On Mon, 2002-01-28 at 21:29, Christophe Zwecker wrote:
> Thinking of that, I've got a customer with an IIS server which he cannot
> change for Apache, for some reason. I wonder which Linux-based tools
> (the firewall runs on Linux) there are to block Nimda. Can a proxy acting
> as a reverse proxy do it?
>
> Anyone done this before?
I use snort-iptables and it works great. It's very easy to set up; you just need a recent kernel that supports queuing to userspace and a patched version of snort from -> http://w3.cablespeed.com/~rvmcmil/

If you use something to just drop matching packets, this will keep sessions open on your webserver until they time out, but with snort-iptables you can get it to drop the packet and reset the session on the webserver (and this ties up the worm for a while as it keeps retrying).
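The setup the reply describes, as an added example that is not part of the original post and not the snort_inline project's own files. It assumes things the thread does not state: a 2.4 kernel with the ip_queue module, iptables with the QUEUE target, the patched snort started with -Q to read from the queue, a placeholder web server address (192.0.2.10), placeholder rule sids, and an illustrative Nimda signature on the cmd.exe / root.exe probe URIs rather than whatever rules the poster actually ran. The script only writes the config and prints the iptables commands unless APPLY=1 is set and it is run as root.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): snort-iptables (snort_inline)
# in front of an IIS host, with "reject" instead of a plain "drop" so the web
# server gets a TCP RST instead of a half-open session that sits until timeout.
set -e

WEB_HOST="${WEB_HOST:-192.0.2.10}"                     # placeholder: the IIS box behind the firewall
RULE_DIR="${RULE_DIR:-${TMPDIR:-/tmp}/snort_inline}"   # where the config is written

# Write the snort_inline rules and config.  The first two rules are the
# "reject" form the reply recommends: the packet is dropped and the session
# is reset, so nothing is left open on the web server.  The commented-out
# "drop" line is the weaker alternative the reply warns about.
# The cmd.exe / root.exe URIs are an illustrative (assumed) Nimda probe
# signature; sids 1000001/1000002 are placeholders in the local range.
write_rules() {
    mkdir -p "$RULE_DIR"
    cat > "$RULE_DIR/nimda.rules" <<'EOF'
# Illustrative Nimda probe signatures (assumed, not the original poster's rules)
reject tcp any any -> any 80 (msg:"WEB-IIS Nimda cmd.exe probe"; flags:A+; content:"cmd.exe"; nocase; sid:1000001; rev:1;)
reject tcp any any -> any 80 (msg:"WEB-IIS Nimda root.exe probe"; flags:A+; content:"root.exe"; nocase; sid:1000002; rev:1;)
# drop tcp any any -> any 80 (msg:"WEB-IIS Nimda cmd.exe probe"; content:"cmd.exe"; nocase; sid:1000003; rev:1;)
#   ^ plain drop: the probe never reaches IIS, but the half-open session stays on IIS until it times out
EOF
    cat > "$RULE_DIR/snort_inline.conf" <<EOF
var HOME_NET $WEB_HOST/32
include $RULE_DIR/nimda.rules
EOF
    echo "$RULE_DIR/nimda.rules"
}

# The iptables side: hand every port-80 packet for the web server to
# userspace through the QUEUE target, where the patched snort reads it.
# Printed rather than executed so the script can be reviewed first.
iptables_rules() {
    cat <<EOF
modprobe ip_queue
iptables -A FORWARD -p tcp -d $WEB_HOST --dport 80 -j QUEUE
EOF
}

# Apply only when explicitly asked for and running as root with iptables
# present; otherwise just show what would be run.  "snort -Q" is assumed to
# be the patched binary's queue mode (an assumption, check the patch's README).
apply_rules() {
    rules=$(write_rules)
    if [ "${APPLY:-0}" = "1" ] && [ "$(id -u)" = "0" ] && command -v iptables >/dev/null 2>&1; then
        iptables_rules | sh
        snort -Q -c "$RULE_DIR/snort_inline.conf" -D
        echo "applied: $rules"
    else
        echo "dry run (set APPLY=1 and run as root to apply); would run:"
        iptables_rules
        echo "rules written to $rules"
    fi
}

apply_rules
```

Two points a practitioner would check before trusting this: the QUEUE target only sees traffic that actually traverses the FORWARD chain on the firewall (use INPUT instead if snort runs on the web server itself), and a single `-j QUEUE` rule with the patched snort not running will leave every queued packet dropped by the kernel, so start snort before inserting the rule.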