Skip to main content

How to drop outgoing traffic based on matching string over HTTPS [Resolved]

I am managing a small shared hosting server. Today I received a complaint from my hosting provider that my server is sending out requests on wp-login.php pages of other websites elsewhere. I implemented the firewall rule

/sbin/iptables -I OUTPUT -p tcp --dport 80 -m string --string "wp-login.php" --algo kmp -j REJECT --reject-with tcp-reset

I tested and see from my server I can't send a request to http://testsite.com/wp-login.php. This is great, and it works as expected.

However, I still received further complaint about this issue, so I guess a bad user is using HTTPS to attack wp-login.php of the target websites. I implemented the following rule, but it does not work

/sbin/iptables -I OUTPUT -p tcp --dport 443 -m string --string "wp-login.php" --algo kmp -j REJECT --reject-with tcp-reset

I understand, because over HTTPS URL is encrypted, so this method does not work.

I'd like to ask how should I go around with this issue to prevent/block/identify the culprit?

Thanks in advance!


Question Credit: John
Question Reference
Asked March 15, 2019
Posted Under: Network
11 views
1 Answers

Drop OUTPUT for web users

iptables -A OUTPUT -m owner --gid-owner web-users -j DROP

Install transparent local proxy. Block traffic there.


credit: FAEWZX
Answered March 15, 2019
Your Answer