Last active
March 17, 2018 04:53
CSF Post -- Filter Commonly hit URLs and Annoyances at the Firewall Level
#!/bin/bash
# block annoying http hits that litter your logs with CSF.
# for use with an existing, operable install of CSF firewall; find it at: https://configserver.com/cp/csf.html
# place this file in /etc/csf/ with the filename csfpost.sh; like so: /etc/csf/csfpost.sh
# make it executable: chmod u+x csfpost.sh
# after you add/modify your preferred rules, run: csf -r so the firewall restarts with these rules loaded.
# don't block this if you use xmlrpc.php in WordPress
/sbin/iptables -I INPUT -p tcp --dport 80 -m string --to 1000 --string "xmlrpc.php" --algo kmp -j DROP
# if you have any URLs with "admin" in the url, expect them to be broken after this rule takes effect
/sbin/iptables -I INPUT -p tcp --dport 80 -m string --to 1000 --string "admin" --algo kmp -j DROP
# script kiddies looking for their own residual turds
/sbin/iptables -I INPUT -p tcp --dport 80 -m string --to 1000 --string "testproxy" --algo kmp -j DROP
/sbin/iptables -I INPUT -p tcp --dport 80 -m string --to 1000 --string "w00t" --algo kmp -j DROP
# things to consider:
# all of the above rules match on port 80 (hence --dport 80), which is fine in most cases, as script kiddies & bots usually don't target https/443 initially.
# if you find they ARE, just adjust the existing line, or duplicate the affected rule, with --dport 443 to also close off https for the affected target.
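
The rules above match a substring anywhere in the inspected bytes, not just in the URL path, so it is worth checking which legitimate requests they would drop before running csf -r. The following is an added example, not part of the gist: the function names, the sample requests and the example.test host are constructed, and the 1000-byte window is approximated over the request text alone, ignoring packet headers.

```shell
#!/bin/bash
# Added example (not part of the gist): dry-run the string rules on request text.
PATTERNS="xmlrpc.php admin testproxy w00t"  # strings taken from the rules above
WINDOW=1000  # mirrors --to 1000; assumption: packet headers are ignored here

# Print every pattern found in the first $WINDOW bytes read from stdin.
matched_patterns() (
    buf=$(head -c "$WINDOW")
    hits=""
    for p in $PATTERNS; do
        # -F: fixed string, case-sensitive, like the rules (no --icase given)
        if printf '%s' "$buf" | grep -qF -- "$p"; then
            hits="$hits$p "
        fi
    done
    printf '%s' "${hits% }"
)

# Print the outcome the rule set would produce for the request on stdin.
verdict() (
    hits=$(matched_patterns)
    if [ -n "$hits" ]; then
        printf 'DROP (%s)\n' "$hits"
    else
        printf 'ACCEPT\n'
    fi
)

# Constructed sample requests (example.test is a placeholder host).
sample_probe()   { printf 'POST /xmlrpc.php HTTP/1.1\r\nHost: example.test\r\n\r\n'; }
sample_referer() { printf 'GET /blog/post-1 HTTP/1.1\r\nHost: example.test\r\nReferer: http://example.test/administrator/\r\n\r\n'; }
sample_body()    { printf 'POST /login HTTP/1.1\r\nHost: example.test\r\nContent-Length: 21\r\n\r\nuser=sysadmin&lang=en'; }
sample_clean()   { printf 'GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n'; }

for s in sample_probe sample_referer sample_body sample_clean; do
    printf '%-15s %s\n' "$s" "$("$s" | verdict)"
done
```

The Referer and POST-body samples are dropped by the "admin" rule even though the requested path is harmless, which is the kind of breakage to look for in your own traffic. The string match only sees cleartext, so a copy of a rule with --dport 443 inspects encrypted TLS records and will not see the URL.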