Re: Apache vulnerability?
- From: Alex <mysqlstudent@xxxxxxxxx>
- Date: Tue, 1 Nov 2011 21:23:05 -0400
Hi,
> This looks to me like tcp on dport 22 is allowed and there I would think
> that the minimal change would be to insert a rule before this which says
> "anything from offending_ip via tcp should be rejected".
> I'm still trying to get comfortable with iptables and, even though there
> is a lot of stuff out there, I'm still working to get the necessary
> critical mass of understanding so it all falls into place. This thread
> looked like a good chance to see if I'm closer to understanding.
Yes, that's a good approach too. If you are editing the existing
iptables config script from /etc/sysconfig/iptables, then that's
exactly what you would do. Something like this should work:
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j DROP -s <offending_ip/range>
-A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
the "<offending_ip/range>" might be something like 1.2.3.0/24 to block
the entire 256 addresses on that network.
HTH,
Alex
> Alex:
> Thanks ... it does help to get a confirmation that my understanding of your
> example is at least in the general right direction.
> Just to check to make sure I got the last bit of info right ...
> In your particular example of what appears to be China Telecom, are you
> assuming that they are using the ip 1.2.3.0/24 and that translates to
> 1.2.3.[0-255]?
Yes, that's correct. Search for CIDR notation.
> I have a LAN which assumes router connecting to outside world is
> 192.168.1.1 and my network is 192.168.2.* (wireless only engaged when
> necessary for both 192.168.1.1 and one Linksys at 192.168.2.2). To me,
> this means that I "only have one IP address on that host" per your
> email. If I am correct, I don't need to worry about a generalized
> 192.168.2.0/24 rule on each machine to prevent something I don't know about.
Yes, that's correct, but I was really referring to the destination --
if you wanted to block more than one host at a time, such as for an
entire ISP in China, for example. So from my original log entry
example of 222.186.24.108, you might do:
# iptables -j DROP -I INPUT -s 222.186.24.0/24
This would block all access from that host to your network.
> The addition of 25, 80, and 443 ports are your suggestions for what to
> allow as opposed to mandatories (everything is working nicely on my
> system with the default and the only other port access I need to do is
> in sendmail.mc).
I wasn't sure if that was from the original rulebase or if it was
something I added :-)
The default is to allow everything, but there is an ICMP reject rule at
the bottom of the rulebase that rejects everything else for which
there is no rule such as those for port 25 and 80.
Best,
Alex
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
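Added example, not from this thread and not Alex's or Paul's code: a standard-library Python simulator of first-match evaluation over the INPUT rules quoted above. It shows why the "-s <offending_ip/range>" DROP has to sit before the matching ACCEPT rather than be appended after it, that the quoted DROP line only covers port 80, and that 222.186.24.0/24 contains the logged 222.186.24.108; the closing REJECT rule and the eth0 interface name are assumptions.

```python
import ipaddress

# Constructed rules in the quoted file's iptables-save syntax; the closing
# REJECT is the tail system-config-firewall normally writes (assumed here).
BASE = ["-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
        "-A INPUT -i lo -j ACCEPT"]
ACCEPT_80 = "-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT"
DROP_BAD = "-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j DROP -s 222.186.24.0/24"
TAIL = ["-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT",
        "-A INPUT -j REJECT --reject-with icmp-host-prohibited"]

OPTS = {"-j": "target", "-s": "src", "--dport": "dport",
        "--state": "state", "-p": "proto", "-i": "iface"}
CONV = {"src": lambda v: ipaddress.ip_network(v, strict=False),
        "dport": int, "state": lambda v: set(v.split(","))}

def parse_rule(line):
    """Turn one '-A INPUT ...' line into its match criteria and jump target."""
    toks = line.split()
    r = dict.fromkeys(OPTS.values())
    for opt, arg in zip(toks, toks[1:]):
        if opt in OPTS:
            r[OPTS[opt]] = CONV.get(OPTS[opt], str)(arg)
    return r

def matches(r, pkt):
    """True when every criterion the rule sets is satisfied by the packet."""
    src_ok = r["src"] is None or ipaddress.ip_address(pkt["src"]) in r["src"]
    state_ok = r["state"] is None or pkt["state"] in r["state"]
    exact_ok = all(r[k] is None or pkt[k] == r[k] for k in ("dport", "proto", "iface"))
    return src_ok and state_ok and exact_ok

def verdict(rules, pkt):
    """First matching rule wins, as in a real chain; else the :INPUT ACCEPT policy."""
    return next((r["target"] for r in rules if matches(r, pkt)), "ACCEPT")

def chain(drop_before_accept):
    """The same rules with the -s DROP inserted before, or appended after, the ACCEPT."""
    mid = [DROP_BAD, ACCEPT_80] if drop_before_accept else [ACCEPT_80, DROP_BAD]
    return [parse_rule(line) for line in BASE + mid + TAIL]

def syn(src, dport):  # a constructed new TCP connection attempt arriving on eth0
    return {"src": src, "dport": dport, "proto": "tcp", "state": "NEW", "iface": "eth0"}

if __name__ == "__main__":
    bad = syn("222.186.24.108", 80)  # the address from the thread's log entry
    print("DROP inserted before ACCEPT:", verdict(chain(True), bad))   # DROP
    print("DROP appended after ACCEPT: ", verdict(chain(False), bad))  # ACCEPT, DROP never reached
    print("Same source, port 22:       ", verdict(chain(True), syn("222.186.24.108", 22)))  # ACCEPT
```

The appended variant is what a late "iptables -A INPUT ..." produces, which is why the thread's "-I INPUT" form, or editing the file above the ACCEPT lines, is the one to use.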