I really think you need to have a rethink about your use of IPTables. The
STRINGS rule should be used lightly and only in cases of emergency to patch
up a problem; and then it will give you time to think of the _real_ way to
patch your machine, either the application/server or through the proper use
of IPTables. STRING can put a lot of load on a computer as every single
packet is parsed for the string; this can cripple a computer and affect
legitimate traffic.
You seem to be trying to cover for both Windows and Unix web servers. Make up
your mind; an exploit that sends 'command.com' to a UNIX box is not going to
do much, whilst a '/bin/bash' is not going to do much to the windoze box.
Now in the case of e-mail you have to be (sorry to say it) stupid to
search for the file extensions; remember that if I were to send you an
e-mail saying 'and when you compile the source code to my new game you should
have a game.exe file to run', the e-mail will be dropped! Come on, put some
thought into your rules.
Now if you tweak the mail server to actually drop _attachments_ with a
certain list of extensions then you will get much better performance and
fewer false positives as they are called in the trade. The load will be
moved to the mail server.
You can also tweak the web server to look at the URLs before they are
processed and drop those you deem dubious, rather than some web page you
might have on your site mentioning to "go to Start->Run->'cmd'".
With your rules as they are you will be unable to visit a website that says
'command.com' or '/bin/bash'. Forget looking at BASH scripts! If you get
the web server to do the processing then the load can be moved to the
webserver.
All of this can free up the gateway machine to run SNORT if you really are
paranoid....
Now go think about what you have done...<Mr_T>Darn foo!</Mr_T>
Regards
Alxe
In article <(E-Mail Removed)>, WsWi wrote:
> Dear all,
>
> I got a problem when trying to add more iptables string rules ( > 32
> rules ) and it says that iptables can't load any longer. Do I need to
> increase my threshold?? If yes.. where should I put it??
>
> here is my fw rules:-
>
> ####### WEB APPS (DENG.. I NEED MORE SIGNATURES!!!!)################
>
> iptables -A FORWARD -p tcp --dport 80 -m string --string "/bin/sh" -j REJECT --reject-with tcp-reset
> iptables -A FORWARD -p tcp --dport 80 -m string --string "command.com" -j REJECT --reject-with tcp-reset
> iptables -A FORWARD -p tcp --dport 80 -m string --string "cmd.exe" -j REJECT --reject-with tcp-reset
> iptables -A FORWARD -p tcp --dport 80 -m string --string "cmd" -j REJECT --reject-with tcp-reset
> iptables -A FORWARD -p tcp --dport 80 -m string --string "cmdshell" -j REJECT --reject-with tcp-reset
> iptables -A FORWARD -p tcp --dport 80 -m string --string "Microsoft OLE DB" -j REJECT --reject-with tcp-reset
> iptables -A FORWARD -p tcp --dport 80 -m string --string "xp_startmail" -j REJECT --reject-with tcp-reset
> iptables -A FORWARD -p tcp --dport 80 -m string --string "xp_sendmail" -j REJECT --reject-with tcp-reset
> iptables -A FORWARD -p tcp --dport 80 -m string --string "sp_makewebtask" -j REJECT --reject-with tcp-reset
> iptables -A FORWARD -p tcp --dport 80 -m string --string "/bin/bash" -j REJECT --reject-with tcp-reset
>
> ######### EMAIL APPS (WAU WEEE JUNIOR JUICE :P) ####################
> iptables -A FORWARD -p tcp --dport 25 -m string --string ".eml" -j REJECT --reject-with tcp-reset
> iptables -A FORWARD -p tcp --dport 25 -m string --string ".exe" -j REJECT --reject-with tcp-reset
> iptables -A FORWARD -p tcp --dport 25 -m string --string ".bat" -j REJECT --reject-with tcp-reset
> iptables -A FORWARD -p tcp --dport 25 -m string --string ".com" -j REJECT --reject-with tcp-reset
> iptables -A FORWARD -p tcp --dport 25 -m string --string ".pif" -j REJECT --reject-with tcp-reset
> iptables -A FORWARD -p tcp --dport 25 -m string --string ".dll" -j REJECT --reject-with tcp-reset
> iptables -A FORWARD -p tcp --dport 25 -m string --string ".js" -j REJECT --reject-with tcp-reset
> iptables -A FORWARD -p tcp --dport 25 -m string --string ".url" -j REJECT --reject-with tcp-reset
> iptables -A FORWARD -p tcp --dport 25 -m string --string ".ocx" -j REJECT --reject-with tcp-reset
> iptables -A FORWARD -p tcp --dport 25 -m string --string ".adp" -j REJECT --reject-with tcp-reset
> iptables -A FORWARD -p tcp --dport 25 -m string --string ".asd" -j REJECT --reject-with tcp-reset
> iptables -A FORWARD -p tcp --dport 25 -m string --string ".bas" -j REJECT --reject-with tcp-reset
> iptables -A FORWARD -p tcp --dport 25 -m string --string ".chm" -j REJECT --reject-with tcp-reset
> iptables -A FORWARD -p tcp --dport 25 -m string --string ".jse" -j REJECT --reject-with tcp-reset
> iptables -A FORWARD -p tcp --dport 25 -m string --string ".inf" -j REJECT --reject-with tcp-reset
> iptables -A FORWARD -p tcp --dport 25 -m string --string ".vbs" -j REJECT --reject-with tcp-reset
> iptables -A FORWARD -p tcp --dport 25 -m string --string ".vb" -j REJECT --reject-with tcp-reset