what's wrong with the following? (Besides the half-arsed queueing.)
This is a home router/firewall/NAT machine running OpenBSD. It works fine, but I'm getting periodic log entries about it blocking attempts to connect to TCP port 80 on various sites. And it's legitimate sites that show up in the logs when someone visits them. More confusingly than anything, though, everything works fine despite the log entries.
The logs cite rule 19, which, per pftop, is the following:
19 Block In Log Q dc0 tcp 352 28482 0 return-rst inet all
Where have I gone wrong, and what, exactly, is getting blocked? Again, it's legitimate sites that end users are actually connecting to, not some nefarious thing we've never heard of.
#
int_if = "rl0"
ext_if = "dc0"
# Define a list of IPs that shouldn't ever make it in/out!
nonroute = "{ 192.168.0.0/16, 127.0.0.0/8, 172.16.0.0/12, 10.0.0.0/8, 0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/23, 224.0.0.0/3, 255.255.255.255/32 }"
# Do NAT
nat on $ext_if from 192.168.1.0/24 to any -> $ext_if
# Skip loopback
pass out quick on lo0 from any to any
pass in quick on lo0 from any to any
# No sense in filtering internal LAN, either
pass out quick on $int_if from any to any
pass in quick on $int_if from any to any
# Block some major crap...
block in log quick on $ext_if inet proto icmp from any to any icmp-type redir
block in quick on $ext_if from $nonroute to any
block out quick on $ext_if from $nonroute to any
## FILTER
# Restrict what ICMP traffic we allow
pass in quick on $ext_if inet proto icmp from any to any icmp-type {
echorep, echoreq, timex, unreach }
block in log quick on $ext_if inet proto icmp from any to any
## TCP
pass in quick on $ext_if inet proto tcp from any to any flags S/SA keep state
# Let UDP and ICMP out
pass out quick on $ext_if inet proto udp all keep state
pass out quick on $ext_if inet proto icmp from any to any keep state
# Pass out!
pass out quick on $ext_if inet proto tcp from any to any port ssh queue (ssh)
pass out quick on $ext_if inet proto tcp from any to any flags S/SA keep state queue (ack)
pass out quick on $ext_if inet proto udp all keep state
pass out quick on $ext_if inet proto icmp from any to any keep state
# Now, we block everything else
block return-rst in log quick on $ext_if inet proto tcp from any to any
block return-icmp in log quick on $ext_if inet proto udp from any to any
block in quick on $ext_if all
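A way to triage those log entries, as an added example that is not from the post or the thread: read the pflog with tcpdump and summarise the blocked TCP segments by flag and source port. In this ruleset only a bare SYN creates state (every pass rule says flags S/SA keep state), so any segment that arrives on dc0 after its state has been closed or has timed out (a delayed FIN, a RST, a retransmitted ACK) has no state to match, is not a SYN, and falls through to the return-rst rule; such leftovers carry the remote web server's port 80 as the source. A genuine new connection attempt shows as S instead. Note also that the "pass in quick on $ext_if inet proto tcp from any to any flags S/SA keep state" rule accepts every new inbound TCP connection to the firewall's own listening services, so the block rule never sees a SYN that the pass rule has not already taken. The log lines in the script are constructed in the format OpenBSD's tcpdump prints for pflog; the tcpdump invocation in the comment is the usual one for reading /var/log/pflog.

```shell
#!/bin/sh
# Added example: summarise pf "block in" log entries by TCP flag and source port.
# Feed it the output of:  tcpdump -n -e -ttt -r /var/log/pflog tcp
# Assumption: OpenBSD tcpdump pflog output, e.g.
#   ... rule 19/0(match): block in on dc0: 203.0.113.10.80 > 198.51.100.7.49152: F 1:1(0) ack 2 win 8190
# The flag field is S (SYN), F, R, P, or "." for a bare ACK.

pflog_triage() {
  awk '
    /block in/ {
      n = split($0, part, ": ")
      for (i = 1; i < n; i++) {
        if (index(part[i], " > ")) {
          split(part[i], ep, " > ")        # ep[1] = src addr.port, ep[2] = dst addr.port
          m = split(ep[1], a, "[.]")
          sport = a[m] + 0                 # last dotted component is the source port
          split(part[i + 1], f, " ")
          flags = f[1]
          if (flags == "S") syn++; else other++
          if (sport == 80) from80++
          break
        }
      }
    }
    END {
      # syn: new connection attempts; other: segments without state, i.e.
      # leftovers of sessions whose state was closed or timed out.
      printf "syn=%d other=%d from_port_80=%d\n", syn + 0, other + 0, from80 + 0
    }'
}

# Constructed sample log (not real traffic): three stragglers from remote
# port 80 and one genuine inbound SYN to port 22.
SAMPLE_PFLOG='Jan 23 10:15:01.123456 rule 19/0(match): block in on dc0: 203.0.113.10.80 > 198.51.100.7.49152: F 1:1(0) ack 2 win 8190
Jan 23 10:15:01.223456 rule 19/0(match): block in on dc0: 203.0.113.10.80 > 198.51.100.7.49152: . ack 2 win 8190
Jan 23 10:15:02.000001 rule 19/0(match): block in on dc0: 203.0.113.11.80 > 198.51.100.7.49160: R 0:0(0) ack 1 win 0
Jan 23 10:16:07.555555 rule 19/0(match): block in on dc0: 192.0.2.44.51234 > 198.51.100.7.22: S 1:1(0) win 65535'

printf '%s\n' "$SAMPLE_PFLOG" | pflog_triage
```

If the "other" count dominates and the sources are port 80, the entries are the tail end of finished web sessions rather than anything the rule is protecting against; a high "syn" count with arbitrary source ports is what an actual scan looks like.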
We installed the csf firewall on the main node and get the following error when trying to start the firewall. How can I resolve this issue?
[root@m5088 csf]# csf -s
Error: The VPS iptables rule limit (numiptent) is too low (400/400) - stopping firewall to prevent iptables blocking all connections, at line 123
Would anyone be kind enough to give me some pointers to route packets from a specific ip on my subnet via the tun0 OpenVPN interface, and all other hosts out the default route of the main routing table (192.168.1.1 on br0)?
i.e. 192.168.1.2-9 -> via br0, and 192.168.1.200 -> via tun0
I have created the tables:
mkdir /etc/iproute2
echo 201 table1 >> /etc/iproute2/rt_tables
ip rule add from 192.168.1.200/32 table table1
But I am really stuck from here. I tried adding default routes in table1, but all traffic stops at this point (I am pinging from the host 192.168.1.200 out onto the net; it works, but as soon as the command below is entered it times out):
ip route add 10.19.0.5 dev tun0 scope link src 10.19.0.6 table table1   (not sure if this is needed; either way it doesn't work, with or without)
ip route add default via 10.19.0.5 dev tun0 table table1
I did try ip route add default dev tun0 table table1, and again that fails to work. I appreciate this isn't a guessing game, hence moving to post here in the hope of some expert advice.
Routing table for the main table (table 1 contains the entries from above commands):
root@OpenWrt:~# ip route list table table1
default via 10.19.0.5 dev tun0
root@OpenWrt:~# ip route list table main
10.20.30.40 via 192.168.1.1 dev br0
10.19.0.1 via 10.19.0.5 dev tun0
10.19.0.5 dev tun0 proto kernel scope link src 10.19.0.6
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.4
default via 192.168.1.1 dev br0
There is a point-to-point link to the OpenVPN server on 10.19.0.5 with a local address of 10.19.0.6, but I'm not sure if this needs to be added to table1. I did try adding ip route add 10.19.0.5 dev tun0 scope link src 10.19.0.6 table table1, but again still the same issue.
With OpenVPN set up to push the redirect-gateway option, all works well with the routing table and the box acts as a router sending everything through it (table shown below; this works fine apart from everyone being routed through it). As mentioned, I would like the default route below to apply only to the host 192.168.1.200. I am posting the table below as this does work for all hosts:
root@OpenWrt:~# ip route list table main
10.20.30.40 via 192.168.1.1 dev br0
10.19.0.1 via 10.19.0.5 dev tun0
10.19.0.5 dev tun0 proto kernel scope link src 10.19.0.6
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.4
default via 10.19.0.5 dev tun0
I am masquerading on tun0 as I will be routing a number of hosts through the router:
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
I also run 'ip route flush cache' after I enter the routing commands, but to no avail.
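The sequence as I would set it up, as an added example that is not the poster's commands: the table gets the LAN, the tunnel peer and the default route, the selector rule gets a fixed priority so the script can be re-run, and "ip route get" is used to ask the kernel which path a packet from the chosen host would take, which is the check to do before blaming the routes. It assumes the table name table1 (id 201) from the post, the peer 10.19.0.5 with local address 10.19.0.6 on tun0, the LAN 192.168.1.0/24 on br0, and a full iproute2 "ip" (or a BusyBox build that includes "route get"). DRY_RUN=1 prints the commands instead of executing them, which is how the block runs without root.

```shell
#!/bin/sh
# Added example, not the poster's commands: route one LAN host through tun0
# with a source-based rule, and verify the decision with "ip route get".
# Assumptions: table 201 is named table1 in /etc/iproute2/rt_tables (as in the
# post), OpenVPN peer 10.19.0.5 / local 10.19.0.6 on tun0, LAN 192.168.1.0/24 on br0.
# DRY_RUN=1 prints the commands instead of running them (root needed otherwise).
VPN_HOST=192.168.1.200
VPN_PEER=10.19.0.5
VPN_LOCAL=10.19.0.6
TABLE=table1
LAN_NET=192.168.1.0/24
LAN_IF=br0
PRIO=1000

run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

policy_route_host() {
  # "replace" rather than "add": re-running the script neither fails nor duplicates.
  run ip route replace "$LAN_NET" dev "$LAN_IF" table "$TABLE"        # LAN stays reachable from this table
  run ip route replace "$VPN_PEER" dev tun0 src "$VPN_LOCAL" table "$TABLE"
  run ip route replace default via "$VPN_PEER" dev tun0 table "$TABLE"
  # Only packets *from* the chosen host consult the table. A fixed priority
  # lets the rule be deleted and re-added instead of piling up copies.
  run ip rule del priority "$PRIO" 2>/dev/null || true
  run ip rule add from "$VPN_HOST" lookup "$TABLE" priority "$PRIO"
  run ip route flush cache
}

check_path() {
  # Ask the kernel which route a packet to $1 would take: the first answer
  # should name tun0 (the VPN host), the second br0 (any other LAN address).
  run ip route get "$1" from "$VPN_HOST" iif "$LAN_IF"
  run ip route get "$1" from 192.168.1.2 iif "$LAN_IF"
}

policy_route_host
check_path 8.8.8.8
```

With the masquerade rule from the post in place, the VPN host's traffic leaves tun0 as 10.19.0.6 and the replies come back through the main table's route for 192.168.1.0/24, so nothing else is needed for the return path.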
How can I block this user agent through mod_rewrite: "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"? Will this affect all IE 6 users? And what is the difference between the one above and this one: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)?
I have a number of WordPress, Drupal, Wiki sites running under RHEL6.
Apache version:
httpd -v
Server version: Apache/2.2.15 (Unix)
Server built: Aug 2 2013 08:02:18
We are subject to internal scans by Appscan and Tenable. It is a security requirement so I cannot just block them.
The scanners, of course, attempt to recurse the directory structure and find vulnerable files such as boot.ini, winnt.com and such.
This drives the PHP content management systems nuts. A request comes in and is handled by PHP. PHP checks the cache for that name and does not find it. PHP generates a MySQL query and sends it. MySQL tries and fails to satisfy the query. MySQL returns the result to PHP. PHP writes a cache of the result and presents it to the web.
In other words, a whole lot of processor/memory.
The security scans typically look like this:
[Thu Aug 29 00:35:15 2013] [error] [client XXX.XXX.XXX.XXX] Invalid URI in request GET /../../../../../../../../../../../../etc/passwd HTTP/1.1
[Thu Aug 29 00:35:15 2013] [error] [client XXX.XXX.XXX.XXX] Invalid URI in request GET ../../../../../../../../../../../../etc/passwd HTTP/1.1
[Thu Aug 29 00:35:15 2013] [error] [client XXX.XXX.XXX.XXX] Invalid URI in request GET //../../../../../../../../../../../../etc/passwd HTTP/1.1
[Thu Aug 29 00:32:26 2013] [error] [client XXX.XXX.XXX.XXX] Invalid URI in request GET ....................windowswin.ini HTTP/1.1
[Thu Aug 29 00:32:26 2013] [error] [client XXX.XXX.XXX.XXX] Invalid URI in request GET ....................winntwin.ini HTTP/1.1
I have been able to improve performance, speed and security with mod_rewrite:
RewriteRule \.(dll|ini|exe|com)$ - [R=404,NC]
Now (Finally) the question.
I have not been able to create a rule for the directory recursion.
I want to R=404 any request that has a "../.." or "...." or ...." in it, but I cannot get it to recognize the string correctly.
I believe that this would improve speed and security.
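One way to get the pattern right before putting it in the .htaccess, as an added example that is not from the post: test the regex against constructed request lines with grep. Two details matter here. Requests that Apache logs as "Invalid URI in request" are answered with 400 by the core before any rewrite or PHP runs, so they cost little; the traversal attempts that do reach the CMS are the ones Apache can normalise into a valid path (for instance /wp-content/../../etc/passwd becomes /etc/passwd), and by the time mod_rewrite runs, %{REQUEST_URI} no longer contains the dots. Matching on %{THE_REQUEST}, the raw request line, catches them. Second, the dots must be escaped, otherwise "../" matches any two characters followed by a slash. The request lines in the script are constructed; the RewriteCond in the comment is the PCRE form of the same regex.

```shell
#!/bin/sh
# Added example (not from the post): check a request-line regex against
# constructed scanner requests before using it in a RewriteCond.
# Matches "../" or "..\" (Windows-style) and runs of four dots.
# Equivalent .htaccess (PCRE), placed before the CMS's own rules:
#   RewriteEngine On
#   RewriteCond %{THE_REQUEST} \.\.[/\\]|\.{4} [NC]
#   RewriteRule .* - [R=404,L]
TRAVERSAL_RE='\.\.[/\\]|\.{4}'

# $1: raw request line, e.g. "GET /a/../../etc/passwd HTTP/1.1". Exit 0 = traversal.
is_traversal() {
  printf '%s\n' "$1" | grep -Eq "$TRAVERSAL_RE"
}

# Reads request lines on stdin, prints how many matched (for log review).
count_traversals() {
  grep -Ec "$TRAVERSAL_RE"
}

# Constructed request lines (not from a real log): three traversal attempts,
# one ordinary page and one query string with two dots that must not match.
SAMPLE_REQUESTS='GET /../../../../../../../../../../../../etc/passwd HTTP/1.1
GET /wp-content/..\..\..\windows\win.ini HTTP/1.1
GET /wiki/....//....//etc/passwd HTTP/1.1
GET /services/manu/ HTTP/1.1
GET /products?q=a..b HTTP/1.1'

printf '%s\n' "$SAMPLE_REQUESTS" | count_traversals
```

The four-dot alternative is there for the "...." variants in the scan log; if legitimate query strings on a site contain runs of dots, drop that alternative rather than loosening the rest.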
I am new to WordPress; I want a URL rewrite rule for my .htaccess. I want that when a user visits www.domain.com/services/manu/, the URL in the address bar shows www.domain.com/services/. I don't want a permanent redirect.
I'm trying to change url structure so instead of /default/category/product.html it would show /category/product.html
With this line I've managed to do it on my personal blog
RedirectMatch 301 /default/(.*) //$1
But when I implemented it on a customer's Magento site it started showing double slashes like this, //category/product.html, and the whole template just collapsed.
I am currently trying to limit incoming UDP length 20 packets on a per-IP basis to 5 a second using iptables on a Linux machine (CentOS 5.2).
Basically, if an IP is sending more than 5 length 20 UDP packets a second to the local machine, I would like the machine to drop the excess length 20 packets coming from that IP.
The modules that should work perfectly for this type of "rule set" are:
- Limit module
- Length module
Both of which are installed / compiled with the kernel/iptables correctly and functioning.
I have tried several rule sets, and none of them seem to fully work. Either they drop all UDP length 20 packets going to the local machine or allow all of them through.
Below is one of the rule sets I use, and it is not working. Any ideas what the issue could be?
iptables -N UDPC1
iptables -A INPUT -p udp -m length --length 20 -j UDPC1
iptables -A UDPC1 -p udp -m length --length 20 -m limit --limit 5/second -j ACCEPT
iptables -A UDPC1 -j DROP
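The per-source version of that chain, as an added example that is not the poster's rule set: the limit match keeps one token bucket per rule, so it caps the aggregate rate of everything that reaches the rule and cannot tell senders apart; per-source limiting is what hashlimit with --hashlimit-mode srcip does. One caveat on the length match: it compares the total IPv4 packet length (the kernel's length match reads the header's total-length field), so 20 can never match a UDP datagram, whose minimum is 28 bytes (20 IP + 8 UDP). The script assumes the "20" means 20 bytes of UDP payload, i.e. a 48-byte packet, and uses the --hashlimit spelling of the rate option because that is the one the iptables shipped with CentOS 5 accepts. DRY_RUN=1 prints the commands instead of executing them, which is how the block runs without root.

```shell
#!/bin/sh
# Added example (not the poster's rules): per-source rate limit for UDP
# packets of one size, using hashlimit instead of limit. "limit" is a single
# bucket shared by every packet hitting the rule; hashlimit keeps one bucket
# per key, here the source address.
# DRY_RUN=1 prints the commands instead of executing them (root needed otherwise).
PKT_LEN=48      # assumption: 20-byte UDP payload -> 20 IP + 8 UDP + 20 data
RATE=5/sec      # sustained per-source rate
BURST=5         # initial credit per source (hashlimit's default)

run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

udp_ratelimit_rules() {
  run iptables -N UDPC1
  run iptables -A INPUT -p udp -m length --length "$PKT_LEN" -j UDPC1
  # One bucket per source IP: packets within RATE (plus BURST) are accepted.
  run iptables -A UDPC1 -m hashlimit --hashlimit-name udp20 \
      --hashlimit-mode srcip --hashlimit "$RATE" --hashlimit-burst "$BURST" -j ACCEPT
  # Everything above the per-source rate is dropped; other traffic is untouched.
  run iptables -A UDPC1 -j DROP
}

udp_ratelimit_rules
```

"iptables -N UDPC1" fails if the chain already exists; flush and delete it (iptables -F UDPC1; iptables -X UDPC1) before re-running, and watch /proc/net/ipt_hashlimit/udp20 to see the per-source buckets fill while testing.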
I installed mod_security and the 403security rules on my VPS (Centos 4.1, Release version of WHM).
Several vBulletin files, including the ajax quick editor and some vbulletin.org add-ons are triggering this rule and banning members' IPs in CSF:
# Restrict which content encodings we accept.
#
# TODO Most applications support only two encodings for request bodies
# because that is all browsers know how to produce. If you are using
# automated tools to talk to the application you may be using other
# content types and would want to change the list of supported encodings.
#
# Note though that ModSecurity parses only three content encodings:
# application/x-www-form-urlencoded, multipart/form-data request and
# text/xml. The protection provided for any other type of encoding is
# inferior.
#
# TODO There are many applications that are not using multipart/form-data
# encoding (typically only used for file uploads). This content type
# can be disabled if not used.
#
# NOTE We allow any content type to be specified with GET or HEAD
# because some tools incorrectly supply content type information
# even when the body is not present. There is a rule further in
# the file to prevent GET and HEAD requests from having bodies, so we're
# safe in that respect.
#
# NOTE Use of WebDAV requires "text/xml" content type.
#
# NOTE Philippe Bourcier (pbourcier AT citali DOT com) reports
# applications running on the PocketPC and AvantGo platforms use
# non-standard content types:
#
# M-Business iAnywhere application/x-mal-client-data
# UltraLite iAnywhere application/octet-stream
#
SecRule REQUEST_METHOD "!^(?:get|head|propfind|options)$" "chain, t:lowercase, deny,log,auditlog,status:501,msg:'Request content encoding is not allowed by policy',id:'960010',severity:'4'"
SecRule REQUEST_HEADERS:Content-Type "!(?:^(?:application/x-www-form-urlencoded$|multipart/form-data;)|text/xml)"
I don't know how to decipher this rule to know if just removing it is OK, or if it is serving an important purpose. During the couple of hours it was enabled, that rule only seemed to trigger false alarms.
The above was triggered with calls such as [uri "/forums/ajax.php?do=usersearch"] and [uri "/forums/newreply.php?do=postreply&t=11057"]
What I really don't understand is that I have an .htaccess in place to turn off mod_security for the /forums directory:
<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>
I have also had this rule triggered today when someone tried to access : ...
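What the rule checks, as an added example that is not from the post or the CRS: the chain fires on any request that is not GET/HEAD/PROPFIND/OPTIONS and whose Content-Type does not match the second regex, returning 501. The regex anchors application/x-www-form-urlencoded with "$", so a Content-Type of "application/x-www-form-urlencoded; charset=UTF-8", which AJAX libraries commonly send, is rejected while a browser's plain form POST is not. The script below runs the original test (translated from PCRE to grep's ERE, the only change being that (?:...) becomes (...)) and a relaxed variant of my own that accepts a parameter after the urlencoded type, against constructed header values. Separately, note that the SecRule and id:'960010' syntax is ModSecurity 2.x, which loads as mod_security2.c and has no SecFilterEngine directive; an <IfModule mod_security.c> block is therefore skipped under it, and in 2.x the engine is switched off per path with SecRuleEngine Off inside a <Location> or <Directory> block in the server configuration rather than from .htaccess.

```shell
#!/bin/sh
# Added example: the Content-Type test of CRS rule 960010 in grep's ERE
# (PCRE's (?:...) groups become plain groups), run against constructed
# header values, next to a relaxed variant that tolerates a charset
# parameter on urlencoded bodies. The relaxed regex is my suggestion,
# not text from the CRS.
STRICT_RE='^(application/x-www-form-urlencoded$|multipart/form-data;)|text/xml'
RELAXED_RE='^(application/x-www-form-urlencoded(;|$)|multipart/form-data;)|text/xml'

# $1: regex, $2: Content-Type value. Exit 0 = accepted, 1 = the rule would fire
# (the SecRule negates the match, so "no match" means deny with status 501).
ct_allowed() {
  printf '%s\n' "$2" | grep -Eq "$1"
}

# Reads one Content-Type value per line and prints each regex's verdict.
ct_report() {
  while IFS= read -r ct; do
    s=deny; r=deny
    ct_allowed "$STRICT_RE" "$ct" && s=allow
    ct_allowed "$RELAXED_RE" "$ct" && r=allow
    printf '%-50s strict:%s relaxed:%s\n' "$ct" "$s" "$r"
  done
}

# Constructed values (not taken from the poster's audit log).
SAMPLE_CT='application/x-www-form-urlencoded
application/x-www-form-urlencoded; charset=UTF-8
multipart/form-data; boundary=----x
text/xml; charset=utf-8
application/json'

printf '%s\n' "$SAMPLE_CT" | ct_report
```

Before relaxing or removing the rule, pull the exact Content-Type from the audit log entries for the ajax.php and newreply.php hits and run it through ct_report; if it is the charset case, the relaxed regex (or a newer CRS release of rule 960010) fixes the false positive without giving up the check for unparsed body encodings.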
It should be a straightforward change. [URL] .... does not redirect to [URL]...... It simply tries to load /denver-cars/ and denver-cars is in the URL. Am I missing something here? I have tried moving it up and down the list of rules and have tried numerous types of flags to no avail. Everything else in the .htaccess works fine without the line:
Options +FollowSymlinks
RewriteEngine on
RewriteBase /
# Force www
# Redirect google index dir's to new dir
RewriteRule ^/(.*)-cars/ /newcars-in-$1/ [NC,R=301,L]
I am new to apache, and really terrible with regular expressions.
How do I craft an .htaccess rule that looks at the URL of the page you are visiting and redirects HTTPS to the same URL in HTTP if the URL contains a certain text string (in this case the word "products")?
Error when trying to set atomic subscription rule:
Failed to install the ModSecurity rule set: SecReadStateLimit is depricated, use SecConnReadStateLimit instead. Syntax error on line 70 of /etc/httpd/conf/modsecurity.d/rules/atomic/modsec/00_asl_zz_strict.conf: Error creating rule: Could not add entry "127.0.0.0/8" from: 127.0.0.0/8.
In directory /etc/httpd/conf/modsecurity.d/rules I have only: atomic.new modsecurity_crs-plesk tortix tortix.backup
This is the mod_rewrite rule I'm trying to create. I am very new to Apache admin. Here's the issue:
I have 3 vhosts running on my HTTPD Apache 2.2.24 server: Server1, Server2, Server3. Each vhost is connected to a Weblogic application server. We are trying to prevent access to the Example.portal page on each application server.