On Fri, 14 Mar 2003 18:42:57 -0800 Dave Laird <[EMAIL PROTECTED]> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Good evening, Pierre...
> 
> On Friday 14 March 2003 06:04 pm, Pierre Fortin wrote:
> 
> > Got a pointer to the "strings" stuff...?  I'm running 8.2 on my main
> > server (9.0 issues)...
> 
> http://articles.linuxguru.net/view/125
> 
> It would seem, based upon my reading the page, that most of us will have
> to patch our kernels before this will work, so being somewhat idle, I
> promptly downloaded the patch and applied it to the RedHat kernel
> running on one of my "spare" boxes, rebooted and tested it. Heck, it
> works. However, I should say that it slowed things down quite a bit,
> running only 64M of memory. I don't have anything scientific to prove
> that, just the observation. However, within five minutes, it did capture
> and DROP a set of packets. I was impressed. 

It's interesting; but as you've already noticed, a heavy drag on
performance...  not to mention that fewer people would help in the war on
M$ Crud using this method -- not able or willing to recompile the
kernel...  while the Apache logs do get entries, I see this as the lesser
of the evils and still think pursuing this at the user vs. kernel level is
better IMO...  if an attacker is Nimda/CodeRed, somehow I doubt its owner
would be simultaneously accessing my website for licit reasons...  so
blocking the entire address has the least impact on the performance of my
system, and also won't slow down the system for other visitors.

> > What have you tried in this matter?  Feel free to take this thread
> > offline-- we can summarize back...
> 
> There it is. I'm going to experiment some more with this with a box and
> see if there are any additional drawbacks to using an iptables filter to
> trap Code Red. Then I'll summarize back here what I find. I'm still
> somewhat surprised how easily it all flew together, and it works! 8-) 

I may have a look at the code; but rather than "strings", I would think
quick-exit protocol-diving would be a better approach...  but that's just
me...

> Dave

Want to buy your Pack or Services from MandrakeSoft? 
Go to http://www.mandrakestore.com
