LinuxQuestions.org
Did you know LQ has a Linux Hardware Compatibility List?
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 09-24-2001, 09:50 PM   #1
marktaff
Member
 
Registered: Jun 2001
Location: Bellevue, WA (Seattle)
Distribution: SuSE 9.3-10.0
Posts: 53

Rep: Reputation: 15
Viruses, ipchains, dynamic rules, rules with regular expressions


All,

My Redhat 7.1 box is getting 10,000+ virus hits per day, ranging from code red 1 & 2 to that nimrad(sp?) worm. Being a newbie, I have a few questions:

1. Is there any way to dynamically add rules to ipchains to block these IP's?

2. Is it possible to automatically send an e-mail to the offending IP's to inform them that they are infected?

3. Can I use regex's in ipchains rules? For example, two files that are always requested (HTTP GET) are root.exe and cmd.exe, although the worms check for the files in many diferrent directories.

I realize that these attacks are targeted to IIS (which I have on another box, but it is well patched and protected by Mcafee online), but I'd like to do my part to help stop them.

4. Is it possible to redirect these GET requests to another URL, so if a human from that site actually ever surfs to my site they will get a page that says they are blocked because their pc is infected?

5. As a consequence, my log files (spec. error_log and access_log) are VERY long now. Is there any way I can can reset them every so often?

Thanks.

Mark
 
Old 09-25-2001, 04:45 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,666
Blog Entries: 54

Rep: Reputation: 2952Reputation: 2952Reputation: 2952Reputation: 2952Reputation: 2952Reputation: 2952Reputation: 2952Reputation: 2952Reputation: 2952Reputation: 2952Reputation: 2952
1. Yes. you could install Snort (snort.org) and use one of the helper apps like Guardian(?) to skim tru the snort.log and add a rule to your firewall script and/or hosts.deny. Snort has custom rulesets for detecting everything from benign http_cgi_post requests, to the IIS ida/exe stuff. Check if the address lists get pruned, else itll grow way too large.

2. IIRC, it can be done tru some (Snort) helper app, but with ISP's having to do a lot of work my bet is they just dump it in /dev/null. What's the name again of this wintendo app that has this annoying feature?.. Sending it off to the IP also has no meaning since not every IP address has an email address attached, or is maintained at all, send it to the upstream ISP's abuse@address (where it is neatly archived at /dev/null) :-]

3. Unfortunately no. IIRC, Ipchains does not do packet content inspection this way. Like with all these type attacks, stopping these just needs a good admin on the other side, don't expect Really Great Signs Of Gratitude when covering them with emails at 10/p/m rate.

4. Apache can be configured maybe with something like:
<location *.exe>
deny from all
errordocument 403 /goaway.html
</location>

5. Log archiving is done tru logrotate, started daily from cron, also *not* adding "-l" (logging) on "regular" rules helps a lot, once the offending IP is detected it doesnt make much sense to me to keep logging that address, unless youve got some statistics fetish :-]

HTH.
 
Old 09-25-2001, 05:01 AM   #3
marktaff
Member
 
Registered: Jun 2001
Location: Bellevue, WA (Seattle)
Distribution: SuSE 9.3-10.0
Posts: 53

Original Poster
Rep: Reputation: 15
Thanks

Thanks unSpawn. I will check out snort and the other points, and see if I can't expand my newbie mind a bit more.

I'm learning quickly, but the more I learn, the more I realize it is going to take a long time for me to be as good at Linux as I am on windows. But the effort is well worth it. MS has become far to paternalistic lately (I think they are under the mistaken impression this is _their_ computer!), and as my programming abilities have grown, I am infuriated by not have access to the source code.

Mark
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
iptables and dynamic rules.... ProtoformX Linux - Security 10 10-20-2004 08:50 AM
IPChains Rules parikrama Linux - Security 9 03-19-2004 10:23 PM
ipchains forwarding rules scheidel21 Linux - Networking 0 01-20-2004 08:37 AM
clearing up ipchains rules antken Linux - Networking 6 11-04-2002 04:26 PM
Dynamic Firewall Rules DavidPhillips Linux - General 2 12-06-2001 07:41 PM


All times are GMT -5. The time now is 06:09 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration