Mailer: SecurityFocus
In-Reply-To: <004a01c15dce$a5a64cf0$[EMAIL PROTECTED]>

Or block the http gets at the router level similar to...

class-map match-any http-hacks
 match protocol http url "*default.ida*"
 match protocol http url "*x.ida*"
 match protocol http url "*.ida*"
 match protocol http url "*cmd.exe*"
 match protocol http url "*root.exe*"
 match protocol http url "*.eml*"

>From: "Sata" <[EMAIL PROTECTED]>
>To: "Christopher Low" <[EMAIL PROTECTED]>,
> <[EMAIL PROTECTED]>
>Subject: Re: What do I need to block class A addresses on win2k
>Date: Fri, 26 Oct 2001 00:31:06 -0300
>
>I really don't understand the point of having the IPs blocked at the Web
>Server Level and I especially don't believe that blocking a Class A net will
>do you any good.
>
>If you are having constant "Code Red" or "Nimda" probes on your web boxes,
>which is the case of everybody here, you should block the request at an IDS
>Level or a Firewall Level or any other content filtering device placed at
>the top level of your network.
>
>If you want to feel in control, don't go for the addresses, go for the
>packets =)
>
>Sata
>
>----- Original Message -----
>From: "Christopher Low" <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>
>Sent: Tuesday, October 23, 2001 11:57 PM
>Subject: What do I need to block class A addresses on win2k
>
>> I'm running Omni httpd as my webserver and I'm constantly being attacked by
>> nimda/code red infected machines, the vast majority seems to be originating
>> from 210.* which I would simply love to ipsec away.
>>
>> ipsec seems to work for class C only.
>>
>> The webserver is personal/local and used as a debug site for a few
>> developers so they will not be affected.
>>
>> What software do I need to get?
>>
>> It's omnihttpd 2.08, Win 2k pro.
>>
>> thanks
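
Added example, not part of the original thread: the URL globs from the class-map above applied to a few constructed request lines, compared against a blanket 210.0.0.0/8 address block. The sample addresses and requests, the lowercasing of the URL, and the function names are assumptions made for this illustration.

```python
import fnmatch
import ipaddress

# URL globs copied from the class-map in the message above.
PROBE_GLOBS = ["*default.ida*", "*x.ida*", "*.ida*",
               "*cmd.exe*", "*root.exe*", "*.eml*"]

# Constructed sample (client address, request line); not taken from the thread.
SAMPLE = [
    ("210.0.2.15",   "GET /default.ida?XXXXXXXX HTTP/1.0"),
    ("210.0.9.77",   "GET /index.html HTTP/1.0"),
    ("198.51.100.7", "GET /scripts/root.exe?/c+dir HTTP/1.0"),
    ("203.0.113.40", "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0"),
    ("192.0.2.10",   "GET /readme.eml HTTP/1.0"),
    ("192.0.2.11",   "GET /docs/manual.html HTTP/1.0"),
]


def request_url(request_line):
    """Return the URL field of an HTTP request line, or '' if malformed."""
    parts = request_line.split()
    return parts[1] if len(parts) >= 2 else ""


def matches_probe(request_line):
    """True if the requested URL matches any glob from the class-map.
    The URL is lowercased first (an assumption of this example)."""
    url = request_url(request_line).lower()
    return any(fnmatch.fnmatchcase(url, glob) for glob in PROBE_GLOBS)


def compare(requests, blocked_net="210.0.0.0/8"):
    """Count what URL matching catches versus what an address block does."""
    net = ipaddress.ip_network(blocked_net)
    stats = {"probes": 0, "probes_missed_by_net_block": 0,
             "clean_dropped_by_net_block": 0}
    for src, line in requests:
        in_net = ipaddress.ip_address(src) in net
        if matches_probe(line):
            stats["probes"] += 1
            if not in_net:
                stats["probes_missed_by_net_block"] += 1
        elif in_net:
            stats["clean_dropped_by_net_block"] += 1
    return stats


if __name__ == "__main__":
    print(compare(SAMPLE))
```

On this sample the address block misses every probe that arrives from outside 210.* and drops one ordinary request from inside it, while the URL match depends only on what is requested.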
