
I'm trying to block all autodiscover.xml requests to our server using iptables. The autodiscover file does not exist on our server, but because the website does not have a subdomain the requests are hitting our server. Here is what I've input so far but they aren't working. See the log following. Requests keep coming.

iptables -I INPUT -p tcp --dport 80 -m string --string "POST /autodiscover" --algo bm -j DROP
iptables -I INPUT -p tcp --dport 443 -m string --string "POST /autodiscover" --algo bm -j DROP

That results in this at the top of the INPUT chain:

DROP       tcp  --  anywhere             anywhere             tcp dpt:http STRING match  "POST /autodiscover" ALGO name bm TO 65535
DROP       tcp  --  anywhere             anywhere             tcp dpt:https STRING match  "POST /autodiscover" ALGO name bm TO 65535

However, I'm still getting the requests in the Apache log.

[09/Jan/2020:17:04:31 -0500] "POST /autodiscover/autodiscover.xml HTTP/1.1" 403 3668 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.6701; Pro)"
[09/Jan/2020:17:12:59 -0500] "POST /autodiscover/autodiscover.xml HTTP/1.1" 403 3668 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.6701; Pro)"
Jason

1 Answer


iptables is the wrong tool for the job here. You're working on the assumption that what you would see at a TCP level is the same as what the browser sends, but this is often not the case.

The biggest example would be HTTPS, and also HTTP/2; more generally, you would also find that compression encoding would get in the way here too.

Another thing that will frustrate your attempts here, and potentially break other traffic, is connection keep-alives.

Since you are using Apache httpd, you should really do this within httpd. Here's one such example, which I use to prevent passing such requests to a backend (httpd is being used as a reverse proxy), and I instead redirect this to one of the Exchange servers:

# Don't hand this path to the proxied backend; send the client to the
# Autodiscover host instead. Outlook expects /autodiscover/autodiscover.xml
# on that host, so the redirect target keeps the full path.
ProxyPass        /autodiscover/autodiscover.xml !
Redirect 302     /autodiscover/autodiscover.xml https://autodiscover.example.org/autodiscover/autodiscover.xml

Other options would be to forbid the content. Here I've also shown how you can combine this if you don't want to forbid internal clients (although practically you may still need to support users from outside of your network).

RewriteEngine On
# Skip the block for internal clients (10.0.0.0/8 here); adjust to your ranges.
RewriteCond %{REMOTE_ADDR} !^10\.
# Any URI under /autodiscover (the RewriteRule pattern itself matches everything).
RewriteCond %{REQUEST_URI} ^/autodiscover
# [F] returns 403 Forbidden and implies [L], so no later rules run.
RewriteRule .* - [F]

Another example that just 404s the requests (again, in a reverse-proxy environment)

#
# Deal with some particularly noisy 404s that we don't want to throw back to the
# backend as they can take a long time to process.
#
ProxyPass        /autodiscover/autodiscover.xml !
# Server/virtual-host context: the URI carries its leading slash. In a
# per-directory (.htaccess) context the leading slash is stripped before
# matching, so the pattern would need to start with ^autodiscover/ instead.
RewriteRule      ^/autodiscover/autodiscover.xml$ - [R=404,L]
Cameron Kerr
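The answer's point, that a per-packet string match does not see what the web server sees, can be checked without a live host. The following is an added example, not code from the question or the answer: it models what `iptables -m string --string "POST /autodiscover"` can see in a few constructed traffic shapes (one plaintext HTTP/1.1 segment, the same request split across TCP segments using a deliberately small segment size, a genuine HTTP/2 HEADERS frame with HPACK-coded headers per RFC 7540/7541, and an opaque record standing in for TLS) and compares that with the request line httpd logs after it has terminated TLS and reassembled the stream. The "TLS" record is a stand-in (a SHA-256 keystream XOR, not real TLS) used only to produce ciphertext-like bytes; the host names and request are constructed.

```python
"""
Added example (not from the question or the answer): a model of what an
iptables `-m string` rule can see per packet versus the request line Apache
httpd logs after TLS termination and stream reassembly. All traffic below is
constructed; the TLS record is a stand-in, not real TLS.
"""
import hashlib
import struct

PATTERN = b"POST /autodiscover"           # what the iptables rule searches for
PATH = b"/autodiscover/autodiscover.xml"

# Constructed plaintext HTTP/1.1 request, modelled on the User-Agent in the log.
REQUEST = (
    b"POST " + PATH + b" HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.6701; Pro)\r\n"
    b"Content-Length: 0\r\n\r\n"
)


def string_match(packets, pattern=PATTERN):
    """Model of `-m string`: each packet payload is searched on its own.
    Netfilter does not reassemble the TCP stream for this match."""
    return any(pattern in p for p in packets)


def segment(payload, mss):
    """Split one byte string into TCP-segment-sized payloads."""
    return [payload[i:i + mss] for i in range(0, len(payload), mss)]


def http2_request(path=PATH, authority=b"www.example.com"):
    """Connection preface plus one HEADERS frame for `POST path`, HPACK-coded
    with static-table references and non-Huffman literals. The method never
    appears as the bytes "POST": it is static table index 3."""
    block = bytes([0x83])                               # indexed: static 3 = ":method POST"
    block += bytes([0x87])                              # indexed: static 7 = ":scheme https"
    block += bytes([0x44, len(path)]) + path            # literal value, name index 4 (:path)
    block += bytes([0x41, len(authority)]) + authority  # literal value, name index 1 (:authority)
    header = struct.pack(">I", len(block))[1:]          # 24-bit payload length
    header += bytes([0x01, 0x05])                       # type HEADERS, END_STREAM|END_HEADERS
    header += struct.pack(">I", 1)                      # stream id 1
    return b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n" + header + block


def opaque_record(plaintext, key=b"stand-in key, not TLS"):
    """Stand-in for a TLS application-data record (assumption: any AEAD
    ciphertext is equally opaque). A SHA-256 counter keystream is XORed over
    the plaintext purely to remove recognisable substrings; not real TLS."""
    blocks = (len(plaintext) + 31) // 32
    stream = b"".join(hashlib.sha256(key + struct.pack(">I", i)).digest()
                      for i in range(blocks))
    body = bytes(a ^ b for a, b in zip(plaintext, stream))
    return b"\x17\x03\x03" + struct.pack(">H", len(body)) + body


def apache_request_line(request=REQUEST):
    """What httpd has once TLS is terminated and the stream is reassembled:
    the request line that ends up in the access log."""
    return request.split(b"\r\n", 1)[0].decode()


def visibility():
    """Whether the iptables string match would fire for each traffic shape."""
    return {
        "http1_plain_one_segment": string_match([REQUEST]),
        "http1_plain_split_segments": string_match(segment(REQUEST, 10)),
        "http2_plain": string_match([http2_request()]),
        "tls_record": string_match(segment(opaque_record(REQUEST), 1460)),
    }


if __name__ == "__main__":
    for case, seen in visibility().items():
        print(f"{case:30} iptables string match: {seen}")
    print("httpd logs:", apache_request_line())
```

Only the single plaintext HTTP/1.1 segment matches; the split, HTTP/2 and encrypted shapes all pass the rule untouched, while httpd still sees the full request line in every case, which is why the log keeps filling up and why the block belongs in the httpd configuration.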