Worms and Logs

From: Vince Hillier (vince@vince.lansystems.com)
Date: 10/03/01


Subject: Worms and Logs
From: Vince Hillier <vince@vince.lansystems.com>
To: security-basics@securityfocus.com
Date: 03 Oct 2001 11:38:38 -0500
Message-Id: <1002127118.16708.18.camel@big>


  Hello, many of you, like myself, are probably just about sick of all
the noise that has been happening in our logs lately, making routine
audits take a lot longer than they should, filling hard disks rather
quickly, and just being a big annoyance.

  Anyway, I currently am running the 2.2.x series of the Linux kernel,
which prevents me from running IPTables and filtering these requests
with the string option (Oh I want it bad :P). What is preventing me
from upgrading to the Linux 2.4 series with IPTables is the lack of
kernel patches for security, like the openwall kernel patches. They
make my life a lot easier, and keep users happy at the same time!

  I am only aware of 1 patch that exists for the 2.4 series, and that is
one by the name of grsecurity. Has anyone had any experience with
grsecurity? Any feedback, positive/negative? I would really like to
stick with openwall, but they said there would be no support for the 2.4
series until 2.4.10; that is here now, and I just checked their site and
it says there will be no support for the 2.4 series until at least
2.4.15. So I'm not sure on the status of their patches.

  Anyhow, my main reason for writing this is to ask you what methods you
have deployed to keep your logs from getting filled with garbage like
Nimda. I am logging 16 hits per host, at a nasty rate, causing Apache and
my IDS to go nuts. At one point I just shut the webserver off; it
doesn't have anything of much importance on it, but it does serve as a
reference/journal for me, which I think is rather important. Before you
say just block port 80 from the world and allow specific hosts access:
this is not possible, as there are some outside people who frequent the
site from various mobile locations... it would be very hard to get all
their IP addresses (most of which are dynamic) and allow just that
traffic. Plus a new visitor is always good ;)

  Some of the methods I have considered/deployed are routing all
offending traffic to 127.0.0.1; this is done by taking the IP addresses
from the Apache/IDS logs, then adding them to the routing table with
127.0.0.1 as the gateway. At first this was very effective: when Nimda
was in its prime there were literally tonnes of repeat offenders; now
it is just unique hosts for the most part. I have also considered
deploying the squid proxy to block out offending requests before they
hit the webserver. That would cut a lot of the noise in the Apache logs,
at least. And of course I've debated upgrading to 2.4, but haven't, due
to the reasons stated above.

Thanks
- Vince
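
Added example (editor's code, not part of Vince's post and not from
openwall, grsecurity or any other project named above): a POSIX shell
script that automates the log-driven blackholing he describes, pulling
the offending client IPs out of the Apache access log and building a
host route for each with 127.0.0.1 as the gateway, which is the exact
route form his post gives. The sample log lines are constructed, using
documentation (TEST-NET) addresses. The request-URI fragments used to
recognise the probes (root.exe, cmd.exe, default.ida) are an assumed
signature list for the example, not something stated in the post. The
script only prints the route commands unless DO_ROUTE=1 is set, so the
list can be reviewed before the routing table is touched.

```shell
#!/bin/sh
# Added example: log-driven blackholing of worm-probing hosts, as described
# in the post.  Dry-runs by default; set DO_ROUTE=1 to actually add routes.

# Request-URI fragments that mark Nimda / Code Red probes.  This list is an
# assumption for the example, not something from the original post.
WORM_PATTERNS='root\.exe|cmd\.exe|default\.ida'

# Write a constructed Apache access log (common log format) to a temporary
# file and print its path.  Addresses are TEST-NET documentation addresses;
# the probe URIs are the kind the worms were known to request.
make_sample_log() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
192.0.2.10 - - [03/Oct/2001:11:40:01 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
192.0.2.10 - - [03/Oct/2001:11:40:01 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 274
198.51.100.7 - - [03/Oct/2001:11:41:12 -0500] "GET /index.html HTTP/1.1" 200 5120
203.0.113.42 - - [03/Oct/2001:11:42:30 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290
203.0.113.42 - - [03/Oct/2001:11:42:31 -0500] "GET /default.ida?NNNNNNNN HTTP/1.0" 400 324
198.51.100.7 - - [03/Oct/2001:11:43:00 -0500] "GET /journal/2001-10.html HTTP/1.1" 200 8812
EOF
    echo "$f"
}

# Print, once each and sorted, the client IPs that issued a worm-style
# request.  Matches only inside the quoted request line, so a legitimate
# visitor's 404 never qualifies.
worm_offenders() {
    # $1: path to an Apache access log (common or combined format)
    grep -E "\"(GET|POST|HEAD) [^\"]*(${WORM_PATTERNS})" "$1" |
        awk '{ print $1 }' | sort -u
}

# True if the kernel already has a route whose destination is $1
# (net-tools netstat; silently false if netstat is not available).
already_routed() {
    netstat -rn 2>/dev/null | awk '{ print $1 }' | grep -qxF "$1"
}

# For each offender not yet routed, build the route command the post
# describes (host route with 127.0.0.1 as gateway).  Prints the command
# unless DO_ROUTE=1, in which case it runs it (needs root).
blackhole_routes() {
    # $1: path to an Apache access log
    worm_offenders "$1" | while read -r ip; do
        already_routed "$ip" && continue
        cmd="route add -host $ip gw 127.0.0.1"
        if [ "${DO_ROUTE:-0}" = "1" ]; then
            $cmd
        else
            echo "$cmd"
        fi
    done
}

# Dry run on the constructed log: prints one route command per offender.
LOG_FILE=$(make_sample_log)
blackhole_routes "$LOG_FILE"
rm -f "$LOG_FILE"
```

Two caveats when using this for real. Routing a host's replies to
127.0.0.1 only stops the SYN-ACK from leaving the box: the handshake
never completes, so Apache logs nothing more from that host, but the
inbound SYNs still arrive and an IDS watching the wire still sees them;
net-tools also accepts `route add -host <ip> reject` for an explicit
unreachable route. And since, as the post says, most offenders are now
unique hosts, a table built this way only grows, so the added routes
need a periodic flush (a cron job deleting routes older than a day or
so) or they will outlive the worm.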