Viruses, ipchains, dynamic rules, rules with regular expressions
All,
My Redhat 7.1 box is getting 10,000+ virus hits per day, ranging from code red 1 & 2 to that nimrad(sp?) worm. Being a newbie, I have a few questions:
1. Is there any way to dynamically add rules to ipchains to block these IP's?
2. Is it possible to automatically send an e-mail to the offending IP's to inform them that they are infected?
3. Can I use regexes in ipchains rules? For example, two files that are always requested (HTTP GET) are root.exe and cmd.exe, although the worms check for the files in many different directories.
I realize that these attacks are targeted to IIS (which I have on another box, but it is well patched and protected by Mcafee online), but I'd like to do my part to help stop them.
4. Is it possible to redirect these GET requests to another URL, so if a human from that site actually ever surfs to my site they will get a page that says they are blocked because their pc is infected?
5. As a consequence, my log files (spec. error_log and access_log) are VERY long now. Is there any way I can reset them every so often?
1. Yes. You could install Snort (snort.org) and use one of the helper apps like Guardian(?) to skim through the snort.log and add a rule to your firewall script and/or hosts.deny. Snort has custom rulesets for detecting everything from benign http_cgi_post requests, to the IIS ida/exe stuff. Check if the address lists get pruned, else it'll grow way too large.
2. IIRC, it can be done through some (Snort) helper app, but with ISPs having to do a lot of work my bet is they just dump it in /dev/null. What's the name again of this wintendo app that has this annoying feature?.. Sending it off to the IP also has no meaning since not every IP address has an email address attached, or is maintained at all; send it to the upstream ISP's abuse@ address (where it is neatly archived at /dev/null) :-]
3. Unfortunately no. IIRC, ipchains does not do packet content inspection this way. Like with all these types of attacks, stopping these just needs a good admin on the other side; don't expect Really Great Signs Of Gratitude when covering them with emails at 10/p/m rate.
4. Apache can be configured maybe with something like:
# Match any request whose URI path ends in .exe, whatever directory the worm tries
# (<Location *.exe> is not a reliable match for nested paths; LocationMatch takes a regex)
<LocationMatch "\.exe$">
    # Apache 1.3/2.2 mod_access syntax; on Apache 2.4 use "Require all denied" instead
    Deny from all
    ErrorDocument 403 /goaway.html
</LocationMatch>
5. Log archiving is done through logrotate, started daily from cron. Also *not* adding "-l" (logging) on "regular" rules helps a lot; once the offending IP is detected it doesn't make much sense to me to keep logging that address, unless you've got some statistics fetish :-]
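Point 1 of the reply above (detect the scanning hosts, then feed their addresses into the firewall script) can also be done without Snort, straight from Apache's access_log. The script below is an added example written for this thread; it is not unSpawn's code nor anything from Snort or Guardian. It assumes the Common Log Format that Apache writes by default, an ipchains chain named "input", and the two file names the original poster mentions (root.exe and cmd.exe) in any directory. The log lines are constructed with RFC 5737 documentation addresses. It prints the ipchains commands rather than running them, so you can review the list before adding it to a firewall script, and it skips IPs already blocked so the rule list does not grow with duplicates (the pruning concern in the reply).

```python
import re
from collections import Counter

# Constructed sample Apache access_log lines (Common Log Format) using
# RFC 5737 documentation addresses; not real traffic from the thread.
SAMPLE_ACCESS_LOG = """\
192.0.2.10 - - [20/Sep/2001:10:11:12 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
192.0.2.10 - - [20/Sep/2001:10:11:13 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 210
198.51.100.7 - - [20/Sep/2001:10:12:01 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210
203.0.113.5 - - [20/Sep/2001:10:13:45 -0400] "GET /index.html HTTP/1.0" 200 1043
192.0.2.10 - - [20/Sep/2001:10:14:00 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210
"""

# One CLF line: client IP, ident, user, [timestamp], "METHOD path protocol", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# The two file names the poster sees requested; the directory prefix is ignored on purpose.
WORM_PATH_RE = re.compile(r'/(root|cmd)\.exe(\?|$)', re.IGNORECASE)


def find_worm_sources(log_text, threshold=1):
    """Return {ip: hit_count} for clients whose GET requests target root.exe or cmd.exe
    at least `threshold` times. Lines that are not CLF are skipped, not mis-parsed."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if m.group("method") == "GET" and WORM_PATH_RE.search(m.group("path")):
            hits[m.group("ip")] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


def ipchains_rules(ips, already_blocked=frozenset(), chain="input"):
    """Render one ipchains DENY rule per source IP that is not already blocked.
    Tracking `already_blocked` (addresses added on earlier runs) keeps the rule
    list from growing with duplicates. The chain name "input" is an assumption:
    adjust it to match your own firewall script."""
    return [f"ipchains -A {chain} -s {ip} -j DENY"
            for ip in sorted(set(ips) - set(already_blocked))]


if __name__ == "__main__":
    sources = find_worm_sources(SAMPLE_ACCESS_LOG, threshold=1)
    for rule in ipchains_rules(sources):
        print(rule)
```

Run it from cron after logrotate has cut the log so each pass only sees new lines, and raise `threshold` if a single request from an address is not enough for you to want it blocked.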
Thanks unSpawn. I will check out snort and the other points, and see if I can't expand my newbie mind a bit more.
I'm learning quickly, but the more I learn, the more I realize it is going to take a long time for me to be as good at Linux as I am on Windows. But the effort is well worth it. MS has become far too paternalistic lately (I think they are under the mistaken impression this is _their_ computer!), and as my programming abilities have grown, I am infuriated by not having access to the source code.