I want to thank everyone for all their suggestions. Everything has been of help 
to me.

With this said, you'll notice that all requests result in a 302 because I 
detect them first and redirect them so I have already captured their IP. So 
what I decided to do for now is instead of redirecting, I am passing the IPs 
off to netfilter to block them and then releasing those IPs from the filter 
after some time. This is working OK for the time being and certainly better 
than nothing.

Question: is there a way to block IPs using netfilter/shorewall with a 
"time-to-live"? That would be an awesome feature if there is one. I was not 
able to find anything on that at the site. Right now I'm storing the IPs in a 
text file and then purging from the filter. If there was a ttl this would be 
much easier.

Thanks again everyone,
John

From: [email protected]
To: [email protected]
Date: Tue, 24 Aug 2010 19:33:28 -0700
Subject: [Shorewall-users] Can Shorewall Help Me?

Hello,

I've been a Shorewall user and supporter for many years and it has been a great 
tool. But recently our Web servers have been under attack and I can figure out 
how to stop it. The problem is that the attacks are coming in on port 80 all 
from different IPs. I'm talking thousands of requests per hour. I can't find 
any information on how to stop this kind of attack. What I'm doing right now is 
redirecting these from cgi to a page using mod rewrite, but this isn't stopping 
all these requests from being initiated and it's killing our server. Any ideas 
on what to do?

216.109.73.21 - - [24/Aug/2010:19:21:25 -0700] "GET /cgi-bin/sitesearch.cgi?t=XXXdUwYrtYXXXdU HTTP/1.0" 302 298 "http://vanhanhphuc.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.9) Gecko/20100315 Firefox/3.5.9"
200.43.141.173 - - [24/Aug/2010:19:21:25 -0700] "GET /cgi-bin/sitesearch.cgi?t=XXXdUwYrtYXXXdU HTTP/1.0" 302 298 "http://vanhanhphuc.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.9) Gecko/20100315 Firefox/3.5.9"
210.13.105.7 - - [24/Aug/2010:19:21:26 -0700] "GET /cgi-bin/sitesearch.cgi?t=XXXdUwYrtYXXXdU HTTP/1.1" 302 298 "http://vanhanhphuc.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.9) Gecko/20100315 Firefox/3.5.9"

I have verified that there is nothing on the "http://vanhanhphuc.com/" page 
pointing to us (no frames, script or ?). What you will notice is that all these 
requests have the same user-agent (millions of them exactly the same) which 
leads me to believe this is a worm of some sort.

Is there anything Shorewall can do to help us? If not, any ideas of what we can 
do?

Thanks in advance,
John
                                          

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users                    
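
Added example, not part of the messages above and not Shorewall's own code: ipset sets created with a `timeout` let the kernel expire each blocked address itself, which replaces the text file and manual purge described in the reply. The sketch below picks flood sources out of access-log lines and emits `ipset restore` input; the set name `webflood`, the one-hour TTL and the choice to match on path, referer and user-agent together are assumptions.

```python
import ipaddress
import re

# Apache combined log line: client, request, status, size, referer, user-agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+)[^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')

# Signature copied from the log excerpt in the message above.
FLOOD_PATH = "/cgi-bin/sitesearch.cgi"
FLOOD_REFERER = "http://vanhanhphuc.com/"
FLOOD_AGENT = ("Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; "
               "rv:1.9.1.9) Gecko/20100315 Firefox/3.5.9")
SET_NAME = "webflood"  # hypothetical ipset name
TTL_SECONDS = 3600     # assumed block duration

def flood_sources(lines):
    """Return sorted, validated client IPs whose requests match the signature."""
    hits = set()
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        path = m["target"].split("?", 1)[0]
        if (path, m["referer"], m["agent"]) != (FLOOD_PATH, FLOOD_REFERER, FLOOD_AGENT):
            continue
        try:
            # The client field may be a resolved hostname: only a parsed address is kept.
            hits.add(ipaddress.IPv4Address(m["ip"]))
        except ipaddress.AddressValueError:
            continue
    return [str(ip) for ip in sorted(hits)]

def ipset_restore_script(ips, ttl=TTL_SECONDS):
    """Build `ipset restore` input; the kernel expires each entry after ttl seconds."""
    rows = [f"create {SET_NAME} hash:ip timeout {ttl}"]
    rows += [f"add {SET_NAME} {ip} timeout {ttl}" for ip in ips]
    return "\n".join(rows) + "\n"

# Constructed sample lines in the format of the excerpt (documentation addresses).
_FMT = '{} - - [24/Aug/2010:19:21:25 -0700] "GET {} HTTP/1.0" 302 298 "{}" "{}"'
_HIT = FLOOD_PATH + "?t=XXXdUwYrtYXXXdU"
SAMPLE = [
    _FMT.format("203.0.113.9", _HIT, FLOOD_REFERER, FLOOD_AGENT),
    _FMT.format("192.0.2.44", _HIT, FLOOD_REFERER, FLOOD_AGENT),
    _FMT.format("198.51.100.7", "/index.html", "-", FLOOD_AGENT),  # ordinary visitor
    _FMT.format("bad.host.example", _HIT, FLOOD_REFERER, FLOOD_AGENT),  # not an IP
]

if __name__ == "__main__":
    print(ipset_restore_script(flood_sources(SAMPLE)), end="")
```

The output is meant to be piped to `ipset -exist restore`, with a netfilter rule such as `iptables -I INPUT -p tcp --dport 80 -m set --match-set webflood src -j DROP` doing the drop. No purge job is needed because entries leave the set when their timeout runs out.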
                  