
iptables blocking by string


dstiles

10:24 am on Apr 21, 2022 (gmt 0)

I am plagued by random IPs asking for "license.txt". This is in addition to the plague of "wp-" hits.

To reject the license ones I have used the command...
iptables -I INPUT -m string --algo bm --string 'license.txt' -j DROP

to add to iptables the string...
-A INPUT -m string --string "license.txt" --algo bm --to 65535 -j DROP

This seems to have failed in its intent: "license.txt" is still coming through.

Iptables did not complain about it and online documentation suggests it is correct. Presumably I have missed something. Any help, please?

not2easy

12:37 pm on Apr 21, 2022 (gmt 0)

I know nothing about the proper syntax for this, but noticed that the command line is using single quotes:
'license.txt'
and the string line is using double quotes:
"license.txt"
in case that makes a difference.

dstiles

2:03 pm on Apr 21, 2022 (gmt 0)

Yes, I'd noticed that. I assume iptables changed them. I got the submission syntax from a mix of forums; documentation in general, apart from official, is scarce.

robzilla

9:40 pm on Apr 21, 2022 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Assuming the connection is made using HTTPS, wouldn't the payload (headers and request/response data) be encrypted?

What information does HTTPS protect? [https.cio.gov]

You could look at something like Fail2Ban, but it can only block an IP after it's requested license.txt (and received a response and the exchange was logged), so that won't stop the "attack" if the IPs are essentially random.

Sgt_Kickaxe

7:08 am on Apr 22, 2022 (gmt 0)



Perhaps a simpler solution - delete license.txt and allow a 404.

dstiles

9:00 am on Apr 22, 2022 (gmt 0)

robzilla: Yes, I wondered about encrypting. That would make sense, and since that is random the "string" is pointless. Damn.

Sgt_Kickaxe: That's the point: I do not have any license.txt files. As far as I can see, it's an invitation to hackers to discover what software I'm using and then attack it. Apart from that, I have no licenses anyway. Oh, and it's getting a 403, not a 404. And I'm attempting to write the IPs to iptables anyway (some come in multiples) but that's not working either. See [webmasterworld.com...]
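Because an iptables string match only sees raw packet bytes, the path of an HTTPS request is visible only to the web server after decryption, which is why a log-driven approach like the Fail2Ban one mentioned above works where the string rule does not. The following is an added example, not code from this thread: it parses constructed access-log lines in the common "combined" format, counts per-IP requests for the probe paths named in the thread (license.txt and wp-*), and emits the per-IP DROP commands a Fail2Ban-style action would run. The log lines, IP addresses and the threshold are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample access-log lines ("combined" format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Apr/2022:10:01:12 +0000] "GET /license.txt HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Apr/2022:10:01:13 +0000] "GET /wp-login.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.22 - - [21/Apr/2022:10:02:40 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.22 - - [21/Apr/2022:10:02:41 +0000] "GET /license.txt HTTP/1.1" 403 199 "-" "curl/7.81"
192.0.2.9 - - [21/Apr/2022:10:03:05 +0000] "GET /readme.html HTTP/1.1" 200 800 "-" "Mozilla/5.0"
"""

# Source IP, method, request path and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# The probe paths the thread complains about: license.txt and anything under wp-.
PROBE_RE = re.compile(r'/(license\.txt|wp-)', re.I)


def probe_hits(log_text):
    """Return a Counter of source IP -> number of probe requests in the log."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing
        if PROBE_RE.search(m.group("path")):
            hits[m.group("ip")] += 1
    return hits


def ban_commands(hits, threshold=1):
    """Build one DROP rule per offending IP once it reaches `threshold` probes.

    The threshold is an assumption; Fail2Ban exposes the same idea as maxretry.
    """
    return [
        f"iptables -I INPUT -s {ip} -j DROP"
        for ip, n in sorted(hits.items())
        if n >= threshold
    ]


if __name__ == "__main__":
    for cmd in ban_commands(probe_hits(SAMPLE_LOG)):
        print(cmd)
```

Running it prints the two DROP commands for 198.51.100.22 and 203.0.113.7; in practice the commands would be executed by the log-watching action rather than printed.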