Re: iptables anti-nimda anyone?
From: Evan Borgstrom (syntec@unixpimps.org)
Date: 09/21/01
- Previous message: Andrew Hatfield: "RE: Tcpdump and 3des packets"
- In reply to: Konrad Michels: "iptables anti-nimda anyone?"
- Next in thread: Bill Weiss: "Re: iptables anti-nimda anyone?"
- Next in thread: Chris Freeze: "RE: iptables anti-nimda anyone?"
- Reply: Bill Weiss: "Re: iptables anti-nimda anyone?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 21 Sep 2001 09:17:56 -0400
From: Evan Borgstrom <syntec@unixpimps.org>
To: focus-linux@securityfocus.com
Subject: Re: iptables anti-nimda anyone?
Message-ID: <20010921091756.A20513@unixpimps.org>
Note: for this to work you need to have compiled IPtables with the string match
module.
$iptables=the path to iptables
$if1addr=the external interface address
$if1=the external interface
$iptables -A INPUT -p tcp -s 0/0 -d $if1addr -i $if1 --match string --string "root.exe" --dport 80 -j DROP
$iptables -A INPUT -p tcp -s 0/0 -d $if1addr -i $if1 --match string --string "cmd.exe" --dport 80 -j DROP
$iptables -A INPUT -p tcp -s 0/0 -d $if1addr -i $if1 --match string --string "default.ida" --dport 80 -j DROP
Then just pipe your apache logs to a little /bin/sh script that verifies that
there is actually content in the logs (otherwise you'll get a WHOLE bunch of
empty apache entries since the connection is already opened).
For instance an empty log would look like this:
IPAddress - - [21/Sep/2001:08:53:33 -0400] "-" 408 -
First add a directive like: TransferLog "|/usr/local/apache/bin/filterandlog"
And then make filterandlog do something like:
------------------------------------------
#!/bin/sh
# this will read line by line, discard empty entries and log the rest like cronolog
# (one file per day, appended to)
LOGDIR=/var/log/httpd
while read -r line; do
    # the second "-delimited field is the request line; "-" means the client
    # never sent one before Apache timed out (the 408 entries shown above)
    content="`echo "$line" | awk -F'"' '{print $2}'`"
    if [ "$content" != "-" ]; then
        echo "$line" >> "$LOGDIR/`date +%Y-%m-%d`"
    fi
done
------------------------------------------
And the nice thing about this is that it will slow things down, since it drops
the packet and the client will be waiting for a response.
Evan
[Wed, Sep 19, 2001 at 04:26:30PM +0100]
Konrad Michels provided the following enlightenment:
> Hi everyone
> I don't suppose one of our iptables gurus out there has an iptables rule
> to filter out this damn nimda thing? I'm really annoyed about it
> filling up my apache logz and would love to drop the packets 'ere they
> get to the apache server . . .
>
> Later
> Konrad
>
> --
> ************************************************************
> * Linux isn't unfriendly - its just picky about who its
> * friends are!
> *
> ************************************************************
> * Konrad Michels (RHCE)
> * Systems Manager
> * OverNet Data (UK) LTD
> ************************************************************
--
Evan Borgstrom <syntec@unixpimps.org>
UNIXPIMPS.ORG - SIG:ILL
-<< PGP >>-------------------------------------------
Fp; A381 103B D115 C7FF A4B2 4F39 DB5E 0F26 9980 8EF9
PK; http://www.unixpimps.org/~syntec/pubkey.asc
-----------------------------------------------------
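The `-m string` rules in the message above inspect each packet on its own, as a literal, case-sensitive byte match, and the DROP leaves the TCP connection open at Apache until it times out with a 408. As an added illustration (an editor's example, not code from Evan's post or from the iptables project), the Python below models that per-packet check against constructed Nimda-shaped probes, including one whose request line straddles a segment boundary, one that percent-encodes the dot and one in upper case, shows a reassembled and normalised check that still catches all three, and applies the filterandlog rule to two constructed log lines. The function names, payloads and log lines are assumptions made for the example.

```python
"""Added example, not code from the original post: models the per-packet
`-m string` DROP rules and shows the probes they miss, then a reassembled,
normalised check that catches them, plus the filterandlog rule applied to
sample log lines. All request payloads and log lines are constructed."""
from urllib.parse import unquote

# The three strings from the iptables rules in the post.
PATTERNS = ("root.exe", "cmd.exe", "default.ida")


def packet_match(segments, patterns=PATTERNS):
    """Model of `iptables -m string`: every TCP segment is searched on its
    own, as a case-sensitive byte substring. Returns the index of the first
    segment that would be DROPped, or None when nothing matches."""
    for i, seg in enumerate(segments):
        if any(p.encode() in seg for p in patterns):
            return i
    return None


def stream_match(segments, patterns=PATTERNS):
    """What an application-layer check (in the web server or a proxy) can
    do instead: reassemble the request, percent-decode and lowercase the
    request line, then search. Closes the split-segment, encoded and
    mixed-case gaps of packet_match."""
    data = b"".join(segments)
    request_line = data.split(b"\r\n", 1)[0].decode("latin-1")
    normalised = unquote(request_line).lower()
    return any(p in normalised for p in patterns)


def keep_log_line(line):
    """The filterandlog rule: the second '"'-delimited field is the request
    line; '-' means the client never sent one (the 408 entries the post
    shows). Returns True when the line should be written to the log."""
    fields = line.split('"')
    return len(fields) >= 2 and fields[1] != "-"


def filter_log(lines):
    """Apply keep_log_line to an iterable of log lines."""
    return [ln for ln in lines if keep_log_line(ln)]


# Constructed probes in the shape of a Nimda scan, plus a benign request.
WHOLE = [b"GET /scripts/root.exe?/c+dir HTTP/1.0\r\nHost: www\r\n\r\n"]
SPLIT = [b"GET /scripts/root.e", b"xe?/c+dir HTTP/1.0\r\nHost: www\r\n\r\n"]
ENCODED = [b"GET /c/winnt/system32/cmd%2eexe?/c+dir HTTP/1.0\r\n\r\n"]
UPPER = [b"GET /scripts/ROOT.EXE?/c+dir HTTP/1.0\r\n\r\n"]
BENIGN = [b"GET /index.html HTTP/1.0\r\n\r\n"]

# Constructed log lines in the format of the 408 entry quoted in the post.
LOG_LINES = [
    'IPAddress - - [21/Sep/2001:08:53:33 -0400] "-" 408 -',
    'IPAddress - - [21/Sep/2001:08:54:10 -0400] "GET /index.html HTTP/1.0" 200 1234',
]

if __name__ == "__main__":
    for name, probe in (("whole", WHOLE), ("split", SPLIT), ("encoded", ENCODED),
                        ("upper", UPPER), ("benign", BENIGN)):
        print(f"{name:8} packet-level drop: {packet_match(probe) is not None!s:5} "
              f"stream-level match: {stream_match(probe)}")
    print("kept log lines:", filter_log(LOG_LINES))
```

Only the unsplit, plain-ASCII probe is dropped by the packet-level model; the split, percent-encoded and upper-case variants pass it and are only caught once the request line is reassembled and normalised, which is the reason to treat the iptables rules as a log-noise reducer rather than a complete filter.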