
Dealing With Korean Hackers

One day at work I took a look through the logs and noticed that one of our servers was being attacked from a whole bunch of different IP addresses. The attacks were not continuous; they happened once a day at a certain time, so my guess is that an automated script was just doing its thing. Even though the requests they were making were not going to do anything to the system, I decided it would be best to stop their scripts from getting a successful response at all, so I set up some defenses in a few places.

The first step was to create two iptables rules that drop new connections to port 80 from any source address that opens 8 or more of them within 10 seconds (the recent match tracks this per source). That kind of burst was very common: in about 5 minutes there were more than 100 page requests from their scanner.

iptables -I INPUT -i eth0 -p tcp --dport 80 -m state --state NEW -m recent --set --name DEFAULT
iptables -I INPUT -i eth0 -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 10 --hitcount 8 --rttl --name DEFAULT -j DROP

This seemed to slow their scanning down, but it did not stop it. Note that both rules are inserted with -I, so the second command ends up above the first in the chain: a new connection is checked against the recent list (and dropped once it is over the limit) before it is recorded in that list. On to the second method.

Looking in the httpd access.log, each of the scanners they were using sends its own HTTP_USER_AGENT string. Since we already have .htaccess files in place to restrict access to certain directories, I figured I would add some rules there, using mod_rewrite, to refuse requests from those agents.

RewriteEngine On
# Return 403 to any request whose User-Agent starts with one of the scanner names
RewriteCond %{HTTP_USER_AGENT} ^ZmEu [OR]
RewriteCond %{HTTP_USER_AGENT} ^Morfeus [OR]
RewriteCond %{HTTP_USER_AGENT} ^Toata
RewriteRule ^.*$ - [F]
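The log review the post does by eye, as an added example written for this page (not the author's script): it parses Apache Combined Log Format lines, flags sources that would trip the 8-in-10-seconds threshold used in the iptables rules, tallies requests from the scanner User-Agents the htaccess rules match, and also lists request lines that carry a full URL instead of a path, which is the usual shape of the open-proxy abuse that comes up next. The log lines are constructed, and the log regex, the thresholds and the proxy heuristic are this example's own assumptions.

```python
"""Triage an Apache access log for the symptoms the post describes.

Added example for this page, not the author's script. Assumes the Apache
Combined Log Format; SAMPLE_LOG is constructed, not a real capture.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined Log Format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Default User-Agent prefixes of the three scanners named in the post; the
# RewriteCond lines match the same prefixes with ^.
SCANNER_UA_PREFIXES = ("ZmEu", "Morfeus", "Toata")

# Constructed sample: one burst from a ZmEu scan, a proxy-style request,
# normal browsing, and single probes from the other two scanners.
SAMPLE_LOG = """\
218.38.12.40 - - [14/Mar/2011:03:00:01 +0900] "GET /phpmyadmin/ HTTP/1.1" 404 293 "-" "ZmEu"
218.38.12.40 - - [14/Mar/2011:03:00:02 +0900] "GET /phpMyAdmin/ HTTP/1.1" 404 293 "-" "ZmEu"
218.38.12.40 - - [14/Mar/2011:03:00:03 +0900] "GET /pma/ HTTP/1.1" 404 293 "-" "ZmEu"
218.38.12.40 - - [14/Mar/2011:03:00:04 +0900] "GET /myadmin/ HTTP/1.1" 404 293 "-" "ZmEu"
10.0.0.5 - - [14/Mar/2011:03:00:04 +0900] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
218.38.12.40 - - [14/Mar/2011:03:00:05 +0900] "GET /admin/ HTTP/1.1" 404 293 "-" "ZmEu"
218.38.12.77 - - [14/Mar/2011:03:00:05 +0900] "GET http://example.net/files/a.zip HTTP/1.1" 404 293 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
218.38.12.40 - - [14/Mar/2011:03:00:06 +0900] "GET /mysql/ HTTP/1.1" 404 293 "-" "ZmEu"
218.38.12.40 - - [14/Mar/2011:03:00:07 +0900] "GET /dbadmin/ HTTP/1.1" 404 293 "-" "ZmEu"
10.0.0.5 - - [14/Mar/2011:03:00:07 +0900] "GET /style.css HTTP/1.1" 200 210 "http://www.example.com/index.html" "Mozilla/5.0"
218.38.12.40 - - [14/Mar/2011:03:00:08 +0900] "GET /web/phpmyadmin/ HTTP/1.1" 404 293 "-" "ZmEu"
218.38.12.40 - - [14/Mar/2011:03:00:09 +0900] "GET /mysqladmin/ HTTP/1.1" 404 293 "-" "ZmEu"
198.51.100.9 - - [14/Mar/2011:03:01:00 +0900] "GET /scripts/setup.php HTTP/1.1" 404 293 "-" "Toata dragostea mea pentru diavola"
203.0.113.7 - - [14/Mar/2011:03:02:30 +0900] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 293 "-" "Morfeus strikes again"
"""


def parse_line(line):
    """One log line as a dict, or None if it is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def parse_log(text):
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def burst_sources(records, hitcount=8, seconds=10):
    """Sources making `hitcount` or more requests inside any `seconds`-long
    window (the `--seconds 10 --hitcount 8` threshold). {ip: peak in a window}"""
    window = timedelta(seconds=seconds)
    recent = defaultdict(deque)
    peak = {}
    for rec in sorted(records, key=lambda r: r["time"]):
        q = recent[rec["ip"]]
        q.append(rec["time"])
        while rec["time"] - q[0] > window:  # forget stamps older than the window
            q.popleft()
        if len(q) >= hitcount:
            peak[rec["ip"]] = max(peak.get(rec["ip"], 0), len(q))
    return peak


def scanner_hits(records):
    """Requests per known scanner, keyed by User-Agent prefix."""
    hits = defaultdict(int)
    for rec in records:
        for prefix in SCANNER_UA_PREFIXES:
            if rec["ua"].startswith(prefix):
                hits[prefix] += 1
    return dict(hits)


def proxy_requests(records):
    """Request lines whose target is a full URL rather than a path, i.e. a
    client trying to use this server as a forward proxy (assumed log shape)."""
    found = []
    for rec in records:
        parts = rec["req"].split()
        if len(parts) >= 2 and re.match(r"https?://", parts[1], re.IGNORECASE):
            found.append((rec["ip"], parts[1]))
    return found


def summarize(text, hitcount=8, seconds=10):
    recs = parse_log(text)
    return {
        "bursts": burst_sources(recs, hitcount, seconds),
        "scanners": scanner_hits(recs),
        "proxy": proxy_requests(recs),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for ip, n in report["bursts"].items():
        print(f"burst: {ip} peaked at {n} requests in 10s (would trip the rate limit)")
    for name, n in report["scanners"].items():
        print(f"scanner UA {name}: {n} requests")
    for ip, url in report["proxy"]:
        print(f"proxy attempt from {ip}: {url}")
```

Run it over a real log with `summarize(open("/var/log/httpd/access_log").read())` and look at who trips the burst threshold before you deploy the rate limit. One caveat when tuning: the log counts HTTP requests, while the iptables rule counts new TCP connections, and with keep-alive one connection carries several requests, so the request count is an upper bound on what the rule will see from a browser.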

This got rid of the ZmEu, Morfeus and Toata scripts, at least as long as they keep their default User-Agent strings; a scanner that changes its string will sail straight past a rule like this. Then another problem came up: someone was using our site as a sort of proxy, fetching files from some other website through it. Since a lot of the traffic was coming from Korea, I decided to just block the whole /24 it came from. My company handles local newspapers, not something people in Korea are likely to be interested in.

iptables -I INPUT -i eth0 -s 218.38.12.0/24 -j DROP

This works, but the rules live only in the kernel, so they are flushed when the server reboots; I needed a way to reload them at start-up. (rc.local has to be executable for this to run at boot; on a system with an iptables init script, `service iptables save` or the iptables-persistent package does the same job.)

mkdir /etc/iptables
iptables-save > /etc/iptables/iptables.rules
echo "iptables-restore < /etc/iptables/iptables.rules" >> /etc/rc.d/rc.local

After a few days of watching the logs, there did not seem to be any more scripted attacks coming from Korea.

