----- Original Message -----
From: "Todd Slater" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, September 21, 2002 1:12 AM
Subject: Re: [newbie] giving up the ship?

> On Fri, 20 Sep 2002 21:43:48 -0700 (PDT)
> Ibly Piblo <[EMAIL PROTECTED]> wrote:
>
> > How do you block Nimda attacks from your logs?
> >
> > Really, now, there must be a way,
> > I have tried script after script,
> > I am still getting attacked by this IP:
> >
> > 65.192.141.115
>
> Use iptables.
>
> iptables -A INPUT -s 65.192.141.115 -j DROP
>
> <snip>
> > Isn't there something easier, a script I can
> > just download and install?
>
> I use one that was posted on this list a while ago.
>
> > I'm going to aggressively fight back,
> > if there is a script that I can put in my
> > /bin directory that will scan my /var/tmp/blocked
> > file and instead of just ipchain-ing them out,
> > (INEFFECTIVE!) it will shut them down,
> > it is the only way.
>
> I believe Civileme posted a link to a page on PLF that contained such a
> script. Check the archives. It is annoying. I've been hit by 81 infected
> computers in a little over 2 weeks.
>
> If you drop them, they should not be showing up in your http logs.
> iptables gets flushed every time you restart--could that be it? I run this
> if I have to restart:
>
> #!/bin/bash
> # Re-add a DROP rule for every address listed in /var/tmp/blocked
> for idiot in `cat /var/tmp/blocked`
> do
>   iptables -A INPUT -s "$idiot" -j DROP
> done
> exit
>
> HTH,
> Todd

Another option is to put the offending IP address in your Apache commonhttpd.conf:

Order allow,deny
Allow from all
Deny from 65.192.141.115

You can list as many as you want.
Then restart Apache.

Once a week I go through my logs and add the newest worst offenders, and remove those that are over 2 months old.

Roy Murray
www.ServiceTechHelp.com
www.roymurray.net
Linux Registered User 243148
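
The log review described in the messages above can be scripted. The following is an added example, not code from either poster: it counts probe requests per client in an Apache access log and prints the matching iptables and Apache deny lines. The function names, the threshold, the choice of cmd.exe/root.exe requests as the Nimda marker, and the sample log are all assumptions made for illustration.

```shell
#!/bin/bash
# Added example. Assumptions: Apache common log format, and requests for
# cmd.exe or root.exe are counted as Nimda-style probes.

# Read log lines on stdin; print each client IP with at least $1 probe
# requests (default 3). Only dotted-quad IPv4 values are emitted, so a
# hostname or malformed field from the log never ends up in a rule.
nimda_offenders() {
    awk -v min="${1:-3}" '
        function valid_ip(ip,   n, o, i) {
            n = split(ip, o, ".")
            if (n != 4) return 0
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || length(o[i]) > 3 || o[i] + 0 > 255)
                    return 0
            return 1
        }
        # $7 is the request path in common log format
        tolower($7) ~ /(cmd|root)\.exe/ && valid_ip($1) { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] >= min) print ip }
    ' | sort
}

# Print (not run) the iptables rule for each IP on stdin.
as_iptables() {
    while read -r ip; do
        printf 'iptables -A INPUT -s %s -j DROP\n' "$ip"
    done
}

# Print the matching Apache line for each IP on stdin.
as_apache() {
    while read -r ip; do printf 'Deny from %s\n' "$ip"; done
}

# Constructed sample log (documentation address ranges, not real hosts).
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [21/Sep/2002:01:00:01 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 281
192.0.2.10 - - [21/Sep/2002:01:00:02 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 279
192.0.2.10 - - [21/Sep/2002:01:00:03 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289
198.51.100.7 - - [21/Sep/2002:02:10:00 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 281
203.0.113.5 - - [21/Sep/2002:02:11:00 -0700] "GET /index.html HTTP/1.0" 200 1024
192.0.2.999 - - [21/Sep/2002:02:12:00 -0700] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289
EOF
}

sample_log | nimda_offenders 3 | as_iptables
```

Because the rules are printed rather than applied, the output can be reviewed before it is appended to /var/tmp/blocked or to the Apache configuration.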