-   Linux - Security (
-   -   Viruses, ipchains, dynamic rules, rules with regular expressions (

marktaff 09-24-2001 09:50 PM

Viruses, ipchains, dynamic rules, rules with regular expressions

My Redhat 7.1 box is getting 10,000+ virus hits per day, ranging from code red 1 & 2 to that nimrad(sp?) worm. Being a newbie, I have a few questions:

1. Is there any way to dynamically add rules to ipchains to block these IP's?

2. Is it possible to automatically send an e-mail to the offending IP's to inform them that they are infected?

3. Can I use regex's in ipchains rules? For example, two files that are always requested (HTTP GET) are root.exe and cmd.exe, although the worms check for the files in many diferrent directories.

I realize that these attacks are targeted to IIS (which I have on another box, but it is well patched and protected by Mcafee online), but I'd like to do my part to help stop them.

4. Is it possible to redirect these GET requests to another URL, so if a human from that site actually ever surfs to my site they will get a page that says they are blocked because their pc is infected?

5. As a consequence, my log files (spec. error_log and access_log) are VERY long now. Is there any way I can can reset them every so often?



unSpawn 09-25-2001 04:45 AM

1. Yes. you could install Snort ( and use one of the helper apps like Guardian(?) to skim tru the snort.log and add a rule to your firewall script and/or hosts.deny. Snort has custom rulesets for detecting everything from benign http_cgi_post requests, to the IIS ida/exe stuff. Check if the address lists get pruned, else itll grow way too large.

2. IIRC, it can be done tru some (Snort) helper app, but with ISP's having to do a lot of work my bet is they just dump it in /dev/null. What's the name again of this wintendo app that has this annoying feature?.. Sending it off to the IP also has no meaning since not every IP address has an email address attached, or is maintained at all, send it to the upstream ISP's abuse@address (where it is neatly archived at /dev/null) :-]

3. Unfortunately no. IIRC, Ipchains does not do packet content inspection this way. Like with all these type attacks, stopping these just needs a good admin on the other side, don't expect Really Great Signs Of Gratitude when covering them with emails at 10/p/m rate.

4. Apache can be configured maybe with something like:
<location *.exe>
deny from all
errordocument 403 /goaway.html

5. Log archiving is done tru logrotate, started daily from cron, also *not* adding "-l" (logging) on "regular" rules helps a lot, once the offending IP is detected it doesnt make much sense to me to keep logging that address, unless youve got some statistics fetish :-]


marktaff 09-25-2001 05:01 AM

Thanks unSpawn. I will check out snort and the other points, and see if I can't expand my newbie mind a bit more. :)

I'm learning quickly, but the more I learn, the more I realize it is going to take a long time for me to be as good at Linux as I am on windows. But the effort is well worth it. MS has become far to paternalistic lately (I think they are under the mistaken impression this is _their_ computer!), and as my programming abilities have grown, I am infuriated by not have access to the source code.


All times are GMT -5. The time now is 08:43 PM.