F*EX use case: anti-spam configuration

Most spam and phishing attacks nowadays are launched from hacked web servers. fexsrv is a web server too, and therefore a target of hacking attempts. They are all futile, because fexsrv is not hackable, but they keep annoying.

fexsrv supports a hook function, $header_hook(), which it calls with the connection information, the request header and the client IP address.
In a default installation it is undefined, but you can define it in fex.ph if you want.

For example, I have the following setup (on Linux):

A copy of the iptables program with the s-bit (setuid root) set:

  fex@fex: ll /home/fex/bin/iptables
  -rwsr-sr-x root  root 47,480 2008-01-28 14:49:09 /home/fex/bin/iptables
so that the unprivileged user fex can modify the local iptables firewall rules. The copy is owned by root and writable only by root, so fex can run it but not replace it.

And then in fex.ph I have:

  $iptables = '/home/fex/bin/iptables';

  # called by fexsrv with the connection info, the request header
  # and the client IP address; $spooldir, $admin, @log and fexlog()
  # are provided by fexsrv/fex.ph
  $header_hook = sub {
    my ($connect,$header,$ip) = @_;
    local (*L,*P);
    local $_;

    # untaint the client address; give up if it does not look like one
    if ($ip and $ip =~ /^([\w.:]+)$/) { $ip = $1 } else { return }

    # download requests (/fop) are never checked
    return if $header =~ /^GET \/fop/;
    $header =~ s/[\r\n]+$//;

    # "death patterns": a request matching one of these gets its
    # source address REJECTed by the firewall
    my @dl = qw(
      ^CONNECT
      ^GET.*admin/main.php
      ^GET.*php[Mm]y[Aa]dmin
      ^GET.*sciencedirect
      ^GET.*php\?\w+=
      ^GET.*scripts/setup.php
      ^GET.*http://
      ^GET.*html%.*onmousedown
      ^GET.*\.\./\.\./
      ^GET.*\.\.\\\\\.\.\\\\
      ^GET.*STRMVER=
      ^GET./admin
      ^GET./mysql
      ^GET./web
      ^GET./plugins
      ^GET./awstats
      ^GET./search.php
      ^GET./\?feed=
      ^GET.http://www.baidu.com
      ^POST.*\.php
      ^User-Agent:.Toplistbot
      ^User-Agent:.MSIE
      ^User-Agent:.Toata
      ^User-Agent:.Sosospider
      ^User-Agent:.Hatena
      ^User-Agent:.*daum.net
      ^User-Agent:.*puritysearch
      ^User-Agent:.*Mp3Bot
      ^User-Agent:.*TencentTraveler
      ^User-Agent:.*Windows.98
      ^User-Agent:.Internet.Explorer.4
      ^User-Agent:.Mozilla/4.0$
      ^User-Agent:.facebook
      ^User-Agent:.*FunWebProducts
      ^Host:.\d+\.\d+\.\d+\.\d+
      ^Content-Type:.*boundary=xYzZY
      ^Referer:.*handbag
      ^Referer:.*replica
      ^Range:bytes=0-$
    );

    foreach my $dp (@dl) {
      if ($header =~ /$dp/) {
        # serialize concurrent connection handlers; the lock is
        # released when this handler exits (LOCK_EX needs
        # "use Fcntl qw(:flock)" if it is not already imported)
        if (open L,">>$spooldir/.block") {
          flock L,LOCK_EX;
        }
        # already blocked? then just drop this connection; the address
        # is anchored on whitespace so that 10.0.0.1 does not match a
        # rule for 10.0.0.12
        if (open P,"$iptables -L BLOCK -n |") {
          while (<P>) {
            exit if /^REJECT\s.*\s\Q$ip\E\s/;
          }
          close P;
        }
        # add the firewall rule, log it, notify the admin and
        # terminate this connection handler
        system "$iptables -A BLOCK -s $ip -j REJECT";
        fexlog($connect,@log,"IPBLOCK: $dp");
        if (open P,"| mailx -s 'FEX deathpattern $ip' $admin") {
          print P "$connect\n";
          print P "$header =~ $dp\n\n";
          close P;
        }
        exit;
      }
    }
  };
With this hook, every pseudo-hacker is blocked at the firewall as soon as one of his requests matches a pattern in @dl (see above).

This results in a BLOCK chain with one REJECT rule per blocked address:

  fex@fex: iptables -L BLOCK -n
  
  Chain BLOCK (1 references)
  target     prot opt source               destination         

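A dry run of the hook's matching logic, as an added example that is not part of fex.ph or F*EX: it runs a subset of @dl over constructed header lines and tests the duplicate-rule lookup on a constructed iptables listing, so the logic can be checked without root or a real firewall. It assumes the hook sees one header line per call, which the anchored ^User-Agent: and ^Host: patterns imply.

```perl
# Added example, not code from fex.ph: a dry run of the hook's pattern
# check on constructed header lines plus the "already blocked" lookup.
# Assumes one header line per hook call, as the anchored patterns imply.
use strict; use warnings;

# a subset of the death patterns from the page
my @dl = qw(
  ^GET.*php[Mm]y[Aa]dmin
  ^GET.*scripts/setup.php
  ^GET.*\.\./\.\./
  ^User-Agent:.*FunWebProducts
  ^Host:.\d+\.\d+\.\d+\.\d+
);

# first matching death pattern, or undef for a clean line;
# download requests (/fop) are exempt, as in the hook
sub deathpattern {
  my ($header) = @_;
  $header =~ s/[\r\n]+$//;
  return if $header =~ /^GET \/fop/;
  foreach my $dp (@dl) { return $dp if $header =~ /$dp/ }
  return;
}

# existing REJECT rule in "iptables -L BLOCK -n" output? the address
# is anchored on whitespace so 192.0.2.1 is not taken for 192.0.2.12
sub is_blocked {
  my ($listing,$ip) = @_;
  foreach (split /\n/,$listing) { return 1 if /^REJECT\s.*\s\Q$ip\E\s/ }
  return 0;
}
# constructed header lines, as a client would send them
my @lines = (
  "GET /fop/a1b2c3/report.pdf HTTP/1.1\r\n",
  "GET /phpMyAdmin/scripts/setup.php HTTP/1.1\r\n",
  "GET /index.html HTTP/1.1\r\n",
  "User-Agent: Mozilla/4.0 (FunWebProducts)\r\n",
  "Host: 192.0.2.10\r\n",
);
foreach (@lines) {
  my $dp = deathpattern($_);
  (my $line = $_) =~ s/[\r\n]+$//;
  printf "%-46s %s\n", $line, $dp ? "IPBLOCK: $dp" : "ok";
}
# constructed listing with one rule (RFC 5737 documentation address)
my $listing = "Chain BLOCK (1 references)\n"
  . "target     prot opt source               destination\n"
  . "REJECT     all  --  192.0.2.12           0.0.0.0/0           reject-with icmp-port-unreachable\n";
printf "%s already blocked: %s\n", $_, is_blocked($listing,$_) ? "yes" : "no"
  for qw(192.0.2.12 192.0.2.1);
```

The /fop and /index.html lines pass, the other three report the pattern that would trigger the block, and only 192.0.2.12 is reported as already blocked.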

framstag@rus.uni-stuttgart.de