North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: Re[2]: Worm probes
Hi David Why not use Labrea (developed originally to tarpit CodeRed) ? <http://www.hackbusters.net/LaBrea/> - Rafi On Tue, 18 Sep 2001, David Ulevitch wrote: > > Hello Joseph, > > Tuesday, September 18, 2001, 11:51:43 AM, you wrote: > > JM> Yes. We are seeing it here bigtime. Does anyone have any apache hacks > JM> to lessen the impact? One idea: Once a probe is sent, the prober's > JM> IP# is stored in a hash (perhaps in shared memory or a mmap'd file > JM> that all children can share) and new connections from that IP are no > JM> longer accepted. > > Here's a possibility but I need help with one aspect: > > A) create a rule in your apache httpd.conf like this: > > <Location /scripts/root.exe> > Deny from all > ErrorDocument 404 http://www.everydns.net/blockip.php > </Location> > > B) create blockip.php (or use perl or whatever[read: python]) > <? > $iptables = '/usr/local/sbin/iptables'; > $ip = $REMOTE_ADDR; > $blockline = $iptables." -A INPUT -s ".$ip." -p all -j DROP;"; > system($blockline); > ?> > > C) the caveat here is that you need to give the webuser (nobody) > access to iptables. This can be done in sudo like this: > nobody ALL=NOBODY: /usr/local/sbin/iptables > > The MAJOR problem is that you have now given your entire web site > access to iptables. If you have a machine which has no "users" then > this may be okay for you however for most of us it is not. Do any of > you have a way to call a perl script directly from the httpd.conf > entry and perhaps pass the REMOTE_ADDR to it? I know there's a way > and I'll look for it, but in the meantime -- any ideas? > > > Thanks, > David Ulevitch mailto:[email protected] > > >
|