From owner-freebsd-questions Thu Sep 27 21:51:34 2001
From: "Kory Hamzeh"
Subject: RE: Nimda....suggestions for minimising impact?
Date: Thu, 27 Sep 2001 21:51:33 -0700
Message-ID: <005f01c147d9$3f307460$14ce21c7@avatar.com>
In-Reply-To: <20010928002850.A64426@acadia.ne.mediaone.net>

Louis,

Can I get a copy of your CodeRed module? Is it easy to install and setup?

Thanks,
Kory

> -----Original Message-----
> From: owner-freebsd-questions@FreeBSD.ORG
> [mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Louis LeBlanc
> Sent: Thursday, September 27, 2001 9:29 PM
> To: freebsd-questions@FreeBSD.org; freebsd-questions@FreeBSD.org
> Subject: Re: Nimda....suggestions for minimising impact?
>
>
> On 09/28/01 03:09 AM, Mark Hughes sat at the `puter and typed:
> > Okay.....I've just checked the httpd error log on my freeBSD box which is
> > acting as my firewall/gateway for a small home network through an ADSL
> > connection and out into the big wide world.
> >
> > I'm getting over two thousand scans a day now for Nimda, which I would say
> > is "fairly annoying", to say the least.
> > It pales the 50 or so a day that I was getting before for code-red-a-likes
> > into insignificance - you can see the date the virus was released due to a
> > massive increase in the number of errors, which seems to be doubling every
> > three or four days as well...
> >
> > So, what I want to know is, what do people recommend for minimising the
> > impact of this? Ideally I'd want to drop the packets just as soon as
> > possible, I don't think I want to get into apache::codered and the like - I
> > just want to minimise the impact and possibly log each IP address that
> > causes an attack once, rather than appending miles and miles of errors to
> > the error log.
> >
> > So, what do people recommend? I'm running IPFW, ppp -nat is doing my
> > connection sharing, apache is my webserver....am I best just letting it get
> > on with it or is there some way I can filter out this crap before it gets
> > in, as it were?
> >
> > I'd rather not disable apache, but it's not vital that it remains
> > externally accessible - would disabling it help at all? Is there anything I
> > can make apache say back to the infected computer that would say "no, get
> > lost" as it were, and make it give up?
> >
> > Obviously, these will be things that will be useful for anyone with an
> > internet connected freebsd box I'd guess, due to the nature of the beast.
>
> Personally, I use Apache::CodeRed, and it does a good job of nagging
> the system admin once a day. I also hacked it to include
> abuse@ for when the machine is several
> subdomains down, and came up with a slightly modified version for
> Nimda. But that's not what you asked.
>
> I use this to restrict the log entries from httpd.conf:
>
> SetEnvIf Request_URI \.exe$ ms_bs
> SetEnvIf Request_URI \.dll$ ms_bs
> SetEnvIf Request_URI default\.ida ms_bs
>
> CustomLog /var/log/httpsd/access_log common env=!ms_bs
> CustomLog /WWW/log/ms-bs_log common env=ms_bs
>
> Of course you need to fix the log path as appropriate for your system,
> and you can just leave out the last CustomLog line to simply not log
> the hits. They will still go into your error log, but unless you just
> stop port 80 at the firewall, that can only be helped by a rewrite rule
> (haven't figured out the exact syntax on that yet).
>
> HTH
> Lou
> --
> Louis LeBlanc leblanc@acadia.ne.mediaone.net
> Fully Funded Hobbyist, KeySlapper Extrordinaire :)
> http://acadia.ne.mediaone.net
>
> belief, n:
> Something you do not believe.
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
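As an added example (not code from the thread or from Apache::CodeRed), the three Request_URI patterns Louis uses in his SetEnvIf lines applied offline to an access log in Apache's common format, reporting each probing IP once with its first-seen time and hit count, which is what Mark asked for. The log lines are constructed and the function names are assumed.

```python
import re
# The three Request_URI patterns from the SetEnvIf lines above (default.ida
# with the dot escaped so it matches literally under a PCRE-based Apache).
PROBE_PATTERNS = [re.compile(p) for p in (r"\.exe$", r"\.dll$", r"default\.ida")]

# Apache "common" log format: host ident authuser [date] "request" status bytes
COMMON_LOG = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+$'
)

# Constructed sample lines (not real traffic); addresses are from documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [28/Sep/2001:03:11:02 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 295
198.51.100.7 - - [28/Sep/2001:03:12:40 -0700] "GET /default.ida?XXXX HTTP/1.0" 404 281
203.0.113.5 - - [28/Sep/2001:03:13:01 -0700] "GET /index.html HTTP/1.0" 200 1423
192.0.2.10 - - [28/Sep/2001:03:14:19 -0700] "GET /scripts/cmd.exe?/c+dir HTTP/1.0" 404 293
this line is not in common log format and is skipped
"""

def request_uri(request_line):
    """Path part of a log request line: no method, protocol or query string,
    which is what SetEnvIf sees in Request_URI."""
    parts = request_line.split()
    if len(parts) < 2:
        return None
    return parts[1].split("?", 1)[0]

def is_probe(uri):
    """True if the URI matches any of the worm-probe patterns."""
    return any(p.search(uri) for p in PROBE_PATTERNS)

def summarize_probes(log_text):
    """Return {ip: (first_seen, hit_count)} for hosts whose requests matched a
    probe pattern; each IP appears once, however many hits it produced."""
    seen = {}
    for line in log_text.splitlines():
        m = COMMON_LOG.match(line)
        if not m:
            continue  # malformed line: skip rather than crash
        uri = request_uri(m.group("request"))
        if uri is None or not is_probe(uri):
            continue
        host = m.group("host")
        first, count = seen.get(host, (m.group("when"), 0))
        seen[host] = (first, count + 1)
    return seen

if __name__ == "__main__":
    print(summarize_probes(SAMPLE_LOG))
```

Pointing it at the ms-bs_log file from the CustomLog line gives one line per source address instead of one per hit.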