Dear All,
Does anyone know how I can block any access like the one below using Layer 7? Below is what I get from the Apache log:
xxx.xxx.xxx.xxxx - - [02/Jul/2021:02:11:57 +0800] "GET /qnap_firmware.xml?t=1625114063 HTTP/1.1" 403 496 "-" "curl/7.43.0"
So the number in t=1625114063 always changes.
Please help. Thank you so much.
The file qnap_firmware.xml exist?
simply put qnap_firmware on layer7, but if you use httpS it iS all uSeleSS
Hi,
The qnap_firmware.xml does not exist, but the attacker keeps flooding the Apache, so I plan to block it. One more thing: the attacker is using GET.
Thank you
Just like Rextended is trying to say, if this attack is happening over HTTPS, then a RouterOS Layer7 rule will not see any URL and you can't block it.
Why censor the attacker?
Probably you have some device infected now, or in the past (or someone using your public IP), with QSnatch.
Your public IP address is now on the "qlist" of some "Command & Control" servers.
Simply put the IP of the requester on a blacklist: in /ip firewall raw add a rule to drop in prerouting all traffic from that source IP…
Yes, it's over HTTPS because I got it from the Apache HTTPS log; the normal log can't see that. It's thousands of random IPs attacking.
Do you need to have port 443 (HTTPS) open for incoming (new and not returning) traffic?
If so then drop in RAW all traffic TCP/443 that has a SYN (new connection). I will post later the line for that.
add action=drop chain=prerouting dst-address=111.222.333.444 dst-port=80,443 protocol=tcp tcp-flags=!fin,!rst,!psh,!ack,!urg,!ece,!cwr
Replace 111.222.333.444 with your external IP address, and if you are not sure, replace drop with passthrough and log to see if you are catching the attacker.
But this way it drops all traffic for regular users too…
Hi,
What I was thinking now is to make mod_security rules with Fail2ban to detect, and make a Python script to send the IP to the MikroTik API to block, but of course that is the hard way. I thought in the first place MikroTik would detect it as usual, as I did with the 'Advanced - Content' filter, but it does not, because the content filter only works for HTTP/SMTP.
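The log-to-address-list step of that plan, written as an added example that is not from the original thread: it parses Apache access-log lines (constructed samples, not the poster's data), counts GET requests for the qnap_firmware.xml probe per source IP regardless of the changing t= value, and emits RouterOS address-list commands for IPs over a threshold. The list name, threshold and timeout are assumptions; the emitted commands can be fed to the router via the API or SSH.

```python
import re
from collections import Counter

# Constructed sample Apache access-log lines (not from the original post).
SAMPLE_LOG = """\
203.0.113.10 - - [02/Jul/2021:02:11:57 +0800] "GET /qnap_firmware.xml?t=1625114063 HTTP/1.1" 403 496 "-" "curl/7.43.0"
203.0.113.10 - - [02/Jul/2021:02:11:58 +0800] "GET /qnap_firmware.xml?t=1625114064 HTTP/1.1" 403 496 "-" "curl/7.43.0"
203.0.113.10 - - [02/Jul/2021:02:11:59 +0800] "GET /qnap_firmware.xml?t=1625114065 HTTP/1.1" 403 496 "-" "curl/7.43.0"
198.51.100.7 - - [02/Jul/2021:02:12:00 +0800] "GET /qnap_firmware.xml?t=1625114066 HTTP/1.1" 403 496 "-" "curl/7.43.0"
192.0.2.5 - - [02/Jul/2021:02:12:01 +0800] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Apache combined log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# The probe path: fixed file name, optional query string with a changing t= number.
PROBE_RE = re.compile(r'^/qnap_firmware\.xml(\?t=\d+)?$')


def count_probes(log_text):
    """Return a Counter of source IP -> number of GET requests for the probe path."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("method") != "GET":
            continue
        if PROBE_RE.match(m.group("path")):
            hits[m.group("ip")] += 1
    return hits


def routeros_commands(hits, threshold=3, list_name="qsnatch_probe", timeout="1d"):
    """Build RouterOS address-list commands for every IP at or above the threshold.

    A matching raw rule on the router then drops the listed sources, e.g.:
    /ip firewall raw add chain=prerouting src-address-list=qsnatch_probe action=drop
    (list name, threshold and timeout are assumed values, not from the thread)."""
    cmds = []
    for ip, n in sorted(hits.items()):
        if n >= threshold:
            cmds.append(f'/ip firewall address-list add list={list_name} '
                        f'address={ip} timeout={timeout} comment="{n} probes"')
    return cmds


if __name__ == "__main__":
    for cmd in routeros_commands(count_probes(SAMPLE_LOG)):
        print(cmd)
```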
Again, what we gain in illusory privacy, we lose in control…
Don't be that trigger-happy, rextended. Read the first sentence before you shoot.
Over and out.
The first sentence is a question:
Do you need to have port 443 (HTTPS) open for incoming (new and not returning) traffic?
and after that:
If so then drop in RAW all traffic TCP/443 that has a SYN (new connection). I will post later the line for that.
And translated into Italian or not, it is like you suggest to drop all traffic even if you need that traffic…
better, to avoid misunderstanding:
"If you do not need to have port 443 (HTTPS) open for incoming (new and not returning) traffic then drop in RAW…" etc.
But I think no-one sets up an HTTPS Apache just to leave it closed…