iptables string match to drop malicious URLs
============================================
ModSecurity rules, combined with Apache, usually filter the common malicious URL attack patterns on the ports Apache listens on (HTTP/HTTPS). But what if a request carrying an attack pattern against a vulnerable URL, one that exposes or tries to break into your system, arrives on some other port, served by a daemon with no web application firewall in front of it?
This is where the iptables string match comes in handy: it inspects the payload of packets at the netfilter layer, regardless of which port or service they are headed for.
/usr/local/sbin/iptables -I INPUT -p tcp -s 0.0.0.0/0 -m string --string "download?file=%2e%2e" --algo bm -j DROP
[root@server ~]# iptables -L -v | grep STR
73 49908 DROP tcp -- any any anywhere anywhere STRING match "download?file=%2e%2e" ALGO name bm TO 65535
[root@server ~]#
The above iptables rule drops any inbound TCP packet whose payload contains the string "download?file=%2e%2e", on any port of your server (there is no --dport, and -s 0.0.0.0/0 is the default source, so it can be omitted). A request such as
http://yourserverIP:9132/blah/download?file=%2e%2e
is discarded before it reaches whatever is listening on port 9132; the counters in the -L -v output above show how many packets the rule has already dropped.
Note: your iptables binary path may be /sbin/iptables.
A few caveats before relying on this. The string match looks at the raw bytes of each packet on its own, so it only sees plaintext: the same URL sent over HTTPS is encrypted on the wire and will not match. The match is case-sensitive unless you add --icase, so "%2E%2E" slips past the rule as written, and it does nothing about a literal "../" or other encodings of the same traversal; add one rule per variant you want to block (or use --hex-string for patterns with non-printable bytes). A string split across two TCP segments is not reassembled and is missed. Finally, DROP silently discards the packet, leaving the client retransmitting until it times out; that is usually fine for an attacker, but use -j REJECT if you prefer an immediate error.
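To see what the rule actually inspects before relying on it, here is an added example (not from the original post and not iptables' own code) that models the xt_string match in Python, runs it over a few constructed HTTP requests, and renders each variant back as an iptables command. The StringRule class, the sample requests and the split point are my own assumptions for illustration; the match semantics modelled are those of the kernel module: a substring search over one packet's payload within the --from/--to window, case-sensitive unless --icase is given, with no stream reassembly and no decryption.

```python
"""Model of what iptables' -m string inspects, for checking a pattern
before loading it. Added example, not from the original post or the
iptables project. The requests below are constructed, not captured."""
import shlex
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class StringRule:
    pattern: bytes
    icase: bool = False          # --icase
    frm: int = 0                 # --from (default 0)
    to: int = 65535              # --to   (default 65535, as in the -L -v output)
    dport: Optional[int] = None  # None = any port, as in the post's rule

    def matches_packet(self, payload: bytes) -> bool:
        """One packet's verdict: substring search inside the [from, to] window."""
        window = payload[self.frm:self.to]
        if self.icase:
            return self.pattern.lower() in window.lower()
        return self.pattern in window

    def matches_stream(self, segments) -> bool:
        """Packets are judged one at a time; a string split across two
        TCP segments is never reassembled, so it is missed."""
        return any(self.matches_packet(s) for s in segments)

    def to_iptables(self) -> str:
        """Render the equivalent iptables command (binary assumed on PATH)."""
        parts = ["iptables", "-I", "INPUT", "-p", "tcp"]
        if self.dport is not None:
            parts += ["--dport", str(self.dport)]
        parts += ["-m", "string", "--algo", "bm",
                  "--string", shlex.quote(self.pattern.decode("latin-1"))]
        if self.icase:
            parts.append("--icase")
        parts += ["-j", "DROP"]
        return " ".join(parts)


# The rule from the post, and two variants that close its obvious gaps.
RULE_FROM_POST = StringRule(b"download?file=%2e%2e")
RULE_ICASE = StringRule(b"download?file=%2e%2e", icase=True)
RULE_RAW_DOTS = StringRule(b"download?file=../")


def http_get(path: bytes) -> bytes:
    """Build a minimal plaintext request as it would sit in one TCP payload."""
    return b"GET " + path + b" HTTP/1.1\r\nHost: yourserverIP:9132\r\n\r\n"


# Constructed sample requests (hypothetical traffic, not captured data).
SAMPLES = {
    "lowercase": http_get(b"/blah/download?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd"),
    "uppercase": http_get(b"/blah/download?file=%2E%2E%2F%2E%2E%2Fetc%2Fpasswd"),
    "raw_dots":  http_get(b"/blah/download?file=../../etc/passwd"),
}


def evaluate(rule: StringRule, samples=SAMPLES) -> dict:
    """Which sample requests would this rule drop, one packet each?"""
    return {name: rule.matches_packet(p) for name, p in samples.items()}


def split_evasion(rule: StringRule, payload: bytes, cut: int):
    """Compare the verdict on a whole packet with the same bytes sent as
    two segments split at `cut`; returns (whole_matched, split_matched)."""
    return rule.matches_packet(payload), rule.matches_stream([payload[:cut], payload[cut:]])


if __name__ == "__main__":
    for rule in (RULE_FROM_POST, RULE_ICASE, RULE_RAW_DOTS):
        print(rule.to_iptables())
        print("   drops:", evaluate(rule))
    # Cut inside "download?file=": neither segment holds the full pattern.
    print("split evasion (whole, split):",
          split_evasion(RULE_FROM_POST, SAMPLES["lowercase"], 20))
```

The output makes the blind spots concrete: the post's rule drops only the lowercase-encoded request, --icase is needed for "%2E%2E", a separate rule is needed for a literal "../", and the same request split into two segments passes all three rules. Treat the string match as a cheap tripwire for a known probe, not as a substitute for fixing the vulnerable endpoint.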