Using Iptables To Block Bot Scans


I get the occasional bot scan searching for phpMyAdmin (PMA) and similar admin tools. It is routine and harmless if you don't run phpMyAdmin, but it takes up log space and is unnecessary work for the server. Redirecting the requests and telling Apache not to log the hit was an option, but I really wanted to stop the scan before it reached the web server.

The string-match module for iptables (xt_string) can do just that. The hits a scanner leaves in the log usually share some string, and that string can identify the traffic for iptables to drop. For instance, every hit might carry "ZmEu" (the User-Agent of a common phpMyAdmin scanner), even when the originating IP changes.

Here's an example dropping any packet whose payload contains "/setup.php":

iptables -t raw -A PREROUTING -m string --algo bm --string "/setup.php" -j DROP
(All on one line.) As written the rule runs the payload search on every packet the host receives; putting -p tcp --dport 80 in front of -m string limits it to web traffic, which is cheaper and avoids matching the string in unrelated protocols.

This is what it looks like in the iptables-save/restore file with ZmEu, setup.php and a few others blocked:

*raw
:PREROUTING ACCEPT [0:0]
-A PREROUTING -m string --algo bm --string "ZmEu" -j DROP
-A PREROUTING -m string --algo bm --string "/setup.php" -j DROP
-A PREROUTING -m string --algo bm --string "/phpmyadmin" -j DROP
-A PREROUTING -m string --algo bm --string "/pma" -j DROP
COMMIT
*filter
[....]
This goes above the "*filter" table in the file. The ":PREROUTING ACCEPT [0:0]" line is the policy line iptables-save writes for the built-in chain; the rules themselves are the same ones you would add by hand with iptables -t raw -A PREROUTING.

The module is not tied to the raw table, but the raw table's PREROUTING chain is the earliest hook, before connection tracking, so dropping there costs the least. The algorithm choice is bm (Boyer-Moore) or kmp (Knuth-Morris-Pratt); Boyer-Moore is generally the faster of the two for patterns like these, and with a handful of rules the difference is not noticeable either way.
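As an added example (not from the original post), here is a small POSIX shell script that does the two steps described above: it picks candidate strings out of Apache access-log lines (paths that only ever 404 and are requested from several different source IPs, and User-Agents that only ever produce 404s), then emits the matching "*raw" fragment in iptables-restore format. It assumes the combined log format and plain HTTP on port 80; the log lines, addresses, paths and the ZmEu hits in SAMPLE_LOG are constructed sample data, not captured traffic.

```shell
#!/bin/sh
# Added example, not part of the original post. Derives block strings from
# Apache combined-format access-log lines and emits an iptables-restore
# "*raw" fragment. Assumes plain HTTP on port 80. Everything in SAMPLE_LOG
# (addresses, paths, the ZmEu User-Agent hits) is constructed sample data.

SAMPLE_LOG='198.51.100.7 - - [10/Oct/2013:13:55:36 +0000] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 214 "-" "ZmEu"
198.51.100.7 - - [10/Oct/2013:13:55:37 +0000] "GET /pma/scripts/setup.php HTTP/1.1" 404 214 "-" "ZmEu"
203.0.113.20 - - [10/Oct/2013:14:01:02 +0000] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 214 "-" "ZmEu"
203.0.113.20 - - [10/Oct/2013:14:01:03 +0000] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 214 "-" "ZmEu"
192.0.2.9 - - [10/Oct/2013:14:10:11 +0000] "GET /phpmyadmin/scripts/setup.php?x=1 HTTP/1.1" 404 214 "-" "ZmEu"
192.0.2.55 - - [10/Oct/2013:14:12:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.55 - - [10/Oct/2013:14:12:01 +0000] "GET /blog/setup-notes HTTP/1.1" 404 3111 "-" "Mozilla/5.0"'

# scan_paths [MIN]: read log lines on stdin, print request paths that returned
# 404 from at least MIN (default 2) distinct source IPs, busiest first.
# A single visitor's typo never reaches the threshold; a scanner hitting the
# same path from many addresses does.
scan_paths() {
    min=${1:-2}
    awk -v min="$min" '
        $9 == 404 {
            path = $7
            sub(/\?.*/, "", path)               # strip any query string
            if (!seen[path, $1]++) ips[path]++   # count distinct IPs per path
        }
        END { for (p in ips) if (ips[p] >= min) print ips[p], p }
    ' | sort -k1,1nr -k2 | cut -d' ' -f2
}

# scan_agents [MIN]: read log lines on stdin, print User-Agent strings that
# only ever produced 404s and came from at least MIN distinct source IPs.
# Any agent that also fetched a real page (non-404) is excluded.
scan_agents() {
    min=${1:-2}
    awk -v min="$min" '
        {
            match($0, /"[^"]*"$/)                   # last quoted field is the UA
            ua = substr($0, RSTART + 1, RLENGTH - 2)
            if ($9 == 404) { if (!seen[ua, $1]++) ips[ua]++ } else ok[ua] = 1
        }
        END { for (u in ips) if (ips[u] >= min && !(u in ok)) print ips[u], u }
    ' | sort -k1,1nr | cut -d' ' -f2-
}

# raw_rule STRING: one raw-table rule. "-p tcp --dport 80" is added here so the
# payload search only runs on web traffic (assumption: HTTP on port 80).
raw_rule() {
    printf '%s --string "%s" -j DROP\n' \
        '-A PREROUTING -p tcp --dport 80 -m string --algo bm' "$1"
}

# raw_table: read one match string per line on stdin and emit a complete
# "*raw" section in iptables-restore format.
raw_table() {
    printf '*raw\n:PREROUTING ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]\n'
    while IFS= read -r s; do raw_rule "$s"; done
    printf 'COMMIT\n'
}

# Stand-alone demo: derive the strings from the sample log and print the
# fragment. On a real host, pipe the access log in instead of SAMPLE_LOG.
{
    printf '%s\n' "$SAMPLE_LOG" | scan_agents 2
    printf '%s\n' "$SAMPLE_LOG" | scan_paths 2
} | raw_table
```

For the sample data the demo prints rules for "ZmEu" and "/phpmyadmin/scripts/setup.php" only; the one-off /pma and /myadmin probes and the visitor's 404 on /blog/setup-notes stay below the threshold. Save the output to a file and check it with iptables-restore --test before loading it for real; afterwards, iptables -t raw -L PREROUTING -v -n shows per-rule packet counters, which is the quickest way to confirm a rule is actually catching the scans.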

A rule in PREROUTING only sees inbound packets, so these rules will not stop you from serving a page that contains "ZmEu"; the outgoing response never passes through that chain. (If you put the same rule in the OUTPUT chain it would, and you would have to break the string up, for instance with an empty i or b tag between the characters, for the page to display.) What the rules do catch is any inbound packet carrying the string, so a legitimate visitor who types "ZmEu" into a form or URL on your site gets dropped. The longer and more specific the string, the less likely that is: "/phpmyadmin/scripts/setup.php" is much safer than "/pma". A few more caveats: the match is case-sensitive unless you add --icase; it is done per packet, so a string split across two TCP segments is not seen and HTTPS payloads cannot be inspected at all; and the drop happens after the TCP handshake, so Apache has already accepted the connection and holds it until its request timeout expires. That is still far cheaper than parsing and logging the request, but it is not free.

The string-match module could be useful for blocking other unwanted traffic, and it keeps resources free for the web server by letting the firewall do the work. Problem solved!
