Re: block CodeRed/Nimda at the firewall?

From: Chris Lowth (dont_at_want.spam)
Date: 05/09/03


Date: Fri, 09 May 2003 16:01:23 +0100

David Filmer wrote:

> I can't believe that there are STILL so many CR/Nimda infected servers
> out there. I get several probes an hour, and each one dumps a dozen
> lines of garbage into my Apache logfiles. It makes it hard to see
> content that would actually be important and relevant...
>
> Can I drop these bozos right at the firewall? If they never even get
> to the httpd server then they won't ever show up in my httpd logs (and
> they would never distract Apache in the first place). But I don't see
> any rule syntax that would allow me to drop based on a string in a
> file request.
>
> Is it possible, for example, to drop any file request that contains
> "/var/www/html/c/winnt/system32/cmd.exe"?

Yes I believe so - if you use the 'string' module of iptables. I haven't tried
it myself, and think you'll need to rebuild kernels and iptables tools
since the module doesn't seem to be part of the default installation.

An alternative approach is to create a CGI script on your server that is
invoked by a request for the cmd.exe file, and that creates an iptables
REJECT rule on future SYN packets (on the webserver itself rather than the
firewall).

Or -- write a (perl) script to parse the apache log files and do the same.
Run it via cron however often you wish.

Hope this helps.

Chris

-- 
Real address: chris at lowth dot sea oh em.
GPL e-mail anti-virus: http://protector.sourceforge.net
IPTables wizzards: http://www.lowth.com/LinWiz
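The log-parsing approach from the reply, as an added example that is not part of the original thread (written in Python rather than perl): it scans Apache access-log lines for the worm request signatures, collects the probing source addresses, and builds the per-IP iptables REJECT rules for new SYNs on port 80. The log lines are constructed samples, and the rules are only executed when dry_run is switched off.

```python
import re
import subprocess

# Constructed sample Apache access-log lines (combined format), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [09/May/2003:15:58:01 +0100] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 301 "-" "-"
198.51.100.7 - - [09/May/2003:15:58:09 +0100] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
192.0.2.10 - - [09/May/2003:15:58:12 +0100] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 301 "-" "-"
203.0.113.5 - - [09/May/2003:15:59:40 +0100] "GET /default.ida?XXXXXXXX HTTP/1.0" 400 325 "-" "-"
"""

# Request-path fragments that identify CodeRed/Nimda probes: cmd.exe is the one
# named in the thread; root.exe and default.ida are the other well-known worm signatures.
WORM_PATTERNS = ("cmd.exe", "root.exe", "default.ida")

# Enough of the combined log format to pull out the client IP and the request path.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)')


def offending_ips(log_text):
    """Return the distinct source IPs (first-seen order) whose requests match a worm pattern."""
    seen = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or truncated line: skip rather than guess
        path = m.group("path").lower()
        if any(p in path for p in WORM_PATTERNS) and m.group("ip") not in seen:
            seen.append(m.group("ip"))
    return seen


def reject_rules(ips, port=80):
    """Build one iptables rule per IP that rejects new (SYN) connections to the web port."""
    return [["iptables", "-I", "INPUT", "-s", ip, "-p", "tcp",
             "--dport", str(port), "--syn", "-j", "REJECT"] for ip in ips]


def apply_rules(rules, dry_run=True):
    """Run the rules (needs root); with dry_run they are only returned as command strings."""
    commands = [" ".join(rule) for rule in rules]
    if not dry_run:
        for rule in rules:
            subprocess.run(rule, check=True)
    return commands


if __name__ == "__main__":
    for cmd in apply_rules(reject_rules(offending_ips(SAMPLE_LOG))):
        print(cmd)
```

Run from cron against the real access log, the script would add a rule for each new probing address; remember that rules added this way are lost on reboot unless saved.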
