Subject: Re: httpd access_logs-security et al
From: Jim Courtney (courtney@ieee.org)
Date: Sat Dec 29 2001 - 20:30:33 AKST


I used the 'string match' module for iptables to get rid of nimda.

$IPTABLES -A INPUT -m tcp -p tcp --dport 80 -j DROP -m string --string ".exe?"

Anybody trying to download a ".exe" gets their packets dropped before they
get to your web server. Works for me.

JC

At 05:48 PM 12/29/2001 -0900, W.D.McKinney wrote:

>Well something like this maybe ?
>
>#!/bin/sh
># pattern and action must sit on the same line, or gawk treats them as two rules
>tail -f /path/to/log/httpd/access_log | gawk '/default.ida|scripts/ {
>    system("/sbin/route add -host " $1 " reject") }'
>
>
>
>William Bouterse <bill@bouterse.com> wrote:
> >
> > After the overwhelming inundation of Nimda and others and continued
> > bloat of my home server access_logs and the recent malicious cracking
> > into a member of this list's server, I was wondering....?
> >
> > Where is one of those nice little scripts I remember seeing
> > to bounce back the access attempts returning them to the attention
> > of the administrator of the infected server? Or other suggestions
> > for a relatively non-sophisticated linux user.
> >
> > I have misplaced the email concerning the cracked server and was wondering
> > what the outcome of it all was and whether or not the members of this
> > group have a notification process set up whereby any confirmed exploit is
> > immediately announced. Perhaps "SECURITY ALERT"!!!
> > ...Sometimes the list grows long with various discussions and I for one
> > have a tendency to skim and sometimes forget which is why I am writing
> > this....It would be nice to know the details of
> > security issues as it can affect us all both home user and business...
> >
> > I still have not perfected the balance between
> > too much and too little security
> >
> >
> > William Bouterse
> > Talkeetna, Ak.
>
>
>--
>W.D.McKinney (Dee)
>(907)349-4308 (Office)
>(907)349-2226 (Fax)
>http://3519098920

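A review-first version of the log-scanning idea in this thread, added here and not written by any of the posters: an awk pass over access_log that counts Code Red/Nimda-style probe requests per source address and lists only hosts above a threshold, rather than adding a reject route on the first matching line. The request signatures and the sample log lines are constructed for the example; the functions read a log on stdin, so they can be pointed at a real access_log.

```shell
#!/bin/sh
# Constructed Common Log Format lines (addresses from documentation ranges).
SAMPLE_LOG="$(cat <<'EOF'
192.0.2.10 - - [29/Dec/2001:17:48:01 -0900] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
198.51.100.7 - - [29/Dec/2001:17:48:02 -0900] "GET /index.html HTTP/1.1" 200 1043
192.0.2.10 - - [29/Dec/2001:17:48:03 -0900] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 210
203.0.113.5 - - [29/Dec/2001:17:49:10 -0900] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 210
192.0.2.10 - - [29/Dec/2001:17:49:11 -0900] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210
198.51.100.7 - - [29/Dec/2001:17:49:12 -0900] "GET /docs/setup.exe HTTP/1.1" 200 51200
EOF
)"

# Count matching probes per source IP, reading access_log lines on stdin.
# Only the request path (field 7 in CLF) is tested, so a legitimate download
# of /docs/setup.exe is not counted, unlike a raw ".exe?" packet match.
# Signatures: default.ida (Code Red), /scripts/, /MSADC/, cmd.exe, root.exe (Nimda).
probe_hits() {
    awk '
        $7 ~ /default\.ida|\/scripts\/|\/MSADC\/|cmd\.exe|root\.exe/ { hits[$1]++ }
        END { for (ip in hits) print hits[ip], ip }
    ' | sort -rn
}

# "count ip" per offending source, most active first.
report() {
    probe_hits
}

# Hosts at or above the threshold (default 2) are candidates for a block;
# the threshold keeps one stray request from banning a whole host.
candidates() {
    threshold="${1:-2}"
    probe_hits | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Run on the constructed sample; on a real host: candidates 3 < /var/log/httpd/access_log
printf '%s\n' "$SAMPLE_LOG" | report
```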


This archive was generated by hypermail 2a23 : Sat Dec 29 2001 - 20:28:00 AKST