Hello, many of you, like myself, are probably just about sick of all the noise that has been happening in our logs lately, making routine audits take a lot longer than they should, filling hard disks rather quickly, and just being a big annoyance.

Anyway, I currently am running the 2.2.x series of the Linux kernel, which prevents me from running IPTables and filtering these requests with the string option (Oh I want it bad :P). What is preventing me from upgrading to the Linux 2.4 series with IPTables is the lack of kernel patches for security, like the openwall kernel patches. They make my life a lot easier, and keep users happy at the same time! I am only aware of 1 patch that exists for the 2.4 series, and that is one by the name of grsecurity. Has anyone had any experience with grsecurity? Any feedback? Positive/negative? I would really like to stick with openwall, but they said there would be no support for the 2.4 series until 2.4.10. That is here now, and I just checked their site and it says there will be no support for the 2.4 series until at least 2.4.15. So I'm not sure on the status of their patches.

Anyhow, my main reason for writing this is to ask you what methods you have deployed to keep your logs from getting filled with garbage like Nimda. I am logging 16 hits per host, at a nasty rate, causing Apache and my IDS to go nuts. At one point I just shut the webserver off; it doesn't have anything of much importance on it, but it does serve as a reference/journal for me, which I think is rather important. Before you say just block port 80 from the world and allow specific hosts access: this is not possible, as there are some outside people who frequent the site from various mobile locations... it would be very hard to get all their IP addresses (most of which are dynamic) and allow just that traffic. Plus a new visitor is always good ;)

Some of the methods I have considered/deployed are routing all offending traffic to 127.0.0.1. This is done by taking the IP addresses from the Apache/IDS logs, then adding them to the routing table with 127.0.0.1 as the gateway. At first this was very effective; when Nimda was in its prime, there were literally tonnes of repeat offenders, now it is just unique hosts for the most part. I have also considered deploying the squid proxy to block out offending requests before they hit the webserver. That would cut a lot of the noise in the Apache logs, at least. And of course I've debated on upgrading to 2.4, but haven't due to reasons stated above.

Thanks - Vince
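
As an added example (not from Vince's post, and not a tool the post mentions), here is the "pull the IPs out of the Apache log, then route them to 127.0.0.1" step written as a small POSIX shell script. The probe-URI regex, the hit threshold and the sample log lines are all my assumptions: the URIs are the well-known Nimda and Code Red probe paths, the log is constructed with reserved documentation addresses, and the threshold is there so a single stray 404 does not get a host blackholed.

```sh
#!/bin/sh
# Added example, not from the original post: find hosts that sent Nimda / Code Red
# style probes in an Apache access log and emit the blackhole routes for them.
# PROBE_RE, the threshold and SAMPLE_LOG are assumptions made for this example.

# Regex over the request line. root.exe / cmd.exe and the %255c, %c0%af, %c1%1c
# traversal encodings are Nimda probes; default.ida is Code Red. _vti_bin and
# _mem_bin also appear in Nimda's list but would match a legitimate FrontPage
# client too, so they are deliberately left out of the pattern.
PROBE_RE='(/root\.exe|/cmd\.exe|/default\.ida|\.\.%255c|\.\.%c0%af|\.\.%c1%1c)'

# nimda_offenders MIN: read an Apache access log on stdin and print, sorted and
# unique, the client IPs that sent at least MIN matching requests. Nimda sends
# 16 probes per host, so MIN=2 already drops hosts that produced one odd request.
nimda_offenders() {
    min=${1:-1}
    grep -E "$PROBE_RE" |
        awk -v min="$min" '{ hits[$1]++ }
             END { for (ip in hits) if (hits[ip] >= min) print ip }' |
        LC_ALL=C sort
}

# blackhole_cmds: turn an IP list on stdin into the route commands the post
# describes (gateway 127.0.0.1, so the reply to the scanner's SYN goes to lo and
# the connection never completes, hence never reaches Apache's log).
# The commands are printed, not executed: review them, then pipe to sh as root.
blackhole_cmds() {
    while read -r ip; do
        printf 'route add -host %s gw 127.0.0.1\n' "$ip"
    done
}

# Constructed sample log in combined format (reserved documentation addresses,
# not real traffic). 192.0.2.10 sends 3 probes, 203.0.113.22 sends 2,
# 192.0.2.99 sends 1, and 198.51.100.7 is an ordinary visitor.
SAMPLE_LOG='192.0.2.10 - - [18/Sep/2001:10:01:02 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210 "-" "-"
198.51.100.7 - - [18/Sep/2001:10:01:05 -0400] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
192.0.2.10 - - [18/Sep/2001:10:01:06 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 210 "-" "-"
203.0.113.22 - - [18/Sep/2001:10:02:11 -0400] "GET /default.ida?XXXXXXXX HTTP/1.0" 400 324 "-" "-"
192.0.2.10 - - [18/Sep/2001:10:01:07 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210 "-" "-"
203.0.113.22 - - [18/Sep/2001:10:02:12 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210 "-" "-"
192.0.2.99 - - [18/Sep/2001:10:03:40 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210 "-" "-"'

# Run against the constructed log: hosts with two or more probe hits.
# On a real server this would be:
#   nimda_offenders 2 < /var/log/apache/access_log | blackhole_cmds
printf '%s\n' "$SAMPLE_LOG" | nimda_offenders 2 | blackhole_cmds
```

Two caveats a practitioner would want: a route to 127.0.0.1 only stops the handshake, it does not stop the SYN itself from reaching the box (so a packet-level IDS still sees it), and a table full of host routes for dynamic-address infected machines will eventually blackhole legitimate visitors who inherit those addresses, so the routes should be expired after a day or two rather than left in place.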
