Date: Sun, 23 Sep 2001 02:36:46 -0600 (MDT) From: David G Andersen <danderse@cs.utah.edu> To: chris@JEAH.net (Chris Byrnes) Cc: security@FreeBSD.ORG Subject: Re: New worm protection Message-ID: <200109230836.f8N8akx29012@faith.cs.utah.edu> In-Reply-To: <006701c141dd$8f185940$24f2fa18@mdsn1.wi.home.com> from "Chris Byrnes" at Sep 20, 2001 09:07:18 AM
next in thread | previous in thread | raw e-mail | index | archive | help
Lo and behold, Chris Byrnes once said: > > Has anyone written an easy-to-use ipfw rule or some kind of script that will > help with this new worm? Someone already pointed out disabling logging on your webserver. He also suggested a Tarpit-like approach. I like the following simple script, which is what I run on my webservers. mkdir DOCROOT/scripts # Cover the two alternate bits as well ln -s DOCROOT/scripts DOCROOT/_mem_bin ln -s DOCROOT/scripts DOCROOT/_vti_bin cat > DOCROOT/scripts/.htaccess ErrorDocument 404 /scripts/nph-foo.cgi <EOF> cat > DOCROOT/scripts/nph-foo.cgi #!/usr/bin/perl sleep(5); exit(0); <EOF> NIMDA doesn't hang out for very long waiting for a response to the script headers, so a labrea-tarpit like approach won't actually be particularly effective. The sleep(5) will slow it down a little bit, and the exit(0) will make it return with no data sent back, not even a 404. Which will help a bit on the outbound bandwidth, but, of course won't help on the inbound. Others have posted scripts to NANOG (see http://www.nanog.org/ and check the archive) that will automatically trigger ipfw / ipchains additions, but, as always, be particularly careful with those. -Dave -- work: dga@lcs.mit.edu me: dga@pobox.com MIT Laboratory for Computer Science http://www.angio.net/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200109230836.f8N8akx29012>