From owner-freebsd-security Sun Sep 23 10: 3:31 2001
Delivered-To: freebsd-security@freebsd.org
Received: from wrath.cs.utah.edu (wrath.cs.utah.edu [155.99.198.100])
	by hub.freebsd.org (Postfix) with ESMTP id A685637B40A
	for ; Sun, 23 Sep 2001 10:03:25 -0700 (PDT)
Received: from faith.cs.utah.edu (faith.cs.utah.edu [155.99.198.108])
	by wrath.cs.utah.edu (8.11.6/8.11.1) with ESMTP id f8NH3OT23311;
	Sun, 23 Sep 2001 11:03:24 -0600 (MDT)
From: David G Andersen
Received: (from danderse@localhost)
	by faith.cs.utah.edu (8.11.1/8.11.1) id f8NH3NK24837;
	Sun, 23 Sep 2001 11:03:23 -0600 (MDT)
Message-Id: <200109231703.f8NH3NK24837@faith.cs.utah.edu>
Subject: Re: New worm protection
To: smithi@nimnet.asn.au (Ian Smith)
Date: Sun, 23 Sep 2001 11:03:23 -0600 (MDT)
Cc: danderse@cs.utah.edu (David G Andersen), chris@JEAH.net (Chris Byrnes),
	security@FreeBSD.ORG
In-Reply-To: from "Ian Smith" at Sep 24, 2001 02:56:40 AM
X-Mailer: ELM [version 2.5 PL2]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Lo and behold, Ian Smith once said:
>
> Not an option here, but it's the large number of entries in *-error.log
> that I'd like to be rid of. *-access.log I can just grep out before log
> analysis, if not exclude in the analyser config.

Disable error logging? :)

> Cute. Will play. However there are other directories too; dumping
> ANY request containing cmd.exe or root.exe would do it best here.

Use mod_rewrite to redirect all accesses to that script.

RewriteEngine on
RewriteRule .*/cmd.exe.* /scripts/nph-foo.cgi

(I haven't tested this syntax. Test it first. :)

> But does *error.log still get hit? I dealt with /default.ida by giving
> 'em a one-line one, which at least meant no error logging while reducing
> response traffic by two thirds, but poring through apache docs - which I
> must be too thick to find easy reading, looking for some way to provide
> some short but valid response to such a range of URLs, I've not yet been
> able to nut out. Any suggestions?

The rewriting I specified above will do what you want. It maps it to a
valid script request. It'll show up in *access_log.

> I'd love to find some way of pre-filtering these NIMDA requests and just
> dropping them on the floor before apache even considered DNS lookups (?)

I'm vaguely surprised you have reverse DNS resolution enabled. You could
make life a lot easier on yourself by switching to post-resolution for a
while, and do the DNS lookup _after_ filtering out the bogus requests.

-Dave

-- 
work: dga@lcs.mit.edu                          me: dga@pobox.com
MIT Laboratory for Computer Science            http://www.angio.net/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
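The following httpd.conf fragment is an added example, not part of the message above and not something either poster tested. It puts the three pieces of the thread together for an Apache 1.3 server: turn off request-time reverse DNS, keep the worm probes out of the main access log with mod_setenvif and a conditional CustomLog, and map the probes onto one small valid script with mod_rewrite so they stop producing 404s (and thus error_log lines). It assumes mod_rewrite and mod_setenvif are available, that /scripts/ is a ScriptAlias directory containing the one-line CGI, and the log file paths are placeholders; /scripts/nph-foo.cgi is the placeholder name from the message, and the cmd.exe, root.exe and default.ida fragments are the request paths the thread itself discusses.

```apache
# Added example, not from the original mail. Apache 1.3 httpd.conf fragment.
# Assumed: mod_rewrite and mod_setenvif loaded, /scripts/ is ScriptAlias'd,
# log paths are placeholders.

# 1. Do not resolve client addresses while serving requests. Resolve later,
#    offline, on the already-filtered log (see the usage note below).
HostnameLookups Off

# 2. Tag probe requests by request path so the loggers can treat them apart.
#    Dots are escaped (the untested pattern in the mail leaves them as
#    wildcards); NoCase catches mixed-case variants.
SetEnvIfNoCase Request_URI "(cmd\.exe|root\.exe|default\.ida)" worm=1

# Normal traffic goes to the usual log; tagged requests are dropped from it.
# Conditional logging via env= needs Apache 1.3.5 or later. The second log
# keeps a terse record of the probes for counting; delete it to discard them.
CustomLog /var/log/httpd-access.log combined env=!worm
CustomLog /var/log/httpd-worm.log   "%h %t \"%r\"" env=worm

# 3. Map every probe onto one tiny, valid script so the server answers with a
#    short response instead of a 404, which is what fed the error log.
#    In server context the pattern is matched against the URL path only, so
#    the worm's "?/c+dir" query string is simply passed through and ignored
#    by the script. [NC] = case-insensitive, [L] = stop after this rule.
#    The substituted path never matches the pattern, so it cannot loop.
RewriteEngine On
RewriteRule (cmd\.exe|root\.exe|default\.ida) /scripts/nph-foo.cgi [NC,L]
```

Two caveats a practitioner would want. First, a script named nph-* is expected by Apache to emit a complete HTTP response, status line included; if it does not, the probes will start generating error_log entries of their own, which defeats the point. Second, post-resolution is done outside the server: after the log rotates, run the filtered access log through the logresolve utility that ships with Apache (for example `logresolve < httpd-access.log > httpd-access.resolved`) to replace addresses with hostnames. Because the probes never reach that file, no DNS lookups are spent on them.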