This is a continuation to my previous post on Dealing With Korean Hackers.
When I last left off, I had started banning IP addresses with iptables because the mod_rewrite module in Apache was not giving me the result I wanted. The problem with mod_rewrite was that the request was still being made and answered, which meant my log files were still being flooded with page requests. I wanted those entries gone from the logs entirely, and to do that I needed to stop the requests at the network level instead of the application level. So, back I go to iptables.
There is one little-known feature of iptables, the string match module, that scans each packet for a given string and lets you decide what the firewall should do with a packet that contains it. Since I was already modifying my iptables chains, I decided to make the setup a little more modular and systematic. To achieve this, we will create two new chains.
iptables -N BANNED
iptables -N IPBAN
I will be using the BANNED chain to match known scanner strings in incoming packets. IPBAN will be used to ban specific offenders by IP address. Now we need to hook these chains into the INPUT chain.
iptables -I INPUT -j IPBAN
iptables -I INPUT -j BANNED
Because -I inserts at the top of the chain, the second command puts BANNED above IPBAN, so packets are checked against the BANNED chain first and then the IPBAN chain. A packet that neither chain drops returns to INPUT, proceeds through whatever other rules are there (if any), and if it passes those it goes on to its final destination.
Now we need to populate the chains with the proper rules. Here is the list of rules I created for the BANNED chain. These will block the six most common website scanners.
iptables -A BANNED -m string --string "wantsfly" --algo bm -j DROP
iptables -A BANNED -m string --string "ZmEu" --algo bm -j DROP
iptables -A BANNED -m string --string "w00tw00t" --algo bm -j DROP
iptables -A BANNED -m string --string "Toata" --algo bm -j DROP
iptables -A BANNED -m string --string "proxyjudge" --algo bm -j DROP
iptables -A BANNED -m string --string "Morfeus" --algo bm -j DROP
The only option there that might not make much sense is "--algo bm". This tells iptables which search algorithm to use when scanning the packet for the given string. There are two to choose from, but "bm" (Boyer-Moore) will work just fine for our needs. The rest should make sense just by looking at it.
The following is a list of specific offenders gathered from my logs. They earned their place on it by trying to find web pages that do not exist, and that anyone legitimately using our network would know do not exist.
iptables -A IPBAN -s 222.186.24.74 -j DROP
iptables -A IPBAN -s 61.128.121.138 -j DROP
iptables -A IPBAN -s 207.234.184.149 -j DROP
iptables -A IPBAN -s 210.127.253.99 -j DROP
iptables -A IPBAN -s 196.40.74.18 -j DROP
iptables -A IPBAN -s 174.142.38.185 -j DROP
iptables -A IPBAN -s 72.167.203.63 -j DROP
iptables -A IPBAN -s 202.194.15.192 -j DROP
iptables -A IPBAN -s 123.65.246.154 -j DROP
iptables -A IPBAN -s 173.203.240.14 -j DROP
iptables -A IPBAN -s 188.65.51.246 -j DROP
iptables -A IPBAN -s 206.223.157.244 -j DROP
iptables -A IPBAN -s 180.211.129.38 -j DROP
iptables -A IPBAN -s 83.242.145.34 -j DROP
iptables -A IPBAN -s 94.23.63.40 -j DROP
iptables -A IPBAN -s 218.38.12.0/24 -j DROP
iptables -A IPBAN -s 67.212.67.7 -j DROP
iptables -A IPBAN -s 123.182.6.214 -j DROP
iptables -A IPBAN -s 61.183.15.9 -j DROP
iptables -A IPBAN -s 221.192.199.35 -j DROP
iptables -A IPBAN -s 62.193.225.80 -j DROP
iptables -A IPBAN -s 221.1.220.185 -j DROP
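The whole procedure above (create the two chains, hook them into INPUT, fill them from a list of scanner strings and a list of addresses) as one script. This is an added example, not the post's own script, and it makes two assumptions beyond what the post shows: the lists live in shell variables standing in for files such as /etc/iptables/scanner-strings and /etc/iptables/banned-sources (assumed paths), and the string rules are restricted to TCP port 80. That restriction matters because the string module looks anywhere in any inbound packet, so without it any packet to any port that happens to carry one of those strings would be dropped too. The script prints the commands so they can be reviewed, and only runs them with --apply.

```shell
#!/bin/sh
# Added example, not the post's own script. Rebuilds the BANNED and IPBAN
# chains from two lists so they can be re-applied after editing the lists or
# after a reboot without the INPUT jumps piling up. The lists are inline here;
# in practice they would be files such as /etc/iptables/scanner-strings and
# /etc/iptables/banned-sources (assumed paths).

# Scanner signatures from the post, one per line.
SCANNER_STRINGS="wantsfly
ZmEu
w00tw00t
Toata
proxyjudge
Morfeus"

# Two entries from the post's list as a constructed sample; the full list
# drops in here unchanged. A CIDR prefix works because -s accepts one.
BANNED_SOURCES="222.186.24.74
218.38.12.0/24"

# Print, rather than run, the iptables commands that build both chains, so
# the result can be reviewed before anything touches the firewall.
emit_rules() {
    for chain in BANNED IPBAN; do
        # -N fails if the chain already exists (harmless); -F then empties it
        # so the two lists are the single source of truth.
        printf 'iptables -N %s 2>/dev/null || true\n' "$chain"
        printf 'iptables -F %s\n' "$chain"
        # Remove every existing jump to the chain from INPUT.
        printf 'while iptables -D INPUT -j %s 2>/dev/null; do :; done\n' "$chain"
    done
    # Same insertion order as the post: IPBAN first, then BANNED inserted above
    # it, so packets are checked against BANNED before IPBAN.
    printf 'iptables -I INPUT -j IPBAN\n'
    printf 'iptables -I INPUT -j BANNED\n'
    # Payload matching limited to TCP port 80 (an addition to the post's rules):
    # the string module searches the whole packet on any port, so without this
    # restriction unrelated traffic containing one of the strings is dropped too.
    printf '%s\n' "$SCANNER_STRINGS" | while IFS= read -r sig; do
        [ -n "$sig" ] || continue
        printf 'iptables -A BANNED -p tcp --dport 80 -m string --string "%s" --algo bm -j DROP\n' "$sig"
    done
    printf '%s\n' "$BANNED_SOURCES" | while IFS= read -r src; do
        [ -n "$src" ] || continue
        printf 'iptables -A IPBAN -s %s -j DROP\n' "$src"
    done
}

# Number of DROP rules the lists produce; a quick sanity check before applying.
count_drop_rules() {
    emit_rules | grep -c -- '-j DROP'
}

# Review with `sh build-bans.sh`; apply as root with `sh build-bans.sh --apply`.
if [ "${1:-}" = "--apply" ]; then
    emit_rules | sh -e
else
    emit_rules
fi
```

Running the script without arguments prints the commands; piping them through sh -e under --apply stops at the first iptables error instead of leaving a half-built chain. Deleting the old INPUT jumps before re-inserting keeps the BANNED-before-IPBAN order stable no matter how many times the script is run.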
Since I put these chains and rules in place two weeks ago, I have yet to see any malicious activity on our servers. Of course, I will continue to monitor the logs to see if there are any other automatic scanners attacking our servers, but for the time being, things seem to be flowing smoothly.
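The log monitoring mentioned above, done with a script instead of by eye. This is an added example and not part of the original post: it reads Apache combined-format log lines, counts 400 and 404 responses per client, and prints the clients above a threshold as candidate IPBAN rules for review. The log lines and addresses are constructed for the example (the real input would be a file such as /var/log/apache2/access.log, path assumed). A request from a known scanner still showing up here after the BANNED chain is loaded is worth a look, since the string match works one packet at a time and a signature split across two packets does not match.

```shell
#!/bin/sh
# Added example, not from the post: picks candidate IPBAN entries out of an
# Apache access log, the review the post's list was built from by hand.
# Constructed sample log lines (documentation addresses); real input would be
# /var/log/apache2/access.log (assumed path).
SAMPLE_LOG='10.0.0.5 - - [01/Jan/2011:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2011:10:00:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "ZmEu"
198.51.100.7 - - [01/Jan/2011:10:00:02 +0000] "GET /pma/ HTTP/1.1" 404 210 "-" "ZmEu"
198.51.100.7 - - [01/Jan/2011:10:00:03 +0000] "GET /myadmin/ HTTP/1.1" 404 210 "-" "ZmEu"
203.0.113.9 - - [01/Jan/2011:10:00:05 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 226 "-" "-"
10.0.0.5 - - [01/Jan/2011:10:00:06 +0000] "GET /missing.png HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Jan/2011:10:00:07 +0000] "GET /admin/ HTTP/1.1" 404 210 "-" "-"
203.0.113.9 - - [01/Jan/2011:10:00:08 +0000] "GET /setup.php HTTP/1.1" 404 210 "-" "-"
203.0.113.9 - - [01/Jan/2011:10:00:09 +0000] "GET /mysql/ HTTP/1.1" 404 210 "-" "-"'

# Read log lines on stdin and print "count ip" for every client with at least
# $1 (default 3) responses of 400 or 404, busiest first. In the combined
# format field 1 is the client address and field 9 the status code.
find_scanners() {
    threshold="${1:-3}"
    awk -v min="$threshold" '
        $9 == 404 || $9 == 400 { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] >= min) printf "%d %s\n", hits[ip], ip }
    ' | sort -rn
}

# Turn the candidates into IPBAN rules for review; nothing is applied here.
# A single 404 from a real visitor (10.0.0.5 above) stays below the threshold.
suggest_rules() {
    find_scanners "$1" | while read -r count ip; do
        printf '# %s probes\niptables -A IPBAN -s %s -j DROP\n' "$count" "$ip"
    done
}

# Usage with the constructed sample; on a server: find_scanners 3 < access.log
printf '%s\n' "$SAMPLE_LOG" | suggest_rules 3
```

The threshold is the judgment call: a handful of 404s is normal for real visitors following stale links, while a burst of requests for admin panels that have never existed on the host is the pattern the post describes, so review the printed paths before any address goes into the IPBAN list.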