I manage several colo and dedicated servers at various data centers around the world. Something we often do is physically place a MikroTik router inside our colo'd server chassis and power it via a Molex, then connect the server's Ethernet to the MikroTik and run the uplink from the data center through the MikroTik as well (by the way, this is an excellent use of MikroTik routers for various reasons/uses such as VPN-only server management, firewall, IP-based access control, bandwidth shaping, etc.).
All of the clients on the servers are simply hosting websites, either on port 80 or on 443 if SSL. An issue we often come across is that a client's website becomes infected and is essentially used as a proxy or as a machine to launch attacks on other websites, such as brute forcing or site/port scanning.
I was thinking that a good way to combat this might be the following, and was looking for input from others (perhaps this idea is already very common or perhaps it's entirely wrong):
The concept is that the server is only allowed (based on IP address) to connect to an IP if that IP address first initiates a connection to the server. The idea is that a legitimate website visitor will first access the server, their IP address is then added to an address list with, say, a 12-hour timeout, and then *only* IP addresses on the address list are allowed to be connected to from the server; all other traffic/outbound connections are dropped.
Again, the idea is to keep the server from connecting to an IP address that has *not* first attempted to connect to the server
(obviously, for legitimate outbound connections such as software updates or software installations, those IP addresses will have to be manually added to the address list / whitelisted, or these firewall rules temporarily disabled).
Any input or feedback on this concept? Or is it all perhaps already a very common technique? Or is my logic incorrect?
I'm in the process of setting this up on one server and will post the actual firewall rules once it's functional so that others may see this technique in use on their MikroTik setups.
Thanks
EDIT:
I should also add that this rule / the MT firewall is not the only firewall I'm running; on the actual servers I run iptables (the Linux firewall) to handle IP-list-based access for management ports (since the servers have public IPs).
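Added example, not the poster's rules and not from the original thread: one way to express the address-list idea above as a RouterOS filter set. Interface names ether1-uplink (data-center side) and ether2-server are placeholders, as is the 203.0.113.10 whitelist entry; replace them with your own. New inbound web connections record the visitor's address in a list for 12 hours, and new outbound connections from the server are only accepted towards addresses on that list or on a manually maintained list; everything else leaving the server is logged and dropped.

```routeros
# Manually whitelisted outbound destinations (update mirrors, package repos).
# 203.0.113.10 is a placeholder address, not a real mirror.
/ip firewall address-list
add list=allowed-outbound address=203.0.113.10 comment="placeholder: distro update mirror"

/ip firewall filter
# Keep existing flows working in both directions; drop broken state.
add chain=forward connection-state=established,related action=accept \
    comment="established/related both ways"
add chain=forward connection-state=invalid action=drop comment="drop invalid"

# Inbound web visitors: remember the source for 12h, then accept the request.
# add-src-to-address-list does not terminate rule processing, so the accept
# rule that follows still applies to the same packet.
add chain=forward in-interface=ether1-uplink out-interface=ether2-server \
    protocol=tcp dst-port=80,443 connection-state=new \
    action=add-src-to-address-list address-list=web-visitors \
    address-list-timeout=12h comment="remember web visitor for 12h"
add chain=forward in-interface=ether1-uplink out-interface=ether2-server \
    protocol=tcp dst-port=80,443 connection-state=new action=accept \
    comment="accept web traffic to the server"

# Outbound from the server: only towards recent visitors or the manual whitelist.
add chain=forward in-interface=ether2-server out-interface=ether1-uplink \
    connection-state=new dst-address-list=web-visitors action=accept \
    comment="server may open connections back to recent visitors"
add chain=forward in-interface=ether2-server out-interface=ether1-uplink \
    connection-state=new dst-address-list=allowed-outbound action=accept \
    comment="manual whitelist: updates, repos"
add chain=forward in-interface=ether2-server out-interface=ether1-uplink \
    connection-state=new action=log log-prefix="egress-drop" \
    comment="log every blocked outbound attempt (compromise indicator)"
add chain=forward in-interface=ether2-server out-interface=ether1-uplink \
    connection-state=new action=drop comment="drop all other outbound from server"
```

If the MikroTik sits in the path as a bridge rather than a router (the server keeps its public IP), the forward chain only sees the traffic after `/interface bridge settings set use-ip-firewall=yes`. `/ip firewall address-list print where list=web-visitors` shows who is currently allowed, and the `egress-drop` log entries are the useful part for detection: a burst of drops towards many unlisted addresses is exactly the scanning/brute-force behaviour the rules are meant to contain. One limitation to keep in mind: the list only blocks connections to hosts that never contacted the server, so it reduces the blast radius of an infected site rather than replacing host-level cleanup, and anything the server needs unconditionally (DNS resolvers, NTP) belongs on the manual list.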