iptables string match to drop malicious urls

iptables string match to drop malicious urls

==================================

Usually modsecurity rules can help filter many malicious url attack patterns combined with apache on apache port (http|https).  But what if a malicious attack using a vulnerable url pattern, that exposes or tries to break into your system is coming onto another port?

This is where iptables string match comes in handy.

/usr/local/sbin/iptables -I INPUT -p tcp -s 0.0.0.0/0 -m stringstring “download?file=%2e%2e” –algo bm -j DROP

[root@server ~]# iptables -L -v | grep STR
73 49908 DROP       tcp  –  any    any     anywhere             anywhere            STRING match “download?file=%2e%2e” ALGO name bm TO 65535

[root@server ~]#

The above iptable rule will block any url  that has the string “download?file=%2e%2e” on any port on your server.

Note: your iptables binary path may be /sbin/iptables

Say http://yourserverIP:9132/blah/download?file=%2e%2e

Leave a Reply

Your email address will not be published. Required fields are marked *