Dan Drake <drake+tclug at lemongecko.org> wrote:
> 
> On Fri, Nov 09, 2001 at 02:06PM -0600, Hvidsten, Leif wrote:
> > **Note to self: Must memorize IP.  Must memorize IP. 
> 
> 65.25.220.6
> 
> I have *my* IP memorized; what's taking you so long? :)
> 
> So why did my message take 11 days to get posted? Is this more mail
> server goofiness? That's okay...it was just odd to see a post from
> myself when I didn't remember sending anything!
> 
> I'll probably take down that firewall rule that drops anything from the
> 65.0.0.0/8. I know I'm not vulnerable to Code Red, Nimda, or whatever,
> but it's still annoying. 
> 
> I don't run a commercial site, so I like to look through my logs to see
> if any of my friends got terminally bored and looked around at what's
> there.

Well, if you feel the need to do _something_, try looking up some tarpit
programs that catch nimda bugs and force them to timeout on connections to
your machine.  These programs slow down the bugs a little bit (not much,
but maybe enough to make you feel better..)

I just got this in my work e-mail today:


# Flag requests for URIs containing known strings from
# Nimda-like worms (including Code Red, sadmind/IIS)
# Note that the patterns below are regexes; escape your dots!

SetEnvIf Request_URI "/winnt/system32/cmd\.exe" nimda
SetEnvIf Request_URI "/scripts/root\.exe" nimda
SetEnvIf Request_URI "/MSADC/root\.exe" nimda
SetEnvIf Request_URI "/\.\." nimda
SetEnvIf Request_URI "\.\./" nimda

# Block attackers who send the patterns above (and get a 400 or 404
# response) via the routing table. It's more efficient to firewall (the
# command will vary depending upon the firewall in use) or use SSH to add
# rules to an upstream firewall to block the attacker. If several commands
# must be executed, it may be best to invoke a script rather than doing
# all the work from within httpd.conf.

CustomLog "|exec sh" "route -nq add -host %a 127.0.0.1 -blackhole" env=nimda


Note that for the last bit there, `env=nimda' should be at the end of the
CustomLog line..  My mail client still has annoying word-wrapping habits..

Also, some better CustomLog lines might be:

(For Linux kernel 2.2.x or 2.4.x with IP Chains)
CustomLog "|exec sh" "/sbin/ipchains -I input -s %a -j DENY"

(For Linux kernel 2.4.x)
CustomLog "|exec sh" "/sbin/iptables -I INPUT -s %a -j DROP"

-- 
 _  _  _  _ _  ___    _ _  _  ___ _ _  __   It's a Tough Job! So I'd
/ \/ \(_)| ' // ._\  / - \(_)/ ./| ' /(__   Rather YOU do it.
\_||_/|_||_|_\\___/  \_-_/|_|\__\|_|_\ __)  
[ Mike Hicks | http://umn.edu/~hick0088/ | mailto:hick0088 at tc.umn.edu ]
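An added example, not part of the original post or of the httpd.conf fragment quoted in it: a POSIX shell script that applies the same Nimda/Code Red URI patterns to Apache common-log-format lines after the fact and emits one iptables DROP command per offending client, so the rules can be tried against an existing access_log before wiring them into CustomLog. The sample log lines are constructed for the example. The script also refuses to pass anything but a dotted-quad IPv4 address into the generated command; with the CustomLog trick above that is not an issue because %a is always an address Apache fills in itself, but the moment a format string contains %r, %U or a request header, whatever the attacker sent is being piped straight into sh, so the address check is the one thing to keep if you adapt this.

```shell
#!/bin/sh
# Added example (not from the original post): scan Apache common-log-format
# lines for the Nimda / Code Red URI patterns used in the SetEnvIf rules and
# print an iptables DROP command for each distinct client address.
# Commands are printed, not executed, unless APPLY=1 is set.

# Constructed sample log lines (not real traffic). The last line is deliberately
# malformed to show that a non-address client field never reaches the shell.
SAMPLE_LOG='192.0.2.10 - - [09/Nov/2001:14:06:00 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 278
192.0.2.10 - - [09/Nov/2001:14:06:01 -0600] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 278
198.51.100.7 - - [09/Nov/2001:14:07:00 -0600] "GET /index.html HTTP/1.1" 200 1024
203.0.113.9 - - [09/Nov/2001:14:08:00 -0600] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 0
evil; reboot - - [09/Nov/2001:14:09:00 -0600] "GET /scripts/root.exe HTTP/1.0" 404 278'

# nimda_ips: read log lines on stdin, print each client IPv4 address once if
# its request URI (7th whitespace-separated field in common log format)
# matches one of the Nimda patterns. "[.]" is the same as "\." in SetEnvIf;
# it is written this way to avoid backslash escaping inside awk strings.
nimda_ips() {
    awk '
        BEGIN {
            nimda = "/winnt/system32/cmd[.]exe|/scripts/root[.]exe|/MSADC/root[.]exe|/[.][.]|[.][.]/"
        }
        # Only a dotted-quad client field is ever printed, so nothing attacker
        # controlled can be spliced into the command built from it below.
        $7 ~ nimda && $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && !seen[$1]++ { print $1 }
    '
}

# block_cmds: turn the address list into iptables commands (one per line),
# the same shape as the 2.4.x CustomLog line in the post.
block_cmds() {
    nimda_ips | while read -r ip; do
        printf '/sbin/iptables -I INPUT -s %s -j DROP\n' "$ip"
    done
}

# Dry run by default; APPLY=1 feeds the generated commands to sh (needs root).
if [ "${APPLY:-0}" = 1 ]; then
    printf '%s\n' "$SAMPLE_LOG" | block_cmds | sh
else
    printf '%s\n' "$SAMPLE_LOG" | block_cmds
fi
```

Run it as-is to see the two DROP lines for 192.0.2.10 and 203.0.113.9 (the second 192.0.2.10 hit is deduplicated, the clean request is ignored, and the malformed line is dropped by the address check); replace the printf of SAMPLE_LOG with `cat /var/log/httpd/access_log` to try it on a real log.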