From: "Karl M. Joch" <k.joch@kmjeuro.com>
To: "David Kirchner"
Subject: Re: New worm protection
Date: Mon, 24 Sep 2001 01:24:41 +0200

I have made a quick and maybe dirty solution which helps me a lot on the servers. It handles multiple error files. My error files are reset once every 24h, so I don't get too big files.
#!/usr/bin/perl
############################################
# include trailing / in run & wrk
$run = "/usr/local/blockwins/";
$wrk = "/usr/local/blockwins/data/";          # create it in advance
$logfiles = "/usr/local/blockwins/logfiles";  # made by ls /var/log/your-apache-error-logs
$domfile = "IPs";
$rule = "50";                                 # the ipfw rule you want to use
#*************************************************** end of config

# pre-fill date:
chop($dat=`date "+%y/%m/%d %H:%M"`);
$cnt=0;   # ips (new in this run)
$cnto=0;  # ips old (everything in the DB)
$cnt2=0;  # access (repeat hits from IPs already in the DB)

# create domain/register file if non existent:
dbmopen (%domains,"$wrk$domfile",0640);
dbmclose (%domains);
dbmopen (%domains,"$wrk$domfile",0640);

# GET OUR LOGFILES (one Apache error-log path per line)
open (INPUT,$logfiles) || die "$0: cannot open $logfiles !\n";
while (<INPUT>) {
    chop ($_);
    open (LOG,$_) || die "cannot open $_! \n";
    while (<LOG>) {
        ## [Mon Sep 10 10:38:43 2001] [error] [client 193.215.176.192] File does not exist: /usr/local/www/default.ida
        $virus=0;
        if (/winnt/)       { $virus=1; }
        if (/root.exe/)    { $virus=1; }
        if (/cmd.exe/)     { $virus=1; }
        if (/default.ida/) { $virus=1; }
        if ($virus) {
            # block them: pull the client IP and the requested file name out of the line
            $results=$_;
            $results=~ s/.*client ([0-9.]+).*\/(.*)$/$1##$2/;
            ($ip,$comm) = split(/##/,$results);
            if ( $domains{$ip}) {
                $cnt2++;
                $domains{$ip}=$comm;   ## last command
            } else {
                $cnt++;
                $domains{$ip}=$comm;   ## last command
            }
        }
    }
    close (LOG);
}
print "########################################################################\n";
print "Angriffe von Code Red/Nimda \n";
print "########################################################################\n";
print "DIFFERENT IPs: $cnt\n";
print "########################################################################\n";
print "TOTAL ACCESS: $cnt2\n";
print "########################################################################\n";
close (INPUT);

# NOW LETS CHECK EVERYTHING:
# clear the one rule (ipfw(8) takes the rule number after the verb: "ipfw delete 50"):
@args = ("/sbin/ipfw delete $rule");
system(@args) == 0 or print "system @args failed: $?\n";
# add all of our idiots (the IP came from the [0-9.]+ match above, so nothing else reaches the shell):
foreach $dom (sort keys %domains) {
    $cnto++;
    # print "$dom - denied access to the server with rule $rule\n";
    @args = ("/sbin/ipfw add $rule deny all from $dom to any >/dev/null");
    system(@args) == 0 or die "system @args failed: $?";
}
print "########################################################################\n";
print "All Rules (Total IPS: $cnto) added to Firewall\n";
print "Known Windows Systems denied access!\n";
print "########################################################################\n";
dbmclose (%domains);

--
Best regards / Mit freundlichen Gruessen,

Karl M. Joch
KMJ Consulting - CTS Consulting & Trade Service
http://www.kmjeuro.com - http://www.ctseuro.com
k.joch@kmjeuro.com - k.joch@ctseuro.com
GSM : +43-664-3407888

Our services:
http://www.proline.at - Network and security technology
http://www.eushop.net - Online shop and applications, simply rented
http://www.freebsd.at - Power Operating System

----- Original Message -----
From: "David Kirchner"
Sent: Sunday, September 23, 2001 11:00 PM
Subject: Re: New worm protection

> Would it be possible to create an accept-filter module (ala accf_http)
> that could take care of these and future similar filters, server-wide?

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
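As an added example, not part of Karl's post or of FreeBSD, the same log-scanning idea in Python: the Apache error-line pattern is anchored so only the "[client ...]" field can supply the address, the octets are range-checked before anything is handed to ipfw, and the ipfw(8) commands are returned as a list instead of executed. The sample log lines, the rule number 50 and the signature list are constructed from what the script above shows.

```python
import re

# Probe signatures the Perl script looks for in Apache error logs (Code Red / Nimda).
WORM_SIGNATURES = ("winnt", "root.exe", "cmd.exe", "default.ida")

# Anchored on the Apache 1.3 error-log layout: only the client field can yield an IP.
ERROR_LINE = re.compile(
    r"^\[[^\]]+\] \[error\] \[client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\] (?P<msg>.*)$"
)

def parse_worm_hits(lines):
    """Return {ip: {"hits": n, "last": last-requested-filename}} for matching lines."""
    hits = {}
    for line in lines:
        m = ERROR_LINE.match(line.rstrip("\n"))
        if not m:
            continue
        msg = m.group("msg")
        if not any(sig in msg for sig in WORM_SIGNATURES):
            continue
        ip = m.group("ip")
        # Reject impossible octets so a malformed line never reaches the firewall command.
        if any(int(o) > 255 for o in ip.split(".")):
            continue
        entry = hits.setdefault(ip, {"hits": 0, "last": ""})
        entry["hits"] += 1
        entry["last"] = msg.rsplit("/", 1)[-1]
    return hits

def ipfw_commands(hits, rule=50):
    """ipfw(8) invocations: drop the old rule number, then one deny per address."""
    cmds = ["/sbin/ipfw delete %d" % rule]
    for ip in sorted(hits, key=lambda a: tuple(int(o) for o in a.split("."))):
        cmds.append("/sbin/ipfw add %d deny all from %s to any" % (rule, ip))
    return cmds

# Constructed sample lines in the format the script's own comment shows.
SAMPLE_LOG = [
    "[Mon Sep 10 10:38:43 2001] [error] [client 193.215.176.192] File does not exist: /usr/local/www/default.ida",
    "[Mon Sep 10 10:38:44 2001] [error] [client 10.0.0.7] File does not exist: /usr/local/www/scripts/root.exe",
    "[Mon Sep 10 10:38:45 2001] [error] [client 193.215.176.192] File does not exist: /usr/local/www/winnt/system32/cmd.exe",
    "[Mon Sep 10 10:38:46 2001] [error] [client 10.0.0.9] File does not exist: /usr/local/www/favicon.ico",
    "[Mon Sep 10 10:38:47 2001] [error] [client 999.1.1.1] File does not exist: /usr/local/www/default.ida",
]

if __name__ == "__main__":
    for cmd in ipfw_commands(parse_worm_hits(SAMPLE_LOG)):
        print(cmd)
```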