From owner-freebsd-security Sun Sep 23 1:36:52 2001
From: David G Andersen
Subject: Re: New worm protection
To: chris@JEAH.net (Chris Byrnes)
Date: Sun, 23 Sep 2001 02:36:46 -0600 (MDT)
Cc: security@FreeBSD.ORG
In-Reply-To: <006701c141dd$8f185940$24f2fa18@mdsn1.wi.home.com> from "Chris Byrnes" at Sep 20, 2001 09:07:18 AM
Message-Id: <200109230836.f8N8akx29012@faith.cs.utah.edu>

Lo and behold, Chris Byrnes once said:
>
> Has anyone written an easy-to-use ipfw rule or some kind of script that will
> help with this new worm?

Someone already pointed out disabling logging on your webserver.  He also
suggested a Tarpit-like approach.  I like the following simple script,
which is what I run on my webservers.

    mkdir DOCROOT/scripts
    # Cover the two alternate bits as well
    ln -s DOCROOT/scripts DOCROOT/_mem_bin
    ln -s DOCROOT/scripts DOCROOT/_vti_bin
    # Send every 404 under these directories to the nph CGI below
    cat > DOCROOT/scripts/.htaccess <<'EOF'
    ErrorDocument 404 /scripts/nph-foo.cgi
    EOF
    # nph- script: the server passes its output through untouched,
    # so exiting without printing anything sends the client nothing at all
    cat > DOCROOT/scripts/nph-foo.cgi <<'EOF'
    #!/usr/bin/perl
    sleep(5);
    exit(0);
    EOF
    # The CGI has to be executable for the server to run it
    chmod +x DOCROOT/scripts/nph-foo.cgi

NIMDA doesn't hang out for very long waiting for a response to the
script headers, so a labrea-tarpit like approach won't actually be
particularly effective.  The sleep(5) will slow it down a little bit,
and the exit(0) will make it return with no data sent back, not even a
404.  Which will help a bit on the outbound bandwidth, but, of course,
won't help on the inbound.

Others have posted scripts to NANOG (see http://www.nanog.org/ and
check the archive) that will automatically trigger ipfw / ipchains
additions, but, as always, be particularly careful with those.

  -Dave

--
work: dga@lcs.mit.edu                          me:  dga@pobox.com
      MIT Laboratory for Computer Science           http://www.angio.net/
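Added example, not part of Dave's post or the FreeBSD project: before feeding anything into an automatic ipfw/ipchains trigger, it helps to see which clients are actually hammering the three directories his script covers (/scripts, /_mem_bin, /_vti_bin). This counts hits to those prefixes per client in Apache common-log-format lines and lists only clients over a threshold; the log lines, paths, addresses and the threshold are constructed for illustration.

```python
import re
from collections import Counter

# Directory prefixes the post's script covers: /scripts plus the two symlinked aliases.
PROBE_PREFIXES = ("/scripts/", "/_mem_bin/", "/_vti_bin/")

# Apache common log format: client ident user [time] "METHOD path PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log (not a real capture); file names under the prefixes are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [23/Sep/2001:02:36:46 -0600] "GET /scripts/probe.exe HTTP/1.0" 404 0
10.0.0.5 - - [23/Sep/2001:02:36:47 -0600] "GET /_mem_bin/probe.exe HTTP/1.0" 404 0
10.0.0.5 - - [23/Sep/2001:02:36:48 -0600] "GET /_VTI_BIN/probe.exe HTTP/1.0" 404 0
192.168.1.9 - - [23/Sep/2001:02:40:01 -0600] "GET /index.html HTTP/1.1" 200 1342
192.168.1.9 - - [23/Sep/2001:02:40:02 -0600] "GET /scripts/search.cgi?q=freebsd HTTP/1.1" 404 0
garbage line that does not parse
"""

def parse_line(line):
    """Return the fields of one log line, or None if it is not in common log format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_probe(path):
    """True if the request path is under one of the worm-targeted directories.
    Compared case-insensitively, since the servers the worm targets treat paths that way."""
    return path.lower().startswith(PROBE_PREFIXES)

def probe_counts(lines):
    """Count probe requests per client address, skipping lines that do not parse."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and is_probe(rec["path"]):
            counts[rec["client"]] += 1
    return counts

def flag_scanners(lines, threshold=3):
    """Clients with at least `threshold` probe hits: a review list, not an automatic
    block list, since a single stray hit (see 192.168.1.9) is not evidence of infection."""
    return sorted(c for c, n in probe_counts(lines).items() if n >= threshold)

if __name__ == "__main__":
    print(probe_counts(SAMPLE_LOG.splitlines()))
    print(flag_scanners(SAMPLE_LOG.splitlines()))
```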