Date: Thu, 27 Sep 2001 21:51:33 -0700 From: "Kory Hamzeh" <kory@avatar.com> To: <freebsd-questions@FreeBSD.org> Subject: RE: Nimda....suggestions for minimising impact? Message-ID: <005f01c147d9$3f307460$14ce21c7@avatar.com> In-Reply-To: <20010928002850.A64426@acadia.ne.mediaone.net>
Louis,

Can I get a copy of your CodeRed module? Is it easy to install and set up?

Thanks,
Kory

> -----Original Message-----
> From: owner-freebsd-questions@FreeBSD.ORG
> [mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Louis LeBlanc
> Sent: Thursday, September 27, 2001 9:29 PM
> To: freebsd-questions@FreeBSD.org; freebsd-questions@FreeBSD.org
> Subject: Re: Nimda....suggestions for minimising impact?
>
>
> On 09/28/01 03:09 AM, Mark Hughes sat at the `puter and typed:
> > Okay.....I've just checked the httpd error log on my freeBSD box which is
> > acting as my firewall/gateway for a small home network through an ADSL
> > connection and out into the big wide world.
> >
> > I'm getting over two thousand scans a day now for Nimda, which I would say
> > is "fairly annoying", to say the least. It pales the 50 or so a day that I
> > was getting before for code-red-a-likes into insignificance - you can see
> > the date the virus was released due to a massive increase in the number of
> > errors, which seems to be doubling every three or four days as well...
> >
> > So, what I want to know is, what do people recommend for minimising the
> > impact of this? Ideally I'd want to drop the packets just as soon as
> > possible, I don't think I want to get into apache::codered and the like - I
> > just want to minimise the impact and possibly log each IP address that
> > causes an attack once, rather than appending miles and miles of errors to
> > the error log.
> >
> > So, what do people recommend? I'm running IPFW, ppp -nat is doing my
> > connection sharing, apache is my webserver....am I best just letting it get
> > on with it or is there some way I can filter out this crap before it gets
> > in, as it were?
> >
> > I'd rather not disable apache, but it's not vital that it remains
> > externally accessible - would disabling it help at all? Is there anything I
> > can make apache say back to the infected computer that would say "no, get
> > lost" as it were, and make it give up?
> >
> > Obviously, these will be things that will be useful for anyone with an
> > internet connected freebsd box I'd guess, due to the nature of the beast.
>
> Personally, I use Apache::CodeRed, and it does a good job of nagging
> the system admin once a day. I also hacked it to include
> abuse@<machine's parent domain> for when the machine is several
> subdomains down, and came up with a slightly modified version for
> Nimda. But that's not what you asked.
>
> I use this to restrict the log entries from httpd.conf:
>
> SetEnvIf Request_URI \.exe$ ms_bs
> SetEnvIf Request_URI \.dll$ ms_bs
> SetEnvIf Request_URI default\.ida ms_bs
>
> CustomLog /var/log/httpsd/access_log common env=!ms_bs
> CustomLog /WWW/log/ms-bs_log common env=ms_bs
>
> Of course you need to fix the log path as appropriate for your system,
> and you can just leave out the last CustomLog line to simply not log
> the hits. They will still go into your error log, but unless you just
> stop port 80 at the firewall, that can only be helped by a rewrite rule
> (haven't figured out the exact syntax on that yet).
>
> HTH
> Lou
> --
> Louis LeBlanc leblanc@acadia.ne.mediaone.net
> Fully Funded Hobbyist, KeySlapper Extraordinaire :)
> http://acadia.ne.mediaone.net
>
> belief, n:
> Something you do not believe.
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
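Mark's other wish in the quoted message is to record each probing source once rather than fill the log with every hit. The script below is an added example, not code from anyone in this thread: it reads Apache "common" format log lines (either the main access_log or the separate ms-bs_log produced by Louis's SetEnvIf/CustomLog split), applies the same three patterns as his SetEnvIf lines to the request path, and collapses worm probes to one line per source IP with the first-seen time, hit count and first URI. The log lines inside the script are constructed samples using documentation IP ranges, not real traffic; the function names and the CLF regex are this example's own.

```python
import re
from collections import OrderedDict

# Same three patterns as the SetEnvIf Request_URI lines quoted in the thread.
WORM_PATTERNS = [
    re.compile(r"\.exe$"),
    re.compile(r"\.dll$"),
    re.compile(r"default\.ida"),
]

# Apache "common" log format: host ident user [time] "request" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Constructed sample log lines (not real traffic); addresses are from documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [28/Sep/2001:03:01:12 -0700] "GET /index.html HTTP/1.0" 200 1043
198.51.100.7 - - [28/Sep/2001:03:02:44 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 292
198.51.100.7 - - [28/Sep/2001:03:02:45 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 290
203.0.113.5 - - [28/Sep/2001:03:05:01 -0700] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 289
198.51.100.7 - - [28/Sep/2001:03:06:30 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
203.0.113.5 - - [28/Sep/2001:03:07:15 -0700] "GET /_vti_bin/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
192.0.2.10 - - [28/Sep/2001:03:09:00 -0700] "GET /images/logo.gif HTTP/1.0" 200 5120
"""


def classify(line):
    """Parse one CLF line; return (host, time, uri, is_worm) or None if it does not parse."""
    m = CLF_RE.match(line)
    if not m:
        return None
    uri = m.group("uri")
    # SetEnvIf Request_URI is matched against the path only, so drop the query string
    # before testing, otherwise "\.exe$" would never match "/scripts/root.exe?/c+dir".
    path = uri.split("?", 1)[0]
    is_worm = any(p.search(path) for p in WORM_PATTERNS)
    return m.group("host"), m.group("time"), uri, is_worm


def summarise(log_text):
    """Collapse worm probes to one record per source IP.

    Returns (per_ip, normal_count): per_ip maps host -> {first_seen, hits, first_uri}
    in first-seen order; normal_count is the number of lines that were not probes.
    """
    per_ip = OrderedDict()
    normal = 0
    for line in log_text.splitlines():
        rec = classify(line)
        if rec is None:
            continue  # unparsable line: skip rather than guess
        host, when, uri, is_worm = rec
        if not is_worm:
            normal += 1
            continue
        entry = per_ip.setdefault(host, {"first_seen": when, "hits": 0, "first_uri": uri})
        entry["hits"] += 1
    return per_ip, normal


if __name__ == "__main__":
    per_ip, normal = summarise(SAMPLE_LOG)
    print(f"{normal} ordinary requests, {len(per_ip)} probing hosts")
    for host, e in per_ip.items():
        print(f"{host:15} first seen {e['first_seen']}  hits={e['hits']}  first={e['first_uri']}")
```

Point it at a real file by replacing SAMPLE_LOG with the file's contents; the one-line-per-host output is what Mark asked for, and the hit counts show how the probe volume grows day by day. As for the rewrite rule Louis had not yet worked out, the same three patterns can be refused at the server rather than merely logged separately (assuming mod_rewrite is loaded) with `RewriteEngine On`, `RewriteRule \.(exe|dll)$ - [F]` and `RewriteRule default\.ida - [F]`, which answers a 403 instead of letting the request reach the filesystem and the error log.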