From owner-freebsd-security  Sun Sep 23  5: 7:33 2001
Delivered-To: freebsd-security@freebsd.org
Received: from nyc.rr.com (nycsmtp3fa.rdc-nyc.rr.com [24.29.99.79])
	by hub.freebsd.org (Postfix) with ESMTP id 6F10D37B432
	for <security@freebsd.org>; Sun, 23 Sep 2001 05:07:29 -0700 (PDT)
Received: from equinox ([24.168.44.136]) by nyc.rr.com  with Microsoft SMTPSVC(5.5.1877.357.35);
	 Sun, 23 Sep 2001 08:07:28 -0400
Message-ID: <01f601c14428$63637e90$9865fea9@equinox>
From: "Jonathan M. Slivko" <jslivko@4evermail.com>
To: "Chris Byrnes" <chris@JEAH.net>, <security@freebsd.org>
References: <006701c141dd$8f185940$24f2fa18@mdsn1.wi.home.com>
Subject: Re: New worm protection
Date: Sun, 23 Sep 2001 08:07:59 -0400
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

The best kind of protection I can offer is to write a script that will scan
the apache logs and use ipfw to ban whole class C's that generate a 404.
That may be a little extreme, but it works. I will try and get a copy of the
code to you later. -- Jonathan

----- Original Message -----
From: "Chris Byrnes" <chris@JEAH.net>
To: <security@freebsd.org>
Sent: Thursday, September 20, 2001 10:07 AM
Subject: New worm protection


> Has anyone written an easy-to-use ipfw rule or some kind of script that
will
> help with this new worm?
>
> I have restricted Apache to just listen to my main two web IPs instead of
> all of the IPs (I have
> hundreds of domains and each of them previously had its own IP for
different
> reasons), and
> that's cut down the bandwidth use in half, but I'm still about double what
> my daily normal bandwidth
> usage is.
>
> Frustration is high, and money issues are going to surface soon.  Any help
> would be appreciated.
>
>
> Chris Byrnes, Managing Member
> JEAH Communications, LLC
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message