Re: "Nimda"?
From: Devdas Bhagat (devdas@worldgatein.net)
Date: 02/27/02
- Previous message: Joshua_Hiller@aeanet.org: "Re: "Nimda"?"
- In reply to: Bradley, Tony: ""Nimda"?"
- Next in thread: Jay D. Dyson: "Re: "Nimda"?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 27 Feb 2002 14:10:06 +0530
From: Devdas Bhagat <devdas@worldgatein.net>
To: "'incidents@securityfocus.com'" <incidents@securityfocus.com>
On 26/02/02 19:51 -0500, Bradley, Tony wrote:
> However, I have noticed in my logs that I have about 1000 "Nimda"-like hits
> a day. I have cut & paste a portion of my log below.
You can safely ignore these. They do no harm.
> First of all, since these hits are trying to access Windows directories do
> they pose any threat to my Linux machine? Second of all, is there any way
> for me to block these types of hits from my server?
You can go in for a reverse proxy firewall (toss squid in front). Or you
might use the iptables string match functionality.
This was discussed in the list when nimda first hit.
> If anyone can recommend a good book or resource for hardening my Linux
> server and / or any good IDS, antivirus and other such security tools that
> would be appreciated as well.
Since this is a RH box, "Securing and Optimizing RedHat Linux" on
http://www.linuxdoc.org is what would be your first step.
Simple method (from scratch):
Make a lean base install. You don't need development tools. I recommend
a debugger though (strace and ltrace are very useful).
Bring the box into single user mode, and up the network stack
(/etc/init.d/network start). No other services. Verify with netstat that
nothing is listening.
Download and apply all relevant patches (ftp://updates.redhat.com/ or a
mirror).
Get the latest stable kernel, and compile (recommended but not
absolutely necessary).
Disconnect the network cable, and bring the box into run level 3
(currently, reboot, since you also upgrade your kernel).
Ensure that only the services you want run, all others are to be turned
off.
#chkconfig service off
Install tripwire if not installed from the installation media.
Generate the tripwire database. Move it to a RO medium like CDR.
Snort ( http://www.snort.org ) is a good NIDS.
I suggest installing logcheck as well ( http://www.psionic.com ) .
Connect the network cable.
You are running :).
Then just keep on the lookout for patches and security advisories.
HTH.
Devdas Bhagat
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
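Two of the points in the reply above, quantifying the "Nimda-like hits" in the web server log and the "verify with netstat that nothing is listening" step of the hardening checklist, lend themselves to a small POSIX sh script. The one below is an added example, not code from the original post or from any of the tools it names. The function names (nimda_hits, nimda_non404, unexpected_listeners, the write_sample_* helpers), the probe-pattern list and the sample log and netstat data are all constructed for this illustration; the patterns are a non-exhaustive selection of the well-known Nimda and Code Red request strings, and the log is assumed to be in Apache combined format with the status code in the ninth whitespace-separated field.

```shell
#!/bin/sh
# Added example: defender-side checks for a freshly hardened Linux web server.
# Nothing here is from the original thread; names, patterns and samples are
# assumptions constructed for illustration.

# Constructed, non-exhaustive list of request fragments seen in Nimda/Code Red
# style IIS probes. Matched case-insensitively against whole access-log lines.
NIMDA_PATTERNS='cmd\.exe|root\.exe|default\.ida|%c0%af|%255c|_vti_bin|_mem_bin|msadc'

# nimda_hits LOGFILE : print how many log lines match the probe patterns.
# "|| true" keeps the count usable under "set -e" when there are no matches.
nimda_hits() {
    grep -Eic "$NIMDA_PATTERNS" "$1" || true
}

# nimda_non404 LOGFILE : print probe lines whose status is NOT 404.
# On a Linux/Apache box every such request should 404; a 200 or 500 means
# something actually answered the probe and deserves a closer look.
nimda_non404() {
    grep -Ei "$NIMDA_PATTERNS" "$1" | awk '$9 != 404'
}

# unexpected_listeners "PORT PORT ..." NETSTAT_FILE : print listening TCP/UDP
# ports found in saved "netstat -tuln" output that are not in the allow-list.
# An empty result is the "nothing unexpected is listening" condition.
unexpected_listeners() {
    allowed=" $1 "
    awk '$1 ~ /^(tcp|udp)/ { n = split($4, a, ":"); print a[n] }' "$2" | sort -u |
    while read -r port; do
        case "$allowed" in
            *" $port "*) ;;              # allowed, stay quiet
            *) echo "$port" ;;           # not on the list, report it
        esac
    done
}

# write_sample_log FILE : constructed combined-format access log (5 lines).
write_sample_log() {
    cat > "$1" <<'EOF'
10.0.0.5 - - [26/Feb/2002:19:51:02 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
10.0.0.5 - - [26/Feb/2002:19:51:03 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
10.0.0.5 - - [26/Feb/2002:19:51:03 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
192.168.1.9 - - [26/Feb/2002:20:02:11 -0500] "GET /index.html HTTP/1.0" 200 1024 "-" "Mozilla/4.0"
10.0.0.7 - - [26/Feb/2002:20:14:40 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 500 0 "-" "-"
EOF
}

# write_sample_netstat FILE : constructed "netstat -tuln" output.
write_sample_netstat() {
    cat > "$1" <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:111             0.0.0.0:*
udp        0      0 0.0.0.0:514             0.0.0.0:*
EOF
}

# Demo on the constructed samples (replace with the real access_log and
# "netstat -tuln > /tmp/netstat.txt" on a live box).
demo_dir=$(mktemp -d)
write_sample_log "$demo_dir/access.log"
write_sample_netstat "$demo_dir/netstat.txt"
echo "Nimda-style probes in log: $(nimda_hits "$demo_dir/access.log")"
echo "Probes that did not get a 404:"
nimda_non404 "$demo_dir/access.log"
echo "Listening ports outside the allow-list (22 80):"
unexpected_listeners "22 80" "$demo_dir/netstat.txt"
rm -rf "$demo_dir"
```

On the sample data the script counts four probe lines, flags the one that returned 500 rather than 404, and reports ports 111 (portmap) and 514 (syslog) as listeners that were not on the allow-list, which is exactly the kind of thing the "chkconfig service off" step is meant to catch before the cable goes back in.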