CentOS - Apr 2020 - Netfilter fails to filter traffic from a netblock?

Hi Everyone,

We rent a CentOS 7 VM from GoDaddy. We received a warning about
excessive cpu usage, and a threat to cancel our service. We tracked it
down to Apache and someone hammering our web server.

The offending host is 59.64.129.175. To err on the side of caution we
attempted to block the entire netblock. According to whois data,
that's 59.64.128.0-59.64.159.255.

    iptables -A INPUT -s 59.64.128.0/19 -p TCP -j DROP

After reboot cpu usage is still high and access_log still shows
useless requests from the host:

    59.64.129.175 - - [19/Apr/2020:08:53:53 -0400] "GET
    /w/index.php?title=Special:WhatLinksHere&limit=50&
    printable=yes HTTP/1.1" 301 311

I seem to be missing something. That's not surprising since I am not a
server administrator.

How do I filter the unwanted traffic from the netblock?

Thanks in advance.

On 19/04/2020 14:58, Jeffrey Walton wrote:

Hi Jeffrey,
> The offending host is 59.64.129.175. To err on the side of caution we
> attempted to block the entire netblock. According to whois data,
> that's 59.64.128.0-59.64.159.255.
> 
>     iptables -A INPUT -s 59.64.128.0/19 -p TCP -j DROP
> 
> After reboot cpu usage is still high and access_log still shows
> useless requests from the host:
Did you actually arrange for your iptables rule to be reinstated at boot?

If you just configure a rule as above, but don't save it, it will
disappear ar reboot.

Regards,
Anand

On Sun, Apr 19, 2020 at 9:26 AM Anand Buddhdev <anandb at ripe.net>
wrote:
>
> On 19/04/2020 14:58, Jeffrey Walton wrote:
>
> Hi Jeffrey,
>
> > The offending host is 59.64.129.175. To err on the side of caution we
> > attempted to block the entire netblock. According to whois data,
> > that's 59.64.128.0-59.64.159.255.
> >
> >     iptables -A INPUT -s 59.64.128.0/19 -p TCP -j DROP
> >
> > After reboot cpu usage is still high and access_log still shows
> > useless requests from the host:
>
> Did you actually arrange for your iptables rule to be reinstated at boot?
>
> If you just configure a rule as above, but don't save it, it will
> disappear ar reboot.
Ugh, thanks. I did not realize the changes were only temporary.

What is the recommended way to permanently add a ban rule?

Thanks again.

On Sun, Apr 19, 2020 at 8:58 AM Jeffrey Walton <noloader at gmail.com>
wrote:
>
> Hi Everyone,
>
> We rent a CentOS 7 VM from GoDaddy. We received a warning about
> excessive cpu usage, and a threat to cancel our service. We tracked it
> down to Apache and someone hammering our web server.
>
> The offending host is 59.64.129.175. To err on the side of caution we
> attempted to block the entire netblock. According to whois data,
> that's 59.64.128.0-59.64.159.255.
>
>     iptables -A INPUT -s 59.64.128.0/19 -p TCP -j DROP
>
> After reboot cpu usage is still high and access_log still shows
> useless requests from the host:
>
>     59.64.129.175 - - [19/Apr/2020:08:53:53 -0400] "GET
>     /w/index.php?title=Special:WhatLinksHere&limit=50&
>     printable=yes HTTP/1.1" 301 311
>
> I seem to be missing something. That's not surprising since I am not a
> server administrator.
>
> How do I filter the unwanted traffic from the netblock?
Thanks Mike and Mark.

This is where I am at... I'm following
https://www.howtogeek.com/177621/the-beginners-guide-to-iptables-the-linux-firewall/
because GoDaddy has not published any documents on this (other then
use cPanel, which I don't have access to).

The rule is persisted but it is being ignored.

# iptables -L | grep policy
Chain INPUT (policy ACCEPT)
Chain FORWARD (policy ACCEPT)
Chain OUTPUT (policy ACCEPT)

# iptables -A INPUT -s 59.64.128.0/19 -p TCP -j DROP
# /sbin/service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables: [OK]

<reboot, top still shows high usage, logs still show requests from
offender>

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state
RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             state
NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             state
NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             state
NEW tcp dpt:https
REJECT     all  --  anywhere             anywhere
reject-with icmp-host-prohibited
DROP       tcp  --  59.64.128.0/19       anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere
reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

We really need the server to honor this rule. How do we get CentOS to
use this rule?

Jeff

Am 19.04.2020 um 14:58 schrieb Jeffrey Walton:
> The offending host is 59.64.129.175. To err on the side of caution we
> attempted to block the entire netblock. According to whois data,
> that's 59.64.128.0-59.64.159.255.
> 
>      iptables -A INPUT -s 59.64.128.0/19 -p TCP -j DROP
There was no comment so far that the order of the iptables rules 
matters. With your command you append to the existing rules. If would be 
without effect in case there is a rule in order before which permits the 
traffic you try to block.
> After reboot cpu usage is still high and access_log still shows
> useless requests from the host:
> 
>      59.64.129.175 - - [19/Apr/2020:08:53:53 -0400] "GET
>      /w/index.php?title=Special:WhatLinksHere&limit=50&
>      printable=yes HTTP/1.1" 301 311
> 
> I seem to be missing something. That's not surprising since I am not a
> server administrator.
> 
> How do I filter the unwanted traffic from the netblock?
The iptables rules should be saved in /etc/sysconfig/iptables to be read 
in at boot time (or when the iptables services gets restarted).

Alexander

Insert the rule early in the chain. To determine where, I use this command:

iptables -L INPUT -v -n --line-numbers

You should put the new rule before rule 1, I think, so it takes effect 
before even the ESTABLISHED rule from the connection tracker.

Use this:

iptables -I INPUT 1 -s 59.64.128.0/19 -p TCP -j DROP

If you think you'll build up a list of attackers, you can use an ipset, 
instead. I use firewalld for my own firewalls, which has integral support 
for saving and restoring ipsets. You can use a firewalld "direct" rule
to
insert an ipset-based ban before other rules in the INPUT chain.