nanog mailing list archives
Re: Re[2]: Worm probes
From: Rafi Sadowsky <rafi-nanog () meron openu ac il>
Date: Tue, 18 Sep 2001 22:33:35 +0300 (IDT)
Hi David

Why not use Labrea (developed originally to tarpit CodeRed) ?
<http://www.hackbusters.net/LaBrea/>

- Rafi

On Tue, 18 Sep 2001, David Ulevitch wrote:
> Hello Joseph,
>
> Tuesday, September 18, 2001, 11:51:43 AM, you wrote:
>
> JM> Yes. We are seeing it here bigtime. Does anyone have any apache hacks
> JM> to lessen the impact? One idea: Once a probe is sent, the prober's
> JM> IP# is stored in a hash (perhaps in shared memory or a mmap'd file
> JM> that all children can share) and new connections from that IP are no
> JM> longer accepted.
>
> Here's a possibility but I need help with one aspect:
>
> A) create a rule in your apache httpd.conf like this:
>
>     <Location /scripts/root.exe>
>         Deny from all
>         # "Deny from all" answers 403 (not 404), so the handler hangs off 403.
>         # A local path is served as an internal subrequest, so the script runs
>         # with the prober's REMOTE_ADDR without the client following a redirect.
>         ErrorDocument 403 /blockip.php
>     </Location>
>
> B) create blockip.php (or use perl or whatever[read: python])
>
>     <?php
>     // Runs as the web server user (nobody); iptables needs root, hence sudo.
>     $iptables = '/usr/local/sbin/iptables';
>     $ip = escapeshellarg($_SERVER['REMOTE_ADDR']);   // address of the prober
>     $blockline = "sudo $iptables -A INPUT -s $ip -p all -j DROP";
>     system($blockline);
>     ?>
>
> C) the caveat here is that you need to give the webuser (nobody) access to
> iptables. This can be done in sudo like this:
>
>     nobody ALL=(root) NOPASSWD: /usr/local/sbin/iptables
>
> The MAJOR problem is that you have now given your entire web site access to
> iptables. If you have a machine which has no "users" then this may be okay
> for you however for most of us it is not.
>
> Do any of you have a way to call a perl script directly from the httpd.conf
> entry and perhaps pass the REMOTE_ADDR to it? I know there's a way and I'll
> look for it, but in the meantime -- any ideas?
>
> Thanks,
> David Ulevitch
> mailto:davidu () everydns net
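One way to get the blocking David describes without handing the web server user sudo rights to iptables is to move the privileged step out of httpd entirely: a separate process, run as root from cron or under `tail -f`, reads the access log, picks out requests for the probe path named in the thread, and applies one DROP rule per new source. The script below is an added example for this thread, not code from David Ulevitch, LaBrea or any project mentioned here. It assumes Apache logs in the common/combined format, takes the iptables path and rule shape from the thread, and uses constructed sample log lines; the `NEVER_BLOCK` networks are an assumed allowlist so a scan from your own monitoring host cannot lock you out.

```python
"""Out-of-band blocker for the worm probes discussed in this thread.

Added example, not code from the thread or from LaBrea.  Assumptions: the
Apache access log is in common/combined format, this runs as root outside the
web server (cron or `tail -f`), and SAMPLE_LOG is constructed for the demo.
"""
import ipaddress
import re
import subprocess

IPTABLES = "/usr/local/sbin/iptables"          # path used in the thread
PROBE_PATHS = ("/scripts/root.exe",)           # probe path named in the thread
# Assumed allowlist: never add rules for our own networks (constructed values).
NEVER_BLOCK = [ipaddress.ip_network("10.0.0.0/8"),
               ipaddress.ip_network("127.0.0.0/8")]

# client ident user [timestamp] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3})'
)

# Constructed sample lines: two probes from one host, one from an internal
# address, one from a second external host, one unparsable line.
SAMPLE_LOG = """\
192.0.2.10 - - [18/Sep/2001:11:51:43 +0300] "GET /scripts/root.exe?/c+dir HTTP/1.0" 403 206
198.51.100.7 - - [18/Sep/2001:11:51:44 +0300] "GET /index.html HTTP/1.1" 200 1043
192.0.2.10 - - [18/Sep/2001:11:51:45 +0300] "GET /scripts/root.exe?/c+dir HTTP/1.0" 403 206
10.0.0.4 - - [18/Sep/2001:11:51:46 +0300] "GET /scripts/root.exe?/c+dir HTTP/1.0" 403 206
203.0.113.5 - - [18/Sep/2001:11:51:47 +0300] "GET /scripts/root.exe HTTP/1.0" 403 206
garbage that is not a log line
"""


def parse_line(line):
    """Return (client ip, path without query string), or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path").split("?", 1)[0]
    return m.group("ip"), path


def probing_sources(log_text):
    """Map each source that requested a probe path to its hit count.

    Unparsable lines, invalid addresses and anything inside NEVER_BLOCK are
    skipped, so a corrupt log line or our own scanner never produces a rule.
    """
    hits = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip_str, path = parsed
        if path not in PROBE_PATHS:
            continue
        try:
            addr = ipaddress.ip_address(ip_str)
        except ValueError:
            continue
        if any(addr in net for net in NEVER_BLOCK):
            continue
        hits[ip_str] = hits.get(ip_str, 0) + 1
    return hits


def block_commands(sources, already_blocked=frozenset()):
    """One iptables argv per source not yet blocked (same rule shape as the
    thread).  Addresses travel as argv elements, never through a shell."""
    cmds = []
    for ip_str in sorted(sources):
        if ip_str in already_blocked:
            continue
        cmds.append([IPTABLES, "-A", "INPUT", "-s", ip_str,
                     "-p", "all", "-j", "DROP"])
    return cmds


def apply_blocks(cmds, dry_run=True):
    """Execute the rules (root required); with dry_run only report them.
    Returns the number of rules handled."""
    for argv in cmds:
        if dry_run:
            print("would run:", " ".join(argv))
        else:
            subprocess.run(argv, check=True)
    return len(cmds)


if __name__ == "__main__":
    srcs = probing_sources(SAMPLE_LOG)
    # Pass the set of sources already in the chain to keep the rule list short.
    apply_blocks(block_commands(srcs, already_blocked={"203.0.113.5"}))
```

Because the web server only ever writes a log line, a compromised or abused site gains nothing beyond what it already had; the root-owned reader decides what becomes a firewall rule. In production you would persist `already_blocked` (or check `iptables -C`) and expire old entries, since worm sources are mostly other victims that get cleaned up.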