Worm probes

• Previous message (by thread): Worm probes
• Next message (by thread): Worm probes
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hello Joseph,

Tuesday, September 18, 2001, 11:51:43 AM, you wrote:

JM> Yes. We are seeing it here bigtime.  Does anyone have any apache hacks
JM> to lessen the impact?  One idea:  Once a probe is sent, the prober's
JM> IP# is stored in a hash (perhaps in shared memory or a mmap'd file
JM> that all children can share) and new connections from that IP are no
JM> longer accepted.

Here's a possibility but I need help with one aspect:

A) create a rule in your apache httpd.conf like this:

<Location /scripts/root.exe>
    Deny from all
    ErrorDocument 404 http://www.everydns.net/blockip.php
</Location>

B) create blockip.php (or use perl or whatever[read: python])
<?
$iptables = '/usr/local/sbin/iptables';
$ip = $REMOTE_ADDR;
$blockline = $iptables." -A INPUT -s ".$ip." -p all -j DROP;";
system($blockline);
?>

C) the caveat here is that you need to give the webuser (nobody)
access to iptables.  This can be done in sudo like this:
nobody    ALL=NOBODY: /usr/local/sbin/iptables

The MAJOR problem is that you have now given your entire web site
access to iptables.  If you have a machine which has no "users" then
this may be okay for you however for most of us it is not.  Do any of
you have a way to call a perl script directly from the httpd.conf
entry and perhaps pass the REMOTE_ADDR to it?  I know there's a way
and I'll look for it, but in the meantime -- any ideas?


Thanks,
 David Ulevitch                            mailto:davidu at everydns.net

• Previous message (by thread): Worm probes
• Next message (by thread): Worm probes
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]