http://apantihak.sourceforge.net/

Yes, there is a way to stop all nimda related scans / probes.
This is a module for Apache that in its current form uses ipchains. It works 
by checking the requested URL for several strings and writing an ipchains 
rule that stops any further connections.

To get it to work for iptables is a very simple process.
In src/mod_antihak/mod_antihak.c change

1. #define IPCHAINS_PATH "/sbin/ipchains"
to
#define IPCHAINS_PATH "/sbin/iptables"

2. const char *str_fmt = "%s %s -A input -s %s -d %s 80 -p tcp -j REJECT";
to
const char *str_fmt = "%s %s -I INPUT -p tcp --dport 80 -s %s -d %s -j DROP";
for static IPs, or
const char *str_fmt = "%s %s -I INPUT -p tcp --dport 80 -s %s -j DROP";
for dynamically assigned IPs

Follow the install instructions and once apache is restarted the ipchains / 
iptables rules are dynamically added to your existing firewall.

Perhaps Tom at informetech can tidy up the iptables support as I'm no real 
programmer, just a hacker.  If we ask him really nicely, he may even put 
together an rpm for Mandrake?

On Mon, 7 Jan 2002 12:52, Dave wrote:
> I keep getting hit by a site which is probably infected with the Nimda worm
> or one of those others.  I keep seeing connections in my httpd access_log
> file, and judging from the requests, it seems to be probing for another
> vulnerable NT server to attack.  I'd like to be able to just slam the door
> in that particular IP address' face if possible.  Is there anything in a
> config file somewhere that can be used to tell Apache to just reject all
> connections from a given address?  Since it's not going through xinetd, the
> hosts.allow file doesn't come into play... :-)
>
>                  --Dave

-- 
        CYA,
        Muzza.
Mandrake Linux 8.1
Kernel version 2.4.8-34.1mdk
Current Linux uptime: 25 days 23 hours 16 minutes.

Want to buy your Pack or Services from MandrakeSoft? 
Go to http://www.mandrakestore.com
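The mechanism described in the post, as an added example that is not code from mod_antihak or from the poster: a URI check against a small list of probe markers, then the iptables command built from a format string. The marker list, the single-%s format (the post's second %s is not explained, so it is dropped here) and the IPv4 validation before the address reaches the shell are all assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <arpa/inet.h>

/* Assumed values modelled on the post's edit: iptables path and the
 * "dynamically assigned IP" rule (no -d argument). Only one leading %s,
 * for the binary path; the post's second %s is not reproduced. */
#define IPTABLES_PATH "/sbin/iptables"
static const char *str_fmt = "%s -I INPUT -p tcp --dport 80 -s %s -j DROP";

/* Constructed list of well-known Nimda probe fragments; the post only says
 * the module checks "several strings", so this list is an assumption. */
static const char *probe_markers[] = { "cmd.exe", "root.exe", "default.ida", NULL };

/* Return 1 if the requested URI contains any probe marker, else 0. */
int is_probe_uri(const char *uri) {
    for (const char **m = probe_markers; *m; ++m)
        if (strstr(uri, *m)) return 1;
    return 0;
}

/* Build the firewall command into out. Only a syntactically valid IPv4
 * address is accepted, so nothing but a dotted quad is ever substituted
 * for %s before the string is handed to a shell.
 * Returns 0 on success, -1 if the address is rejected or out is too small. */
int build_block_cmd(const char *client_ip, char *out, size_t outlen) {
    struct in_addr a;
    if (inet_pton(AF_INET, client_ip, &a) != 1) return -1;
    int n = snprintf(out, outlen, str_fmt, IPTABLES_PATH, client_ip);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Glue as the module would use it on each request: block the client only
 * when the URI matches. Returns 1 if a rule was issued, 0 otherwise. */
int block_if_probe(const char *uri, const char *client_ip) {
    char cmd[160];
    if (!is_probe_uri(uri) || build_block_cmd(client_ip, cmd, sizeof cmd) != 0)
        return 0;
    return system(cmd) == 0;   /* needs root or CAP_NET_ADMIN to succeed */
}
```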
