halimzhz
newbie
Topic Author
Posts: 37
Joined: Fri Jun 09, 2017 2:38 am
Location: Malaysia
Contact:

Layer 7 Protocols for Apache Attack

Fri Jul 02, 2021 11:42 am

Dear All,

Does anyone know how I can block access like the one below using Layer 7? Below is what I get from the Apache log:

xxx.xxx.xxx.xxxx - - [02/Jul/2021:02:11:57 +0800] "GET /qnap_firmware.xml?t=1625114063 HTTP/1.1" 403 496 "-" "curl/7.43.0"

So the number in t=1625114063 always changes.

Please help. Thank you so much
 
rextended
Forum Guru
Posts: 11986
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Layer 7 Protocols for Apache Attack

Fri Jul 02, 2021 12:08 pm

Does the file qnap_firmware.xml exist?

Simply put qnap_firmware on layer7, but if you use httpS it iS all uSeleSS.
 
halimzhz

Re: Layer 7 Protocols for Apache Attack

Fri Jul 02, 2021 12:18 pm

Hi,

The qnap_firmware.xml does not exist, but the attacker keeps flooding Apache, so I plan to block it. One more thing: the attacker is using GET.

Thank you
 
rextended

Re: Layer 7 Protocols for Apache Attack

Fri Jul 02, 2021 12:32 pm

And what about httpS?
 
normis
MikroTik Support
Posts: 26351
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Layer 7 Protocols for Apache Attack

Fri Jul 02, 2021 12:35 pm

Just like Rextended is trying to say, if this attack is happening over HTTPS, then a RouterOS Layer7 rule will not see any URL and you can't block it.
 
rextended

Re: Layer 7 Protocols for Apache Attack

Fri Jul 02, 2021 12:40 pm

Why censor the attacker?

Probably you have some device infected now, or in the past (or someone using your Public IP), with QSnatch.
Your Public IP address is now on the "qlist" of some "Command & Control" servers.

Simply put the IP of the requester on a blacklist: in /ip firewall raw add a rule to drop in prerouting all traffic from that source IP...
 
halimzhz

Re: Layer 7 Protocols for Apache Attack

Fri Jul 02, 2021 1:37 pm

>>>Just like Rextended is trying to say, if this attack is happening over HTTPS, then RouterOS Layer7 rule will not see any URL and you can't block it.

Yes, it's over HTTPS, because I got it from the Apache HTTPS log; the normal log can't see that. It's thousands of random IPs attacking.
 
msatter
Forum Guru
Posts: 2912
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Layer 7 Protocols for Apache Attack

Fri Jul 02, 2021 1:41 pm

Do you need to have port 443 (HTTPS) open for incoming (new and not returning) traffic?

If so, then drop in RAW all TCP/443 traffic that has a SYN (new connection). I will post the line for that later.

add action=drop chain=prerouting dst-address=111.222.333.444 dst-port=80,443 protocol=tcp tcp-flags=!fin,!rst,!psh,!ack,!urg,!ece,!cwr

Replace 111.222.333.444 with your external IP address, and if you are not sure, replace drop with passthrough and log to see if you are catching the attacker.
 
rextended

Re: Layer 7 Protocols for Apache Attack

Fri Jul 02, 2021 1:56 pm

But in this way you drop all traffic also for regular users...
 
halimzhz

Re: Layer 7 Protocols for Apache Attack

Fri Jul 02, 2021 2:09 pm

Hi,

What I was thinking now is to make ModSecurity rules with Fail2ban to detect it, and make a Python script to send the IP to the MikroTik API to block it, but that of course is the hard way. I thought in the first place MikroTik would detect it as usual, as I did with the 'Advanced - Content' filter, but it does not, because the content filter only works for HTTP/SMTP.
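The detect-and-blacklist flow discussed in this thread (match the probe in the Apache log, then block the source IP on the router so TLS no longer matters), as an added example that is not from any of the posters: it parses constructed access-log lines in Apache combined format, counts requests for /qnap_firmware.xml per client (the t= query value is ignored because it changes every time), and renders the RouterOS CLI lines that put repeat offenders on an address list and drop that list in the raw table. The threshold, list name, timeout and sample IPs (documentation ranges) are assumptions chosen for the example; the script only generates commands and does not talk to a router.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample access-log lines in Apache combined format (not from the
# thread; client IPs are from RFC 5737 documentation ranges).
SAMPLE_LOG = """\
203.0.113.10 - - [02/Jul/2021:02:11:57 +0800] "GET /qnap_firmware.xml?t=1625114063 HTTP/1.1" 403 496 "-" "curl/7.43.0"
203.0.113.10 - - [02/Jul/2021:02:12:03 +0800] "GET /qnap_firmware.xml?t=1625114069 HTTP/1.1" 403 496 "-" "curl/7.43.0"
198.51.100.7 - - [02/Jul/2021:02:12:10 +0800] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Jul/2021:02:12:11 +0800] "GET /qnap_firmware.xml?t=1625114077 HTTP/1.1" 403 496 "-" "curl/7.43.0"
192.0.2.55 - - [02/Jul/2021:02:12:20 +0800] "GET /qnap_firmware.xml?t=1625114086 HTTP/1.1" 403 496 "-" "curl/7.43.0"
192.0.2.55 - - [02/Jul/2021:02:12:21 +0800] "GET /qnap_firmware.xml?t=1625114087 HTTP/1.1" 403 496 "-" "curl/7.43.0"
192.0.2.55 - - [02/Jul/2021:02:12:22 +0800] "GET /qnap_firmware.xml?t=1625114088 HTTP/1.1" 403 496 "-" "curl/7.43.0"
"""

# Fields of the combined log format that we need: client IP, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# The probe path is fixed; only the t= query value varies, so compare the path
# with the query string stripped instead of trying to match the changing number.
PROBE_PATH = "/qnap_firmware.xml"


def offending_ips(log_text, threshold=2):
    """Return {ip: hit_count} for clients that requested the probe path at
    least `threshold` times. Malformed lines are skipped rather than trusted."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        if path == PROBE_PATH:
            hits[m.group("ip")] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


def routeros_commands(ips, list_name="qsnatch_probe", timeout="1d"):
    """Render RouterOS CLI lines: one address-list entry per offender (with a
    timeout so the list cleans itself up) plus the single raw-table rule that
    drops everything from that list before connection tracking. The raw rule
    only needs to be added once; it is emitted here so the output is complete."""
    lines = []
    for ip in sorted(ips, key=ip_address):
        lines.append(
            f"/ip firewall address-list add list={list_name} address={ip} "
            f'timeout={timeout} comment="{PROBE_PATH} probe"'
        )
    lines.append(
        f"/ip firewall raw add chain=prerouting src-address-list={list_name} "
        f'action=drop comment="drop {list_name} sources"'
    )
    return lines


if __name__ == "__main__":
    for cmd in routeros_commands(offending_ips(SAMPLE_LOG)):
        print(cmd)
```

Blocking by source address on the router works regardless of whether the request came in over HTTP or HTTPS, which is why it sidesteps the Layer7 limitation normis and rextended describe; the host that sees the decrypted request (Apache) does the detection, and the router only ever needs the IP. Start with a modest threshold and a timeout, and watch the address list for a day before trusting it, since a shared or NATed client that trips the rule once would otherwise be locked out.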
 
rextended

Re: Layer 7 Protocols for Apache Attack

Fri Jul 02, 2021 2:23 pm

Again, what is gained in illusory privacy, we lose in control...
 
msatter

Re: Layer 7 Protocols for Apache Attack

Fri Jul 02, 2021 4:18 pm

>>>But in this way drop all traffic also for regular users...

Don't be that trigger happy, rextended. Read the first sentence before you shoot.

Over and out.
 
rextended

Re: Layer 7 Protocols for Apache Attack

Fri Jul 02, 2021 6:25 pm

The first sentence is a question:

>>>Do you need to have port 443 (HTTPS) open for incoming (new and not returning) traffic?

and after that:

>>>If so then drop in RAW all traffic TCP/443 that has a SYNC (new connection) I will post later the line to that.

And translated into Italian or not, it is like you suggest to drop all traffic if you need that traffic....

Better, to avoid misunderstanding:

"If you do not need to have port 443 (HTTPS) open for incoming (new and not returning) traffic, then drop in RAW..." etc.

But I think no-one sets up an https Apache just to leave it closed...
