Re: Filtering Code Red with Iptables & RH 7.3

From: Luke Vogel (luke@bell-bird.com.au)
Date: 06/16/02


From: Luke Vogel <luke@bell-bird.com.au>
Date: Sun, 16 Jun 2002 13:17:05 +1000

Stevemeister wrote:
>
> Hi everyone,
>
> I'm running a small network with a dedicated firewall box running Red
> Hat 7.3, two network cards, and an Iptables firewall ruleset by David
> Ranch. I have a separate external www server on the local LAN running
> Red Hat 7.3 and Apache. Everything works fine (port forwarding, DHCP,
> Iptables, etc.). The problem is that my Apache server logs are being
> overwhelmed by Code Red/Nimda requests. I know that these hits are
> harmless to Linux, but they consume bandwidth and tend to render Website
> statistics useless. The kind folks over in alt.apache.configuration
> have come up with some nice solutions which redirect direct requests to
> separate log files, but this doesn't eliminate the thousands of 404
> replies which chew up limited bandwidth. So I have been looking for an
> Iptables solution instead. I ran across the following article, whose
> solution totally filtered my Nimda problem:
>
> http://www.samag.com/documents/s=1824/sam0201h/0201h_s1.htm
>
> But the requests for "default.ida" (Code Red?) continue. Here's the
> code I added to my firewall ruleset:
>
> # DROP HTTP packets related to CodeRed and Nimda
> # viruses silently
> $IPTABLES -t filter -A INPUT -i $EXT_IFACE -p tcp \
> -d $EXTIP --dport 80 -m string \
> --string "/default.ida?" -j DROP
> $IPTABLES -t filter -A INPUT -i $EXT_IFACE -p tcp \
> -d $EXTIP --dport 80 -m string \
> --string ".exe?/c+dir" -j DROP
> $IPTABLES -t filter -A INPUT -i $EXT_IFACE -p tcp \
> -d $EXTIP --dport 80 -m string \
> --string ".exe?/c+tftp" -j DROP
>
> I'm not sure why this doesn't work for the first rule, as the second and
> third rule work effectively. I've also tried changing the --string to
> "default.ida", "NNNNNNNNNN", etc. but no joy. Anyway, sorry for the
> long post. Any suggestions would be appreciated.

The / in "/default.ida?" might not be matching ...
 
> Thanks in advance
>
> Stevemeister

I tried this some time ago ... not a good idea ... I'm not sure entirely
what went wrong, but my understanding is that you are allowing a tcp
connection in, and killing it mid stream without a tcp-reset.

Eventually you may see a kernel panic! (I did have a few of these and
decided on a different method of dealing with worms, i.e. a default
virtual host container in the apache config.)

-- 
Regards
Luke
------
Q:  What does FAQ stand for?
A:  We are Frequently Asked this Question, and we have no idea.
------
C.O.L.S FAQ - http://www.linuxsecurity.com/docs/colsfaq.html
------
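The poster's complaint is that worm traffic buries the real hits and that thousands of 404 replies cost bandwidth, and Luke's reply is that cutting those connections in the packet filter caused him trouble. Whichever way you end up handling them, it helps to measure the problem from the web-server side first. The script below is an added example, not code from either poster: it parses Apache common-log-format lines, flags requests carrying the same substrings the quoted iptables rules look for ("default.ida", ".exe?/c+dir", ".exe?/c+tftp"), and totals how many bytes the server spent answering them. The log lines, hosts and byte counts are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample Apache common-log-format lines (not taken from the post).
SAMPLE_LOG = """\
10.0.0.5 - - [16/Jun/2002:13:01:02 +1000] "GET /index.html HTTP/1.0" 200 2326
203.0.113.7 - - [16/Jun/2002:13:01:09 +1000] "GET /default.ida?NNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 283
198.51.100.9 - - [16/Jun/2002:13:02:11 +1000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 279
198.51.100.9 - - [16/Jun/2002:13:02:12 +1000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289
198.51.100.9 - - [16/Jun/2002:13:02:14 +1000] "GET /_vti_bin/..%255c../winnt/system32/cmd.exe?/c+tftp HTTP/1.0" 404 302
10.0.0.5 - - [16/Jun/2002:13:03:30 +1000] "GET /images/logo.gif HTTP/1.0" 200 -
"""

# host ident authuser [time] "request" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# The same substrings the quoted iptables rules try to match, with a label each.
SIGNATURES = (
    ("Code Red", "default.ida"),
    ("Nimda", ".exe?/c+dir"),
    ("Nimda", ".exe?/c+tftp"),
)


def parse_line(line):
    """Parse one common-log-format line into a dict, or return None if it does not fit."""
    m = CLF_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Apache writes "-" when no body was sent; count that as zero bytes.
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def classify(request):
    """Return the worm label for a request line, or None if it looks ordinary."""
    for label, needle in SIGNATURES:
        if needle in request:
            return label
    return None


def triage(log_text):
    """Split a log into worm hits and ordinary traffic; total the bytes the worm 404s cost."""
    hits = Counter()
    worm_bytes = 0
    clean = []
    total = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not in common log format
        total += 1
        label = classify(rec["request"])
        if label is None:
            clean.append(line)  # keep for the real site statistics
        else:
            hits[label] += 1
            worm_bytes += rec["bytes"]
    return {"total": total, "hits": hits, "worm_bytes": worm_bytes, "clean": clean}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("requests parsed:", report["total"])
    for label, n in sorted(report["hits"].items()):
        print("%s hits: %d" % (label, n))
    print("bytes spent answering worm requests:", report["worm_bytes"])
    print("lines kept for statistics:", len(report["clean"]))
```

Run it over a real access_log (for example `triage(open("/var/log/httpd/access_log").read())`) to see what share of the log, and of the outbound bytes, the worm noise really accounts for; the "clean" lines are what you would feed to the statistics package, and the byte total tells you whether the 404 replies are worth worrying about before changing the firewall.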


