From: "Laust S. Jespersen"
Date: Sun, 11 Jan 2004 01:01:56 +0100
Subject: RE: Need some help on security
In-Reply-To: <20040111004328.A50107-100000@doppelganger.el.ntu-kpi.kiev.ua>
List: freebsd-security@freebsd.org (Security issues [members-only posting])

Hi David,

> How about to use ipfw.ko?

What Taras is suggesting here is for you to use the loadable kernel module version of ipfw. For more information on loadable kernel modules see "man kldload". Something along the lines of:

    kldload ipfw && ipfw add 65334 allow ip from any to any

The last part (ipfw and so on) should let you keep your connection to the server if you're not on via a local console. Also, "man ipfw" is a fantastic manpage.

With regard to the attacks on your webserver, there is the option of firewalling them out, i.e.

    ipfw add 10000 deny ip from x.x.x.x to me

or using Apache's built-in access.conf mechanism. You could do something in your access.conf along the lines of:

    Order Allow,Deny
    Allow from all
    Deny from 211.233.89.189

Personally I'd go with the firewalling, although sometimes it is not practical if the websites in question are not your own.

Lastly, just to ease your mind, all the attacks in your original mail are IIS attacks and as such should not work on your webserver :) To illustrate from my own logfiles :)

    me@my:/var/log>grep '[root|cmd].exe' httpd-error.log|wc -l
    27938

Hope this helps.

Med venlig hilsen / Best Regards
Laust Jespersen
http://www.ust.dk
======================================================================
Viking Rule of Acquisition 1: Remember where you beached the long ship
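The following is an added example and is not part of Laust's message. It ties the two halves of his advice together: scan an Apache error log for the IIS-style root.exe/cmd.exe probes he describes, pull out the client addresses, and emit the "ipfw add 10000 deny ip from ... to me" rules for them. The log lines are constructed for the example (the 211.233.89.189 address comes from the message, the other addresses are documentation ranges), the starting rule number 10000 is taken from the message, and nothing is actually loaded into the firewall; the commands are printed so they can be reviewed before being run as root. Note the grep pattern used here is (root|cmd)\.exe; the bracket form [root|cmd].exe seen in the message is a character class and also matches names such as code.exe, so counts from the two patterns will differ.

```sh
#!/bin/sh
# Added example, not code from the original mailing-list post.
# Derive ipfw deny rules from IIS-style probe entries in an Apache error log.

# Constructed sample of Apache 1.3 error-log lines (not real log data).
SAMPLE_LOG='[Sat Jan 10 22:41:02 2004] [error] [client 211.233.89.189] File does not exist: /usr/local/www/data/scripts/root.exe
[Sat Jan 10 22:41:03 2004] [error] [client 211.233.89.189] File does not exist: /usr/local/www/data/c/winnt/system32/cmd.exe
[Sat Jan 10 22:42:17 2004] [error] [client 192.0.2.77] File does not exist: /usr/local/www/data/_vti_bin/..%5c../winnt/system32/cmd.exe
[Sat Jan 10 22:43:00 2004] [error] [client 198.51.100.9] File does not exist: /usr/local/www/data/favicon.ico'

# Pattern for the Code Red / Nimda style probes: a literal root.exe or cmd.exe.
PROBE_RE='(root|cmd)\.exe'

# Count log lines that look like such probes.
count_iis_probes() {
    printf '%s\n' "$1" | grep -Ec "$PROBE_RE"
}

# Print the distinct client addresses behind those probes, one per line, sorted.
probe_sources() {
    printf '%s\n' "$1" | grep -E "$PROBE_RE" \
        | sed -n 's/.*\[client \([0-9.]*\)\].*/\1/p' | sort -u
}

# Emit one "ipfw add N deny ip from <ip> to me" line per source.
# Rule numbers start at $2 (default 10000, as in the message) so that they
# sort before a high-numbered catch-all allow rule. Nothing is executed here;
# pipe the output to sh as root once it has been reviewed.
ipfw_deny_rules() {
    n=${2:-10000}
    for ip in $(probe_sources "$1"); do
        printf 'ipfw add %d deny ip from %s to me\n' "$n" "$ip"
        n=$((n + 1))
    done
}

ipfw_deny_rules "$SAMPLE_LOG"
```

On a real host the sample would be replaced by the log file, e.g. `ipfw_deny_rules "$(cat /var/log/httpd-error.log)"`. Deny rules numbered from 10000 land well before the allow-all rule at 65334 that the message suggests for keeping your own session alive, which is the ordering ipfw needs for the denies to take effect.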