Date:      Fri, 28 Sep 2001 00:28:50 -0400
From:      Louis LeBlanc <leblanc+freebsd@acadia.ne.mediaone.net>
To:        freebsd-questions@FreeBSD.org, freebsd-questions@FreeBSD.org
Subject:   Re: Nimda....suggestions for minimising impact?
Message-ID:  <20010928002850.A64426@acadia.ne.mediaone.net>
In-Reply-To: <076a01c147c2$b2cc8560$0200a8c0@mark2>
References:  <076a01c147c2$b2cc8560$0200a8c0@mark2>

On 09/28/01 03:09 AM, Mark Hughes sat at the `puter and typed:
> Okay.....I've just checked the httpd error log on my FreeBSD box which is
> acting as my firewall/gateway for a small home network through an ADSL
> connection and out into the big wide world.
> 
> I'm getting over two thousand scans a day now for Nimda, which I would say
> is "fairly annoying", to say the least. It pales the 50 or so a day that I
> was getting before for code-red-a-likes into insignificance - you can see
> the date the virus was released due to a massive increase in the number of
> errors, which seems to be doubling every three or four days as well...
> 
> So, what I want to know is, what do people recommend for minimising the
> impact of this? Ideally I'd want to drop the packets just as soon as
> possible, I don't think I want to get into apache::codered and the like - I
> just want to minimise the impact and possibly log each IP address that
> causes an attack once, rather than appending miles and miles of errors to
> the error log.
> 
> So, what do people recommend? I'm running IPFW, ppp -nat is doing my
> connection sharing, apache is my webserver....am I best just letting it get
> on with it or is there some way I can filter out this crap before it gets
> in, as it were?
> 
> I'd rather not disable apache, but it's not vital that it remains
> externally accessible - would disabling it help at all? Is there anything I
> can make apache say back to the infected computer that would say "no, get
> lost" as it were, and make it give up?
> 
> Obviously, these will be things that will be useful for anyone with an
> internet connected freebsd box I'd guess, due to the nature of the beast.

Personally, I use Apache::CodeRed, and it does a good job of nagging
the system admin once a day.  I also hacked it to include
abuse@<machine's parent domain> for when the machine is several
subdomains down, and came up with a slightly modified version for
Nimda.  But that's not what you asked.

I use this to restrict the log entries from httpd.conf:

  # Mark requests for Windows executables, DLLs and default.ida (Code Red / Nimda probes)
  SetEnvIf Request_URI \.exe$ ms_bs
  SetEnvIf Request_URI \.dll$ ms_bs
  SetEnvIf Request_URI default\.ida ms_bs

  # Normal traffic goes to the usual access log; marked hits go to their own file
  CustomLog /var/log/httpsd/access_log common env=!ms_bs
  CustomLog /WWW/log/ms-bs_log common env=ms_bs

Of course you need to fix the log path as appropriate for your system,
and you can just leave out the last CustomLog line to simply not log
the hits.  They will still go into your error log, but unless you just
stop port 80 at the firewall, that can only be helped by a rewrite rule
(haven't figured out the exact syntax on that yet).

HTH
Lou
-- 
Louis LeBlanc       leblanc@acadia.ne.mediaone.net
Fully Funded Hobbyist, KeySlapper Extraordinaire :)
http://acadia.ne.mediaone.net

belief, n:
  Something you do not believe.
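Added example, not part of the original mail: a small Python reporter that applies the same three patterns as the SetEnvIf lines to a Common Log Format access log and reports each probing host once, which is what Mark asked for. The log lines are constructed samples, and the CLF field layout is assumed.

```python
import re
from collections import OrderedDict

# The three patterns from the SetEnvIf lines above, as Python regexes
# (backslash on the dot so "default.ida" matches a literal dot).
WORM_PATTERNS = [re.compile(r"\.exe$"), re.compile(r"\.dll$"), re.compile(r"default\.ida")]

# Common Log Format (assumed layout): host ident user [date] "request" status bytes
CLF_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)')

def request_uri(request_line):
    """URI of a CLF request field such as 'GET /scripts/root.exe?/c+dir HTTP/1.0'."""
    parts = request_line.split(" ")
    if len(parts) < 2:
        return ""
    # Drop the query string so the $-anchored patterns match as they do for Request_URI.
    return parts[1].split("?", 1)[0]

def is_worm_probe(uri):
    return any(p.search(uri) for p in WORM_PATTERNS)

def first_probe_per_host(log_lines):
    """Report each probing host once: first timestamp, first URI and total probe count."""
    seen = OrderedDict()
    for line in log_lines:
        m = CLF_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on them
        uri = request_uri(m.group("request"))
        if not is_worm_probe(uri):
            continue
        host = m.group("host")
        if host in seen:
            seen[host]["count"] += 1
        else:
            seen[host] = {"time": m.group("time"), "uri": uri, "count": 1}
    return seen

# Constructed sample log lines shaped like 2001-era Code Red / Nimda probes.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Sep/2001:00:01:02 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 285
10.0.0.5 - - [28/Sep/2001:00:01:03 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 285
192.0.2.9 - - [28/Sep/2001:00:02:10 -0400] "GET /default.ida?XXXX HTTP/1.0" 404 280
10.0.0.5 - - [28/Sep/2001:00:01:04 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300
198.51.100.3 - - [28/Sep/2001:00:05:00 -0400] "GET /index.html HTTP/1.0" 200 1043
192.0.2.9 - - [28/Sep/2001:00:02:11 -0400] "GET /_vti_bin/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300
""".splitlines()
```

Calling first_probe_per_host(SAMPLE_LOG) yields one entry per probing host with its first timestamp, first matching URI and probe count; the ordinary /index.html request is not reported.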