Date:      Sun, 23 Sep 2001 11:03:23 -0600 (MDT)
From:      David G Andersen <danderse@cs.utah.edu>
To:        smithi@nimnet.asn.au (Ian Smith)
Cc:        danderse@cs.utah.edu (David G Andersen), chris@JEAH.net (Chris Byrnes), security@FreeBSD.ORG
Subject:   Re: New worm protection
Message-ID:  <200109231703.f8NH3NK24837@faith.cs.utah.edu>
In-Reply-To: <Pine.BSF.3.96.1010924022816.9322B-100000@gaia.nimnet.asn.au> from "Ian Smith" at Sep 24, 2001 02:56:40 AM

Lo and behold, Ian Smith once said:
> 
> Not an option here, but it's the large number of entries in *-error.log
> that I'd like to be rid of.  *-access.log I can just grep out before log
> analysis, if not exclude in the analyser config.

   Disable error logging? :)

> Cute.  Will play.  However there are other directories too; dumping
> ANY request containing cmd.exe or root.exe would do it best here.

  Use mod_rewrite to redirect all accesses to that script.

RewriteEngine on
# Escape the dots (an unescaped "." matches any character); [NC] matches
# regardless of case and [L] stops further rewriting once it has fired.
RewriteRule .*/cmd\.exe.* /scripts/nph-foo.cgi [NC,L]

(I haven't tested this syntax.  Test it first. :)

> But does *error.log still get hit?  I dealt with /default.ida by giving
> 'em a one-line one, which at least meant no error logging while reducing
> response traffic by two thirds, but poring through apache docs - which I
> must be too thick to find easy reading, looking for some way to provide
> some short but valid response to such a range of URLs, I've not yet been
> able to nut out.  Any suggestions?

  The rewriting I specified above will do what you want.  It maps it
to a valid script request.  It'll show up in *access_log.

> I'd love to find some way of pre-filtering these NIMDA requests and just
> dropping them on the floor before apache even considered DNS lookups (?)

  I'm vaguely surprised you have reverse DNS resolution enabled.
You could make life a lot easier on yourself by switching to post-resolution
for a while, and do the DNS lookup _after_ filtering out the bogus
requests.

  -Dave

-- 
work: dga@lcs.mit.edu                          me:  dga@pobox.com
      MIT Laboratory for Computer Science           http://www.angio.net/
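
The post-resolution filtering Dave suggests above (drop the cmd.exe, root.exe and /default.ida probes from the access log first, then resolve the remaining client addresses) as an added, self-contained example; it is not code from the original message or from any of the people in this thread. The log lines are constructed to look like Nimda and Code Red probes, the lookup function is injected so the script runs offline, and the socket.gethostbyaddr default is the only assumed network dependency:

```python
import re
import socket
from collections import Counter

# Constructed sample lines in Apache Common Log Format (not from the
# original message): three worm-style probes and one ordinary request.
# mod_rewrite logs the original request line, so the rewritten target
# (/scripts/nph-foo.cgi) never hides the probe from this filter.
SAMPLE_LOG = """\
10.0.0.5 - - [23/Sep/2001:11:03:23 -0600] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 35
10.0.0.5 - - [23/Sep/2001:11:03:24 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
10.0.0.9 - - [23/Sep/2001:11:03:25 -0600] "GET /default.ida?XXXX HTTP/1.0" 200 1
192.0.2.7 - - [23/Sep/2001:11:04:01 -0600] "GET /index.html HTTP/1.1" 200 1043
"""

# The probe signatures discussed in the thread: Nimda's cmd.exe/root.exe
# requests and Code Red's /default.ida.  Dots escaped, case-insensitive,
# matched against the request line only (never against the resolved host).
WORM_RE = re.compile(r"(cmd\.exe|root\.exe|/default\.ida)", re.IGNORECASE)

# Minimal CLF parser: host, ident, user, timestamp, request line, status, bytes.
CLF_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)


def parse_clf(line):
    """Return the fields of one CLF line as a dict, or None if it does not parse."""
    m = CLF_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def is_worm_probe(entry):
    """True if the logged request line carries one of the worm signatures."""
    return WORM_RE.search(entry["request"]) is not None


def split_log(lines):
    """Separate worm probes from legitimate entries; returns (clean, probes)."""
    clean, probes = [], []
    for line in lines:
        entry = parse_clf(line)
        if entry is None:
            continue  # skip unparseable lines rather than aborting the run
        (probes if is_worm_probe(entry) else clean).append(entry)
    return clean, probes


def resolve_hosts(entries, lookup=None):
    """Post-resolution step: attach a hostname to each remaining entry.

    `lookup` is injected so the function can run offline; by default it is a
    reverse DNS lookup via socket.gethostbyaddr (assumed network access).
    Results are cached per address so each client is resolved only once.
    """
    if lookup is None:
        def lookup(addr):
            try:
                return socket.gethostbyaddr(addr)[0]
            except (socket.herror, socket.gaierror):
                return addr  # keep the address when reverse DNS fails
    cache = {}
    resolved = []
    for entry in entries:
        addr = entry["host"]
        if addr not in cache:
            cache[addr] = lookup(addr)
        resolved.append(dict(entry, hostname=cache[addr]))
    return resolved


def probe_sources(probes):
    """Count probes per client address, e.g. to decide which hosts to firewall."""
    return Counter(e["host"] for e in probes)


if __name__ == "__main__":
    clean, probes = split_log(SAMPLE_LOG.splitlines())
    print(f"{len(probes)} worm probes dropped, by source: {dict(probe_sources(probes))}")
    # Offline demonstration: substitute a fixed hostname for the real lookup.
    for e in resolve_hosts(clean, lookup=lambda a: "client.example.invalid"):
        print(e["hostname"], e["request"])
```

Run it against a real log with `split_log(open("access_log"))` and the default resolver; keeping HostnameLookups off in httpd.conf and resolving here means Apache never spends a DNS round trip on a probe that is about to be discarded.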

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message