iptables anti-nimda/my project...From: Champ Clark III (firstname.lastname@example.org)
From: Champ Clark III <email@example.com>
Message-Id: <200109211651.LAA12427@bundy.vistech.net>
Subject: iptables anti-nimda/my project...
To: firstname.lastname@example.org
Date: Fri, 21 Sep 2001 11:51:55 -0500 (EST)
> > Hi everyone
> > I don't suppose one of our iptables gurus out there has an iptables rule
> > to filter out this damn nimda thing? I'm really annoyed about it
> > filling up my apache logz and would love to drop the packets 'ere they
> > get to the apache server . . .
> You may be able to deny it with the string matching patch from the patch-o-matic
> section in iptables 1.2.3:
> The string patch:
> Author: Emmanuel Roger <email@example.com>
> Status: Working
> This patch adds CONFIG_IP_NF_MATCH_STRING which allows you to
> match a string in a whole packet.
> THIS PATCH REQUIRES AT LEAST KERNEL 2.4.9 !!!
> Be aware that the patch-o-matic is not always considered to be stable and bug-free.
> Read the iptables INSTALL file for information on how to apply the patches.
> Oh, and the string match? I guess "c+dir" will take care of most of it. Read the
> SecurityFocus analysis available at
> Hope this helps,
This brings up something I was about to start working on....
Now, maybe I won't bother... I've got several questions though.....
Does the patch cause a considerable amount of overhead (CPU
Is this something that will eventually make it into the Linux
kernel source tree?
My idea was to write a simple TCP redirect routine that looked
for these sorts of things (i.e. "c+dir", etc). The redirect routine
would store known "exploitz" for NT servers in a file.... When the
TCP redirector is executed, it would load these into an array, and
parse incoming connections for these strings _before_ redirecting them
to the NT server.... This way, you could firewall the hell out of the
NT server (making port 80 only accessible by your LAN/network), and
use your favorite *nix based system to protect/scan incoming connections.
A new IIS security problem comes out? No problem.....
Add it to the exploit file, kill -1 the redirector, and your
NT server is virtually "patched" until the admin can get to it.
With this string kernel patch, should I even bother with
this project now?
- Champ Clark
Vistech Communications, Inc
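The scanning redirector Champ sketches above, written out as an added example (this is editor-supplied illustration code, not Champ's project and not anything from iptables or patch-o-matic). It assumes a hypothetical signature file format of one byte pattern per line with `#` comments, a hypothetical backend address, and it folds case before matching because IIS resolved URL paths case-insensitively. The listener buffers a client's request up to the end of the HTTP headers (or a size cap), checks it against the loaded patterns, and only then opens the connection to the NT box; `kill -1` on the process reloads the signature file, as in the design above.

```python
"""Content-inspecting TCP redirector (added example, not the poster's code).

Assumptions (hypothetical, not from the original message):
  - signature file: one byte pattern per line, '#' comments, blank lines ignored
  - matching is case-insensitive (IIS treated URL paths case-insensitively)
  - backend NT server address and ports are placeholders
"""
import asyncio
import signal
import sys
from typing import List, Optional

# Constructed sample signature file, modelled on Nimda/Code Red style probes.
SAMPLE_SIGNATURES = b"""
# Nimda / IIS directory traversal and command-execution probes
c+dir
cmd.exe
root.exe
/scripts/..%255c../
/_vti_bin/..%5c../
"""


def load_signatures(data: bytes) -> List[bytes]:
    """Parse the signature file format into lower-cased byte patterns."""
    sigs = []
    for line in data.splitlines():
        line = line.strip()
        if not line or line.startswith(b"#"):
            continue
        sigs.append(line.lower())
    return sigs


def scan_request(buf: bytes, sigs: List[bytes]) -> Optional[bytes]:
    """Return the first signature found in the request buffer, or None."""
    low = buf.lower()
    for sig in sigs:
        if sig in low:
            return sig
    return None


async def pipe(src: asyncio.StreamReader, dst: asyncio.StreamWriter) -> None:
    """Copy bytes one way until EOF, then close the destination."""
    try:
        while True:
            data = await src.read(65536)
            if not data:
                break
            dst.write(data)
            await dst.drain()
    finally:
        dst.close()


class ScanningRedirector:
    def __init__(self, sig_path: str, backend_host: str, backend_port: int,
                 max_header: int = 8192):
        self.sig_path = sig_path
        self.backend = (backend_host, backend_port)
        self.max_header = max_header
        self.sigs: List[bytes] = []

    def reload(self) -> None:
        """Re-read the signature file; bound to SIGHUP so 'kill -1' picks up new entries."""
        with open(self.sig_path, "rb") as f:
            self.sigs = load_signatures(f.read())

    async def handle(self, reader: asyncio.StreamReader, writer: asyncio.StreamWriter) -> None:
        peer = writer.get_extra_info("peername")
        # Buffer the request until the end of the headers or the cap, then scan
        # it *before* any connection to the backend is opened.
        buf = b""
        while b"\r\n\r\n" not in buf and len(buf) < self.max_header:
            chunk = await reader.read(4096)
            if not chunk:
                break
            buf += chunk
        hit = scan_request(buf, self.sigs)
        if hit is not None:
            print(f"blocked {peer}: matched {hit!r}", file=sys.stderr)
            writer.close()
            return
        try:
            b_reader, b_writer = await asyncio.open_connection(*self.backend)
        except OSError:
            writer.close()
            return
        b_writer.write(buf)  # forward the already-buffered request, then relay both ways
        await asyncio.gather(pipe(reader, b_writer), pipe(b_reader, writer))


async def serve(sig_path: str, listen_port: int, backend_host: str, backend_port: int) -> None:
    redirector = ScanningRedirector(sig_path, backend_host, backend_port)
    redirector.reload()
    asyncio.get_running_loop().add_signal_handler(signal.SIGHUP, redirector.reload)
    server = await asyncio.start_server(redirector.handle, "0.0.0.0", listen_port)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    # Hypothetical deployment: listen on 80, forward clean requests to the NT box at 10.0.0.5.
    asyncio.run(serve("exploits.txt", 80, "10.0.0.5", 80))
```

Two caveats a practitioner would want before relying on this: only the first request on a connection is inspected, so a keep-alive or pipelined client can slip a second request past the scanner once the relay is established, and the match is a plain substring test on the raw bytes, so a `%`-encoded or double-encoded variant of a pattern (the Nimda traversal strings came in several encodings) is only caught if that exact encoding is in the signature file. Normalising the request line (decoding, collapsing `/./` and `\`) before matching would close the second gap; per-request scanning on the relayed stream closes the first.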