03:33:47 -0300] "GET /robots.txt HTTP/1.0" 200 20
> mmbuild4.sv.av.com - - [16/Oct/2002:03:33:48 -0300] "GET /victoria/Feb262002/vic2.jpg HTTP/1.0" 302 300
> mmbuild4.sv.av.com - - [16/Oct/2002:03:33:48 -0300] "GET /photos/Feb262002/vic2.jpg HTTP/1.0" 404 291
> 81.6.196.75 - - [16/Oct/2002:05:02:30 -0300] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3% u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 324
> mmbuild8.sv.av.com - - [16/Oct/2002:07:24:59 -0300] "GET /robots.txt HTTP/1.0" 200 20
> mmbuild8.sv.av.com - - [16/Oct/2002:07:24:59 -0300] "GET /victoria/Feb182002/Victoria-3.jpg HTTP/1.0" 302 306
> mmbuild8.sv.av.com - - [16/Oct/2002:07:24:59 -0300] "GET /photos/Feb182002/Victoria-3.jpg HTTP/1.0" 404 297
> 216.39.50.98 - - [16/Oct/2002:07:54:31 -0300] "GET /robots.txt HTTP/1.0" 200 20
> 216.39.50.98 - - [16/Oct/2002:07:54:31 -0300] "GET /victoria/Apr162002/DCP02566.JPG HTTP/1.0" 302 304
> 216.39.50.98 - - [16/Oct/2002:07:54:32 -0300] "GET /photos/Apr162002/DCP02566.JPG HTTP/1.0" 404 295
> 172.24.100.59 - - [16/Oct/2002:08:30:40 -0300] "GET /webmail/src/login.php HTTP/1.1" 302 309
> mmbuild1.sv.av.com - - [16/Oct/2002:09:03:35 -0300] "GET /robots.txt HTTP/1.0" 200 20
> mmbuild1.sv.av.com - - [16/Oct/2002:09:03:36 -0300] "GET /victoria/Apr172002/DCP02573.JPG HTTP/1.0" 302 304
> mmbuild1.sv.av.com - - [16/Oct/2002:09:03:36 -0300] "GET /photos/Apr172002/DCP02573.JPG HTTP/1.0" 404 295
>
>> /32 is for a single host. /24 is what you want if block .0.0's
>>
>> On Tue, 15 Oct 2002 15:45:34 -0300 (ADT)
>> "Joe Gofton" <jgofton@danicar.net> wrote:
>>
>>> Should this work? I want to block these. They keep querying my
>>> webserver for stuff.
>>>
>>> EX:
>>> mmbuild7.sv.av.com - - [15/Oct/2002:15:01:23 -0300] "GET /robots.txt HTTP/1.0" 200 20
>>> mmbuild7.sv.av.com - - [15/Oct/2002:15:01:23 -0300] "GET /victoria/May312002/dcp02722.jpg HTTP/1.0" 302 304
>>> mmbuild7.sv.av.com - - [15/Oct/2002:15:01:24 -0300] "GET /photos/May312002/dcp02722.jpg HTTP/1.0" 404 295
>>>
>>> My blacklist
>>>
>>> ###############################################################################
>>> #ADDRESS/SUBNET PROTOCOL PORT
>>> #av.com crap
>>> 64.152.75.0/32
>>> #Googlebot crap
>>> 216.239.0.0/32
>>> 216.39.0.0/32
>>> 209.86.0.0/32
>>> 209.73.0.0/32
>>>
>>> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>>
>> --
>> Paul Slinski
>> System Administrator
>> Global IQX
>> http://www.globaliqx.com/
>> pauls@globaliqx.com

______________________________________
John Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/
(907) 790-3386
> -----Original Message-----
> From: John S. Andersen
> Sent: Wednesday, October 16, 2002 3:20 PM
> Subject: Re: [Shorewall-users] Blacklist
>
> On 16 Oct 2002 at 9:38, Joe Gofton wrote:
>
> Can't tell you, but I found some antidote against such stuff in the
> internet:
>
> # DROP HTTP packets related to CodeRed and Nimda
> # viruses silently
> iptables -t filter -A INPUT -i $EXT_IFACE -p tcp \
>     -d $IP --dport http -m string \
>     --string "/default.ida?" -j DROP
> iptables -t filter -A INPUT -i $EXT_IFACE -p tcp \
>     -d $IP --dport http -m string \
>     --string ".exe?/c+dir" -j DROP
> iptables -t filter -A INPUT -i $EXT_IFACE -p tcp \
>     -d $IP --dport http -m string \
>     --string ".exe?/c+tftp" -j DROP
>
> Supposedly it imposes a larger load on the
> system to filter by strings but I don't know how
> to measure this.
>

Watch out using the strings patch with the netfilter package. Especially if you're trying to block nimda/code red crap. Before long your apache server will have a bunch of open tcp_syns, without the corresponding close.

FWIW: This topic has been discussed on the netfilter list quite extensively. If I remember right, everyone agreed that using some sort of http proxy was a better solution than using the strings patch. Myself, I wrote a cronjob that scans my apache logfiles for the code red/nimda signatures and updates the shorewall blacklist file on an hourly basis.

Steve Cowles
Can you post your cron job code that does this?

Thanks
Steve

At 03:49 PM 10/16/2002 -0500, you wrote:
>> -----Original Message-----
>> From: John S. Andersen
>> Sent: Wednesday, October 16, 2002 3:20 PM
>> Subject: Re: [Shorewall-users] Blacklist
>>
>> On 16 Oct 2002 at 9:38, Joe Gofton wrote:
>>
>> Can't tell you, but I found some antidote against such stuff in the
>> internet:
>>
>> # DROP HTTP packets related to CodeRed and Nimda
>> # viruses silently
>> iptables -t filter -A INPUT -i $EXT_IFACE -p tcp \
>>     -d $IP --dport http -m string \
>>     --string "/default.ida?" -j DROP
>> iptables -t filter -A INPUT -i $EXT_IFACE -p tcp \
>>     -d $IP --dport http -m string \
>>     --string ".exe?/c+dir" -j DROP
>> iptables -t filter -A INPUT -i $EXT_IFACE -p tcp \
>>     -d $IP --dport http -m string \
>>     --string ".exe?/c+tftp" -j DROP
>>
>> Supposedly it imposes a larger load on the
>> system to filter by strings but I don't know how
>> to measure this.
>>
>
> Watch out using the strings patch with the netfilter package. Especially if
> you're trying to block nimda/code red crap. Before long your apache server
> will have a bunch of open tcp_syns, without the corresponding close.
>
> FWIW: This topic has been discussed on the netfilter list quite extensively.
> If I remember right, everyone agreed that using some sort of http proxy was
> a better solution than using the strings patch. Myself, I wrote a cronjob
> that scans my apache logfiles for the code red/nimda signatures and updates
> the shorewall blacklist file on an hourly basis.
>
> Steve Cowles
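Steve's cron job was never posted, so here is an added example (not his script and not Shorewall code) that shows both points the thread makes: it scans Apache access-log lines for the three Code Red/Nimda request signatures John listed, and it checks each offending client against the existing ADDRESS/SUBNET entries with real CIDR containment, so a host such as 216.39.50.106 is reported as uncovered by 216.39.0.0/24 exactly as Tom explained. It assumes the Apache common log format and that the first column of the blacklist file is the address; the sample log lines and blacklist are constructed.

```python
import ipaddress
import re

# Request substrings the thread uses to identify Code Red / Nimda probes.
SIGNATURES = ("/default.ida?", ".exe?/c+dir", ".exe?/c+tftp")
# Apache common/combined log prefix: client host, then the quoted request.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)"')

def parse_blacklist(text):
    """ADDRESS/SUBNET column of a Shorewall blacklist; bare address = /32."""
    nets = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry.split()[0], strict=False))
    return nets

def is_covered(addr, nets):
    """True if addr already falls inside one of the blacklist networks."""
    return any(ipaddress.ip_address(addr) in n for n in nets)

def scan_log(log_text, nets):
    """Client IPs that sent a signature request and are not yet blacklisted."""
    found = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not any(s in m.group(2) for s in SIGNATURES):
            continue
        client = m.group(1)
        try:
            ipaddress.ip_address(client)   # skip resolved hostnames
        except ValueError:
            continue
        if client not in found and not is_covered(client, nets):
            found.append(client)
    return found

# Constructed sample input: Joe's /24 entries and log lines shaped like the thread's.
BLACKLIST = "#av.com crap\n64.152.75.0/24\n#Googlebot crap\n216.39.0.0/24\n"
LOG = "\n".join([
    '81.6.196.75 - - [16/Oct/2002:05:02:30 -0300] "GET /default.ida?NNNN HTTP/1.0" 400 324',
    '216.39.0.7 - - [16/Oct/2002:05:10:00 -0300] "GET /x.exe?/c+dir HTTP/1.0" 404 200',
    '216.39.50.106 - - [16/Oct/2002:05:11:00 -0300] "GET /x.exe?/c+tftp HTTP/1.0" 404 200',
    '10.0.0.5 - - [16/Oct/2002:05:12:00 -0300] "GET /robots.txt HTTP/1.0" 200 20',
])

if __name__ == "__main__":
    nets = parse_blacklist(BLACKLIST)
    for ip in scan_log(LOG, nets):
        print(ip)   # new entries to add before the LAST LINE marker
```

Run hourly from cron, the printed addresses are what would be appended to the blacklist file (followed by a Shorewall refresh); widening 216.39.0.0/24 to /16 in the sample makes 216.39.50.106 disappear from the output.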