[CentOS] Centos VPS Kernel 2.6.35.4 & 'string-less' IP tables

Wed Aug 31 14:22:31 UTC 2011
Always Learning <centos at u61.u22.net>

Hi Mike,

> Perhaps the most important point here is that the script kiddies and/or 
> bots usually make sure the target string, 'login' in your example is *not* 
> contained within a single packet.  You can verify this with wireshark.  In 
> any case just be aware that your solution will likely not have the desired 
> effect.
> 
> This a decent read: http://spamcleaner.org/en/misc/w00tw00t.html
> Specifically the Conclusion section near the bottom.

I'm definitely going to try '-m string' providing the service provider
can fix the problem.

I am not, as the article suggested, going to filter on a "28-byte
string".  If I was going to trap the http error 400 event
'w00tw00t.at.ISC.SANS', I would filter on port 80 for 'w00t' or '.at' or
'ISC' or 'SAN' because no web page name contains those strings. Having
control over web pages names brings some benefits :-)

In the current 4,000 to 6,000 daily hits, the lunatic uses

	login.php
	contact.php
	forgotten_password.php

so I will filter port 80 traffic for that web site, now on its own IP,
for

	log
	con
	pas

because no web page name contains any of those 3 byte strings. The
second defence is its own IP Table with 110 IP addresses. The lunatic
has not added any new ones in the last 24 hours.

The longest packet recently rejected was 496 bytes (from another hacker)
and the current lunatic's packets are 60 bytes. Optimistically I have a
reasonable prospect of trapping the above 3 byte strings.

Thank you.

Paul.