I have a Fedora 10 server set up using the perfect setup, and have a few questions. (disabled Linux firewall/SELinux)

I have added a rule " iptables -I INPUT -s 198.186.193.54 -j DROP " to block an undesirable bot/spider, since mod_security "spams" my logs because it blocks it due to no header reply, browser version etc. However, upon its return, usually once a day, iptables does not seem to "ghost" my server, as mod_security still sees and returns the 403 error to the bot.

If it helps, running the command " ps -ef | grep iptables " returns

root 8200 7827 0 09:51 pts/0 00:00:00 grep iptables

Running the command " iptables -L INPUT " returns

Code:
Chain INPUT (policy DROP)
target     prot opt source                   destination
DROP       all  --  ashburn.notadot.com      anywhere
DROP       tcp  --  anywhere                 loopback/8
ACCEPT     all  --  anywhere                 anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere                 anywhere
DROP       all  --  BASE-ADDRESS.MCAST.NET/4 anywhere
PUB_IN     all  --  anywhere                 anywhere
PUB_IN     all  --  anywhere                 anywhere
PUB_IN     all  --  anywhere                 anywhere
PUB_IN     all  --  anywhere                 anywhere
DROP       all  --  anywhere                 anywhere

It seems once I have restarted the firewall through ISPConfig, the command " iptables -L INPUT " returns

Code:
Chain INPUT (policy DROP)
target     prot opt source                   destination
DROP       tcp  --  anywhere                 loopback/8
ACCEPT     all  --  anywhere                 anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere                 anywhere
DROP       all  --  BASE-ADDRESS.MCAST.NET/4 anywhere
PUB_IN     all  --  anywhere                 anywhere
PUB_IN     all  --  anywhere                 anywhere
PUB_IN     all  --  anywhere                 anywhere
PUB_IN     all  --  anywhere                 anywhere
DROP       all  --  anywhere                 anywhere

Notice the line

DROP       all  --  ashburn.notadot.com      anywhere

is removed, losing my iptables rules and allowing notadot back in. Thanks for the help in advance.
Instead of using the iptables command, which conflicts with the firewall rules, you had better use the route command to block the IP:

Code:
/sbin/route add -host 198.186.193.54 reject
Thanks, I will try that instead. This will return a server not found, correct? Also, I would have to add that line to the rc.local file so it stays after a reboot?
For some reason mod_security is still seeing this IP and it's not getting the server not found.

Code:
[Sun Jan 25 00:17:29 2009] [error] [client 198.186.193.54] ModSecurity: Warning. Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required. [file "/etc/httpd/modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf"] [line "41"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"] [hostname "www.xxxxxx.com"] [uri "/"] [unique_id "SXv16X8AAAEAAAlrLuIAAAAG"]
[Sun Jan 25 00:17:29 2009] [error] [client 198.186.193.54] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/httpd/modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf"] [line "48"] [id "960009"] [msg "Request Missing a User Agent Header"] [severity "WARNING"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"] [hostname "www.xxxxxx.com"] [uri "/"] [unique_id "SXv16X8AAAEAAAlrLuIAAAAG"]
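The two symptoms reported so far (the DROP rule disappearing from the INPUT chain after a firewall restart, and the address still showing up in the ModSecurity log) can be checked together. The script below is an added example, not part of any post in this thread; the function names are hypothetical, and the chain listing (in numeric `-n` form) and log lines are constructed samples, with 192.0.2.10 as a documentation address.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample data is constructed.

# Print the 1-based position of the first DROP rule for source $1 in
# `iptables -L INPUT -n` output read on stdin, or 0 if there is none.
drop_rule_position() {
    awk -v ip="$1" '
        NR <= 2 { next }    # skip the "Chain INPUT" line and the column header
        { n++ }             # rule number within the chain
        $1 == "DROP" && $4 == ip { print n; found = 1; exit }
        END { if (!found) print 0 }
    '
}

# Count Apache error-log lines on stdin logged for client $1.
# -F keeps the dots literal; the closing bracket prevents prefix matches.
client_hits() {
    grep -F -c "[client $1]" || true    # grep exits 1 when the count is 0
}

listing_before_restart() {    # constructed, numeric (-n) form
cat <<'EOF'
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       all  --  198.186.193.54       0.0.0.0/0
DROP       tcp  --  0.0.0.0/0            127.0.0.0/8
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0    state RELATED,ESTABLISHED
EOF
}

# The same chain after the firewall restart has dropped the manual rule.
listing_after_restart() { listing_before_restart | grep -F -v '198.186.193.54'; }

sample_log() {    # constructed, shortened error-log lines
cat <<'EOF'
[Sun Jan 25 00:17:29 2009] [error] [client 198.186.193.54] ModSecurity: Warning. (constructed)
[Sun Jan 25 00:17:29 2009] [error] [client 198.186.193.54] ModSecurity: Warning. (constructed)
[Sun Jan 25 00:18:02 2009] [error] [client 192.0.2.10] ModSecurity: Warning. (constructed)
EOF
}

# $1 = address, $2 = command printing the listing, $3 = command printing the log
check_block() {
    pos=$($2 | drop_rule_position "$1")
    hits=$($3 | client_hits "$1")
    echo "rule_position=$pos log_hits=$hits"
}

check_block 198.186.193.54 listing_before_restart sample_log
check_block 198.186.193.54 listing_after_restart sample_log
```

On a live server the inputs would be the output of `iptables -L INPUT -n` and the Apache error log; `-n` prints addresses instead of reverse-DNS names such as the ashburn.notadot.com shown in the first post.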
Same error with route command in rc.local. rc.local file:

Code:
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

touch /var/lock/subsys/local
/sbin/route add -host 198.186.193.54 reject
Sorry, misunderstood. After removing the line from rc.local, rebooting and running the command: route -nee, I still have the Segmentation fault. After running the command from PuTTY I ran it directly from the server; here is more info:

Code:
route[2619]:segfault at b07f6678 ip 007d6dd7 sp bfae5808 error 6 in ld-2.9.so[7d4000+20000]
That's strange. Seems as if something's wrong with the installation. If this is an empty system, I'd set it up from scratch again.
Not really an option. I have reinstalled iproute, glibc, did a yum update and still the same error. Could this be a compatibility issue with the eth0 driver?
Segmentation faults can be caused by hardware errors, so that's possible. You can try to replace the NIC with another one.
Just so I understand this (which I think I do), Segmentation faults are the Windows equivalent to the BSOD, right?