Re: block CodeRed/Nimda at the firewall?
From: Chris Lowth (dont_at_want.spam)
Date: Fri, 09 May 2003 16:01:23 +0100
David Filmer wrote:
> I can't believe that there are STILL so many CR/Nimda infected servers
> out there. I get several probes an hour, and each one dumps a dozen
> lines of garbage into my Apache logfiles. It makes it hard to see
> content that would actually be important and relevant...
> Can I drop these bozos right at the firewall? If they never even get
> to the httpd server then they won't ever show up in my httpd logs (and
> they would never distract Apache in the first place). But I don't see
> any rule syntax that would allow me to drop based on a string in a
> file request.
> Is it possible, for example, drop any file request that contains
Yes I belive so - if you use the 'string' module of iptables. I havent tried
it myself, and think you'll need to rebuild kernels and iptables tools
since the module doesnt seem to part of the default installation.
An alternative approach is to create a CGI script on your server that is
invoked by a request for the cmd.exe file, and that creates an iptables
REJECT rule on future SYN packets (on the webserver itself rather than the
Or -- a write (perl) script to parse the apache log files and do the same.
Run it via cron how ever often you wish.
Hope this helps.
-- Real address: chris at lowth dot sea oh em. GPL e-mail anti-virus: http://protector.sourceforge.net IPTables wizzards: http://www.lowth.com/LinWiz