[42647] in North American Network Operators' Group


Re: Re[2]: Worm probes

daemon@ATHENA.MIT.EDU (Nick Thompson)
Tue Sep 18 16:11:29 2001

Date: Tue, 18 Sep 2001 13:47:57 -0500 (CDT)
From: Nick Thompson <nick@ipark.com>
To: David Ulevitch <davidu@everydns.net>
Cc: Joseph McDonald <joe@vpop.net>, nanog@merit.edu
In-Reply-To: <14610878382.20010918125452@everydns.net>
Message-ID: <Pine.BSF.4.21.0109181345530.59875-100000@thompson>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Errors-To: owner-nanog-outgoing@merit.edu


Look into the Apache::CodeRed module.  I'm sure that can be hacked up to
do what you need.

/nick

On Tue, 18 Sep 2001, David Ulevitch wrote:

> 
> Hello Joseph,
> 
> Tuesday, September 18, 2001, 11:51:43 AM, you wrote:
> 
> JM> Yes. We are seeing it here bigtime.  Does anyone have any apache hacks
> JM> to lessen the impact?  One idea:  Once a probe is sent, the prober's
> JM> IP# is stored in a hash (perhaps in shared memory or a mmap'd file
> JM> that all children can share) and new connections from that IP are no
> JM> longer accepted.
> 
> Here's a possibility but I need help with one aspect:
> 
> A) create a rule in your apache httpd.conf like this:
> 
> <Location /scripts/root.exe>
>     Deny from all
>     ErrorDocument 404 http://www.everydns.net/blockip.php
> </Location>
> 
> B) create blockip.php (or use perl or whatever[read: python])
> <?php
> // Source address of the probing client ($REMOTE_ADDR as originally written
> // depended on register_globals).  iptables is run through sudo, which is what
> // point C below grants, and the address is quoted so the shell cannot mangle it.
> $iptables = 'sudo /usr/local/sbin/iptables';
> $ip = $_SERVER['REMOTE_ADDR'];
> $blockline = $iptables." -A INPUT -s ".escapeshellarg($ip)." -p all -j DROP";
> system($blockline);
> ?>
> 
> C) the caveat here is that you need to give the webuser (nobody)
> access to iptables.  This can be done in sudo like this:
> nobody    ALL=(root) NOPASSWD: /usr/local/sbin/iptables
> 
> The MAJOR problem is that you have now given your entire web site
> access to iptables.  If you have a machine which has no "users" then
> this may be okay for you however for most of us it is not.  Do any of
> you have a way to call a perl script directly from the httpd.conf
> entry and perhaps pass the REMOTE_ADDR to it?  I know there's a way
> and I'll look for it, but in the meantime -- any ideas?
> 
> 
> Thanks,
>  David Ulevitch                            mailto:davidu@everydns.net
> 
> 
> 

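As an added example (not code from the thread), here is the privilege-separated shape that David's caveat in point C points toward, in Python as he hints: the web-server user only recognises the probe in an access-log line and collects the address, and a separate root-run step validates each address and builds the iptables call as an argument list, so the web user needs no iptables rights at all. The sample log lines, the `run` hook and the function names are constructed for this example; the iptables path and the `/scripts/root.exe` probe URL are the ones in the message.

```python
import ipaddress
import re
import subprocess

IPTABLES = "/usr/local/sbin/iptables"           # path from the original message
PROBE_PATHS = frozenset({"/scripts/root.exe"})  # probe URL from the original message
# Apache Common Log Format: client ident user [time] "METHOD path proto" status size
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def probe_source(line):
    """Return the client address if this access-log line requested a probe path."""
    m = CLF_RE.match(line)
    if not m:
        return None
    path = m.group(3).split("?", 1)[0]          # ignore any query string
    return m.group(1) if path in PROBE_PATHS else None

def block_rule(addr):
    """Validate addr as IPv4 and return the iptables argv (list form: no shell)."""
    ip = ipaddress.IPv4Address(addr)            # raises ValueError on garbage
    return [IPTABLES, "-A", "INPUT", "-s", str(ip), "-j", "DROP"]

def collect_blocks(lines):
    """Unprivileged step (web-server user): unique, valid prober addresses, in order."""
    seen = []
    for line in lines:
        addr = probe_source(line)
        if addr is None or addr in seen:
            continue
        try:
            ipaddress.IPv4Address(addr)
        except ValueError:                      # malformed field: never hand it on
            continue
        seen.append(addr)
    return seen

def apply_blocks(addrs, run=subprocess.run):
    """Privileged step (root, e.g. from cron): one rule per address; `run` is swappable."""
    cmds = [block_rule(a) for a in addrs]
    for cmd in cmds:
        run(cmd, check=True)
    return cmds

# Constructed sample log (TEST-NET addresses); the last client field is deliberately bogus.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Sep/2001:13:40:01 -0500] "GET /scripts/root.exe HTTP/1.0" 404 287
198.51.100.22 - - [18/Sep/2001:13:40:03 -0500] "GET /index.html HTTP/1.0" 200 1043
203.0.113.7 - - [18/Sep/2001:13:40:04 -0500] "GET /scripts/root.exe?x=1 HTTP/1.0" 404 287
999.1.1.1 - - [18/Sep/2001:13:40:05 -0500] "GET /scripts/root.exe HTTP/1.0" 404 287
"""
```

Passing a dry-run callable as `run` (for instance one that only prints the argv) lets the privileged step be checked before it ever touches the firewall.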