DirectAdmin Knowledge Base and Support


Protecting IP from hijacking from inside

15:13:36 15.08.2012

If you sell additional IPs to your users so that they can connect to remote servers from your hosting server using their dedicated IP as the source address, you might want (or even need) to protect that IP from hijacking by your other customers, so that nobody else on the same server can send traffic from it.


How to change source IP in a PHP script using cURL: 

Use CURLOPT_INTERFACE with the name of the outgoing network interface to use. This can be an interface name, an IP address or a host name.

// $ip holds the dedicated IP the script uses as its source address
curl_setopt($ch, CURLOPT_INTERFACE, $ip);

http://www.php.net/manual/en/function.curl-setopt.php


How to change source IP in a PHP script using Socket Functions:

Use socket_bind(), which binds a name (here, a source address) to a socket before it connects:

// Create the socket, then bind it to the chosen source address before connecting
$sock = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
socket_bind($sock, $sourceips['madcoder']);

http://www.php.net/manual/en/function.socket-bind.php


Let's protect it with iptables:

You'll need the owner match module loaded into your kernel (ipt_owner on older kernels; on current kernels it is called xt_owner and is normally loaded automatically when a rule uses -m owner):

modprobe ipt_owner

And here is a small script for a DirectAdmin-powered server that simplifies writing the iptables rules. It reads the per-IP files from DirectAdmin's data directory and prints one rule per IP, so that each IP can only be used as a source address by the user it belongs to:

#!/bin/sh
# =========================================================
# by PLUGINS-DA.NET $ Wed Aug 15 14:54:27 NOVT 2012
# =========================================================

# DirectAdmin keeps one file per IP here, with "status=..." and "value=..." lines
DIR_IPS="/usr/local/directadmin/data/admin/ips";
IPTABLES_PROGRAMM=`which iptables`;
# Dedicated chain for new outgoing HTTP/HTTPS connections
IPTABLES_TARGET="OUTPUT-TO-HTTP";
# The only user allowed to send from IPs that are not assigned to anyone
DEFAULT_USER="root";

echo "# :OUTPUT-TO-HTTP - [0:0]"
echo "$IPTABLES_PROGRAMM -N $IPTABLES_TARGET";
# Route every new outgoing TCP connection to ports 80/443 (except on lo) through the chain
echo "$IPTABLES_PROGRAMM -A OUTPUT ! -o lo -p tcp -m state --state NEW -m tcp -m multiport --dports 80,443 -j $IPTABLES_TARGET";

# Loop over the IP files, skipping loopback addresses
for IP in `ls -1 $DIR_IPS | grep -v '127\.0'`;
do
    IP_FILE=$DIR_IPS/$IP;
    STATUS=`grep ^status= $IP_FILE | cut -d= -f2`;
    VALUE=`grep ^value= $IP_FILE | cut -d= -f2`;
    echo "# $IP status $STATUS value $VALUE";
    # Note: a single = inside [ ] (== is a bashism and fails under /bin/sh on dash-based systems)
    if [ "$STATUS" = "shared" ];
    then
        # shared IP: every local user may send from it
        echo "$IPTABLES_PROGRAMM -A $IPTABLES_TARGET -s $IP -j ACCEPT";
    elif [ "$STATUS" = "server" ];
    then
        # server IP: same, every local user may send from it
        echo "$IPTABLES_PROGRAMM -A $IPTABLES_TARGET -s $IP -j ACCEPT";
    elif [ "$STATUS" = "owned" ];
    then
        # owned IP: only the owning user (VALUE holds the username) may send from it
        echo "$IPTABLES_PROGRAMM -A $IPTABLES_TARGET -s $IP -m owner --uid-owner $VALUE -j ACCEPT";
    else
        # free (or unknown) IP: only DEFAULT_USER may send from it
        echo "$IPTABLES_PROGRAMM -A $IPTABLES_TARGET -s $IP -m owner --uid-owner $DEFAULT_USER -j ACCEPT";
    fi;
done;

# Everything else is logged (with the UID of the sending process) and rejected
echo "# Deny and log others";
echo "$IPTABLES_PROGRAMM -A $IPTABLES_TARGET -j LOG --log-tcp-options --log-ip-options --log-uid --log-prefix \"OUTPUT IP HIJACK TO HTTP: \"";
echo "$IPTABLES_PROGRAMM -A $IPTABLES_TARGET -j REJECT --reject-with icmp-host-prohibited";

exit;

As a result of running this script you should see iptables rules like the following (the IPs are partly masked here):

/sbin/iptables -A OUTPUT ! -o lo -p tcp -m state --state NEW -m tcp -m multiport --dports 80,443 -j OUTPUT-TO-HTTP
# 217.bb.cc.124 status server value 2
/sbin/iptables -A OUTPUT-TO-HTTP -s 217.bb.cc.124 -j ACCEPT
# 217.bb.cc.27 status shared value 133
/sbin/iptables -A OUTPUT-TO-HTTP -s 217.bb.cc.27 -j ACCEPT
# 217.bb.cc.28 status owned value userbob
/sbin/iptables -A OUTPUT-TO-HTTP -s 217.bb.cc.28 -m owner --uid-owner userbob -j ACCEPT
# 217.bb.cc.29 status owned value userjohn
/sbin/iptables -A OUTPUT-TO-HTTP -s 217.bb.cc.29 -m owner --uid-owner userjohn -j ACCEPT
# 217.bb.cc.30 status shared value 44
/sbin/iptables -A OUTPUT-TO-HTTP -s 217.bb.cc.30 -j ACCEPT
# 217.bb.cc.31 status free value
/sbin/iptables -A OUTPUT-TO-HTTP -s 217.bb.cc.31 -m owner --uid-owner root -j ACCEPT
# 217.bb.cc.32 status free value
/sbin/iptables -A OUTPUT-TO-HTTP -s 217.bb.cc.32 -m owner --uid-owner root -j ACCEPT
# 217.bb.cc.33 status free value
/sbin/iptables -A OUTPUT-TO-HTTP -s 217.bb.cc.33 -m owner --uid-owner root -j ACCEPT
# 217.bb.cc.34 status free value
/sbin/iptables -A OUTPUT-TO-HTTP -s 217.bb.cc.34 -m owner --uid-owner root -j ACCEPT
# Deny and log others
/sbin/iptables -A OUTPUT-TO-HTTP -j LOG --log-tcp-options --log-ip-options --log-uid --log-prefix "OUTPUT IP HIJACK TO HTTP: "
/sbin/iptables -A OUTPUT-TO-HTTP -j REJECT --reject-with icmp-host-prohibited

So copy the output into your iptables script and you're ready to go. Keep in mind that these rules only cover new TCP connections to ports 80 and 443; extend --dports if your users may reach other services from their dedicated IPs. The LOG rule records the UID of the process that tried to send from a foreign IP, which is exactly what you need to find the offending account afterwards. When you re-run the generator after assigning or freeing IPs, flush the OUTPUT-TO-HTTP chain first so the old rules do not linger.
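As an added example (this is not the page's script and not DirectAdmin's code), the following POSIX sh rewrites the generator so that it runs over a constructed temporary directory of DirectAdmin-style ip files, using RFC 5737 documentation addresses (192.0.2.x) in place of real ones, and handles two cases the script above does not: files in the directory whose names are not IPv4 addresses are ignored, and an "owned" record with an empty value is restricted to root instead of producing an empty --uid-owner argument that iptables would reject. It also carries a small parser for the kernel LOG lines that the final rules emit (the sample log lines are constructed), so that the offending UID and the IP it tried to use can be read straight from the log. Rules are printed in iptables-restore style (no binary path); all function, file and variable names are the example's own.

```shell
#!/bin/sh
# Added example, not the page's script: POSIX-sh rule generator plus a
# parser for the "OUTPUT IP HIJACK TO HTTP:" kernel log lines.
# All data below is constructed; addresses are RFC 5737 documentation ranges.

# Build a temporary directory that mimics /usr/local/directadmin/data/admin/ips:
# one file per IP, each holding a status=... and a value=... line.
make_sample_ips() {
    sample_dir=$(mktemp -d)
    printf 'status=server\nvalue=2\n'      > "$sample_dir/192.0.2.124"
    printf 'status=shared\nvalue=133\n'    > "$sample_dir/192.0.2.27"
    printf 'status=owned\nvalue=userbob\n' > "$sample_dir/192.0.2.28"
    printf 'status=owned\nvalue=\n'        > "$sample_dir/192.0.2.29"  # owned, but no user recorded
    printf 'status=free\nvalue=\n'         > "$sample_dir/192.0.2.31"
    printf 'status=shared\nvalue=1\n'      > "$sample_dir/127.0.0.1"   # loopback, must be skipped
    printf 'not an ip record\n'            > "$sample_dir/README"      # stray file, must be skipped
    echo "$sample_dir"
}

# Print the ACCEPT rule for one ip file, or nothing (status 1) if the file
# should not produce a rule at all.
rule_for_ip() {
    ipfile=$1
    chain=$2
    ip=$(basename "$ipfile")
    case $ip in
        127.*) return 1 ;;          # loopback is already excluded by "! -o lo"
    esac
    # Only dotted-quad file names are IP records; ignore anything else
    echo "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    status=$(sed -n 's/^status=//p' "$ipfile")
    value=$(sed -n 's/^value=//p' "$ipfile")
    case $status in
        shared|server)
            # shared or server IP: every local user may send from it
            echo "-A $chain -s $ip -j ACCEPT" ;;
        owned)
            # owned IP: only the owner; an empty value would yield "--uid-owner "
            # and iptables would refuse the line, so fail closed to root instead
            if [ -z "$value" ]; then
                echo "# WARNING: $ip is owned but has no value, restricting to root"
                value=root
            fi
            echo "-A $chain -s $ip -m owner --uid-owner $value -j ACCEPT" ;;
        *)
            # free or unknown status: root only
            echo "-A $chain -s $ip -m owner --uid-owner root -j ACCEPT" ;;
    esac
}

# Emit the whole rule set in iptables-restore style for the given ips directory.
generate_rules() {
    ips_dir=$1
    chain=${2:-OUTPUT-TO-HTTP}
    echo "-N $chain"
    echo "-A OUTPUT ! -o lo -p tcp -m state --state NEW -m multiport --dports 80,443 -j $chain"
    for f in "$ips_dir"/*; do
        rule_for_ip "$f" "$chain" || true
    done
    echo "-A $chain -j LOG --log-uid --log-prefix \"OUTPUT IP HIJACK TO HTTP: \""
    echo "-A $chain -j REJECT --reject-with icmp-host-prohibited"
}

# Constructed kernel log excerpt: two rejected attempts plus an unrelated line.
SAMPLE_LOG='Aug 15 15:01:02 host kernel: OUTPUT IP HIJACK TO HTTP: IN= OUT=eth0 SRC=192.0.2.28 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1002 GID=1002
Aug 15 15:01:03 host kernel: OUTPUT IP HIJACK TO HTTP: IN= OUT=eth0 SRC=192.0.2.31 DST=198.51.100.11 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=51235 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1003 GID=1003
Aug 15 15:01:04 host sshd[123]: Accepted publickey for root from 203.0.113.5 port 40000'

# Detection: read log lines on stdin and print "UID SRC DST DPT" for every
# rejected attempt, so the offending account (UID) and the IP it tried to
# borrow (SRC) can be matched against the ips directory.
hijack_attempts() {
    grep 'OUTPUT IP HIJACK TO HTTP:' | awk '{
        uid = src = dst = dpt = "?"
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n < 2) continue
            if (kv[1] == "UID") uid = kv[2]
            else if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "DST") dst = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
        }
        print uid, src, dst, dpt
    }'
}

# Usage: sh hijack_rules.sh demo
if [ "${1:-}" = "demo" ]; then
    demo_dir=$(make_sample_ips)
    generate_rules "$demo_dir"
    echo "$SAMPLE_LOG" | hijack_attempts
    rm -rf "$demo_dir"
fi
```

To use the generator against a real server, call generate_rules with /usr/local/directadmin/data/admin/ips and feed the output to iptables-restore (or prefix each line with the iptables binary, as the page's script does). The WARNING comment line for an owned IP without a value is the one to look for before loading the rules: it means DirectAdmin's record is inconsistent and the IP has been locked to root until it is fixed.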
