
I am managing a small shared hosting server. Today I received a complaint from my hosting provider that my server is sending out requests on wp-login.php pages of other websites elsewhere. I implemented the firewall rule

/sbin/iptables -I OUTPUT -p tcp --dport 80 -m string --string "wp-login.php" --algo kmp -j REJECT --reject-with tcp-reset

I tested and see from my server I can't send a request to http://testsite.com/wp-login.php. This is great, and it works as expected.

However, I still received further complaint about this issue, so I guess a bad user is using HTTPS to attack wp-login.php of the target websites. I implemented the following rule, but it does not work

/sbin/iptables -I OUTPUT -p tcp --dport 443 -m string --string "wp-login.php" --algo kmp -j REJECT --reject-with tcp-reset

I understand why: over HTTPS the URL is encrypted, so this method does not work.

I'd like to ask how I should go about this issue to prevent/block/identify the culprit.

Thanks in advance!

John
    If your server is sending these requests out, and this isn't something you configured yourself, you should assume that there is malware running on the server. You should fix the cause, not the symptoms. – Gerald Schneider Mar 13 '19 at 07:00
  • It is not a duplicate; my server is running and it is likely a bad user intentionally performing GET/POST requests through his PHP script to the wp-login.php page of other people's websites. My job is to prevent this activity or identify the user to punish him. If he sends requests through HTTP, my firewall will block them. But if he sends requests through HTTPS, my firewall cannot block them because traffic is encrypted over HTTPS. – John Mar 13 '19 at 07:05
  • Trying to block such requests is a losing game. Don't even start it. If you block one kind of request he is just going to use another. Identify the user, tell him to stop, and if he doesn't, lock him out. And yes, as long as this user is active you should consider your server compromised. – Gerald Schneider Mar 13 '19 at 07:07
  • This is a very small shared hosting server. I know there are many shared hosting providers out there, and I wonder how they deal with this issue. At least there should be some way to identify the user, or block that string pattern completely. – John Mar 13 '19 at 07:13

1 Answer

Drop OUTPUT for web users

iptables -A OUTPUT -m owner --gid-owner web-users -j DROP

Install transparent local proxy. Block traffic there.

FAEWZX
    Additionally: Log the dropped packages, and you even get the userid that sent the package. See [this answer on logging and dropping](https://stackoverflow.com/a/21893932/212107). – Gerald Schneider Mar 13 '19 at 07:47
  • Thank you for your answer. I understand that this will completely block outgoing traffic of web users, including valid requests (e.g. their sites connecting to an external API), but for the time being I will have to implement this to stop the abusive activity. Thanks @Gerald for your great hint also. – John Mar 13 '19 at 08:07
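The following script is an added example, not code from the answer above or from the questioner: it combines the answer's owner-match DROP rule with the logging suggested in the comment, so that the UID of the account opening outbound connections ends up in the kernel log, and it includes a small awk report that ranks those log lines per UID and resolves a UID to a username. The group name `web-users` is taken from the answer; the `WEBUSER-EGRESS:` log prefix, the rate limit, the conntrack ACCEPT rule (so replies to inbound HTTP requests are not dropped along with the outbound connections), and the sample log and passwd lines are all assumptions or constructed data for the example.

```shell
#!/bin/sh
# Added example: log-then-drop egress rules for a shared-hosting user group,
# plus a report of who is generating the logged attempts.
# Assumed: group "web-users" (from the answer), prefix "WEBUSER-EGRESS: ",
# and the standard iptables LOG format ("... DST=<ip> ... UID=<n> GID=<n>").
set -eu

# Print the iptables commands rather than running them, so they can be
# reviewed first and then applied as root:  ./egress.sh rules | sudo sh
egress_rules() {
    group="${1:-web-users}"
    cat <<EOF
# Loopback and replies to already-established flows (e.g. Apache answering an
# inbound HTTP request) must keep working; only new outbound connections are hit.
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Log new outbound packets from the web-users group, with the sending UID,
# rate-limited so one abusive script cannot flood the kernel log.
iptables -A OUTPUT -m owner --gid-owner ${group} -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "WEBUSER-EGRESS: " --log-uid
# Then drop them (the rule from the answer).
iptables -A OUTPUT -m owner --gid-owner ${group} -j DROP
EOF
}

# Summarise logged egress attempts: "<uid> <count> <first destination seen>",
# most active UID first. Reads the given log files, or stdin if none.
egress_by_uid() {
    awk '/WEBUSER-EGRESS/ {
        uid = ""; dst = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^UID=/) uid = substr($i, 5)
            if ($i ~ /^DST=/) dst = substr($i, 5)
        }
        if (uid != "") { n[uid]++; if (!(uid in d)) d[uid] = dst }
    }
    END { for (u in n) print u, n[u], d[u] }' "$@" | sort -k2,2nr
}

# Resolve a numeric UID to an account name from a passwd-format file.
uid_to_name() {
    awk -F: -v u="$1" '$3 == u { print $1; exit }' "${2:-/etc/passwd}"
}

# Constructed sample kernel log lines, in the format the LOG target emits.
sample_log() {
    cat <<'EOF'
Mar 13 07:20:01 host kernel: WEBUSER-EGRESS: IN= OUT=eth0 SRC=203.0.113.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=51000 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0 UID=1003 GID=1001
Mar 13 07:20:02 host kernel: WEBUSER-EGRESS: IN= OUT=eth0 SRC=203.0.113.10 DST=198.51.100.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=51001 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0 UID=1003 GID=1001
Mar 13 07:20:05 host kernel: WEBUSER-EGRESS: IN= OUT=eth0 SRC=203.0.113.10 DST=192.0.2.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=51002 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0 UID=1007 GID=1001
Mar 13 07:20:06 host kernel: unrelated line that must be ignored UID=9999
EOF
}

# Constructed passwd-format sample for resolving the UIDs above.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/sh
site12:x:1003:1001::/home/site12:/usr/sbin/nologin
site19:x:1007:1001::/home/site19:/usr/sbin/nologin
EOF
}

# Usage:  ./egress.sh rules | sudo sh
#         ./egress.sh report /var/log/kern.log
#         ./egress.sh demo        (runs the report over the constructed sample)
case "${1:-}" in
    rules)  egress_rules "${2:-web-users}" ;;
    report) egress_by_uid "${2:-/var/log/kern.log}" ;;
    demo)   sample_log | egress_by_uid ;;
esac
```

The report deliberately keys on UID rather than on the PHP script name, because the UID comes from the socket owner and survives whatever the script renames itself to; once the account is known, the per-user DROP can be narrowed to `--uid-owner` for that account while other customers' legitimate API calls are restored.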