iptables anti-nimda/my project...

From: Champ Clark III (champ@vistech.net)
Date: 09/23/01


From: Champ Clark III <champ@vistech.net>
Message-Id: <200109211651.LAA12427@bundy.vistech.net>
Subject: iptables anti-nimda/my project... 
To: focus-linux@securityfocus.com
Date: Fri, 21 Sep 101 11:51:55 -0500 (EST)


> > Hi everyone
> > I don't suppose one of our iptables gurus out there has an iptables rule
> > to filter out this damn nimda thing? I'm really annoyed about it
> > filling up my apache logz and would love to drop the packets 'ere they
> > get to the apache server . . .
>
> You may be able to deny it with the string matching patch from the patch-o-matic
> section in iptables 1.2.3:
>
> string.patch
> The string patch:
> Author: Emmanuel Roger <winfield@freegates.be>
> Status: Working
>
> This patch adds CONFIG_IP_NF_MATCH_STRING which allows you to
> match a string in a whole packet.
>
> THIS PATCH REQUIRES AT LEAST KERNEL 2.4.9 !!!
>
> Be aware that the patch-o-matic is not always considered to be stable and bug-free.
>
> Read the iptables INSTALL file for information on how to apply the patches.
> Oh, and the string match? I guess "c+dir" will take care of most of it. Read the
> security focus analysis available at
> <URL:http://aris.securityfocus.com/alerts/nimda/010919-Analysis-Nimda.pdf>
>
> Hope this helps,

        This brings up something I was about to start working on....
Now, maybe I won't bother... I've got several questions though.....

        Does the patch cause a considerable amount of overhead (CPU
wise)?

        Is this something that will eventually make it into the Linux
kernel source tree?

        My idea was to write a simple TCP redirect routine that looked
for these sorts of things (ie - "c+dir", etc). The redirect routine
would store known "exploitz" for NT servers in a file.... When the
TCP redirector is executed, it would load these into an array, and
parse incoming connections for these strings _before_ redirecting them
to the NT server.... This way, you could firewall the hell out of the
NT server (making port 80 only accessible by your LAN/Network), and
use your favorite *nix based system to protect/scan incoming connections.

        A new IIS security problem comes out? No problem.....
add it to the exploit file, kill -1 the redirector, and your
NT server is virtually "patched" until the admin can get to it.

        With this string kernel patch, should I even bother with
this project now?

                                        - Champ Clark
                                          Vistech Communications, Inc
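The filtering redirector sketched in the post, as an added example (not code from the thread or from Champ): a TCP proxy that loads request substrings from a file, scans the first chunk of each incoming connection before splicing it to the backend, and re-reads the file on SIGHUP so `kill -1` picks up new entries. The file path, backend address and the sample pattern file are assumptions; "c+dir" is the only string taken from the thread.

```python
import signal
import socket
import threading

PATTERN_FILE = "exploits.txt"  # assumed path: one request substring per line, '#' comments
PATTERNS = []                  # live list; reloaded by SIGHUP, i.e. `kill -1 <pid>`
SAMPLE_PATTERN_FILE = b"# IIS request fragments\nc+dir\n../..\n"  # constructed sample

def parse_patterns(data):  # one lowercase substring per non-empty, non-comment line
    return [ln.strip().lower() for ln in data.splitlines()
            if ln.strip() and not ln.lstrip().startswith(b"#")]

def request_is_malicious(head, patterns):  # case-insensitive scan of the first bytes sent
    lowered = head.lower()
    return any(p in lowered for p in patterns)

def reload_patterns(signum=None, frame=None):  # SIGHUP handler: re-read the file in place
    with open(PATTERN_FILE, "rb") as fh:
        PATTERNS[:] = parse_patterns(fh.read())

def pump(src, dst):  # copy bytes one way until EOF or a socket error
    try:
        while chunk := src.recv(65536):
            dst.sendall(chunk)
    except OSError:
        pass

def handle(client, backend_addr):  # scan the first chunk; drop on match, else splice
    with client:
        client.settimeout(5)
        try:
            head = client.recv(8192)  # a GET request line fits in the first chunk
        except OSError:
            return
        if request_is_malicious(head, PATTERNS):
            print("dropped connection from", client.getpeername())
            return
        with socket.create_connection(backend_addr) as backend:
            backend.sendall(head)  # forward the bytes already consumed
            client.settimeout(None)
            threading.Thread(target=pump, args=(client, backend), daemon=True).start()
            pump(backend, client)

def serve(listen_port, backend_addr):  # e.g. serve(80, ("192.0.2.10", 80)), NT box on the LAN
    signal.signal(signal.SIGHUP, reload_patterns)
    reload_patterns()
    with socket.create_server(("0.0.0.0", listen_port)) as srv:
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle, args=(conn, backend_addr), daemon=True).start()
```

Only the first 8 KiB of a connection is inspected, so a request that spreads the string across chunks or encodes it differently passes through; the kernel string match has the same per-packet limitation.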
