On Thu, 2003-07-10 at 11:50, Peter van den Heuvel wrote:
I think a protection can only let established connections pass through your iptables firewall and drop all ports used by known trojans. The best is to drop all trojan connections (INPUT, FORWARD and OUTPUT chains).
1) "To only let pass an established connection"? Please explain how you imagine connections getting established, as at that stage they are NOT yet established and no traffic will pass.
With iptables you can look into the TCP traffic using the mangle option. By letting through only established IP connections, you can filter out connections like those from scanners or connections that use a non-related protocol that is allowed on that port.
2) Code Red is a worm and its propagation does not relate to it also being a trojan.
OK, the security risk is not so much. That is only an act of cling.
Code Red in fact uses HTTP over port 80. In fact a mighty security suggestion: block port 80 towards your web server.
Block port 80 for some known addresses and mangle the connections on port 80 toward your webserver. Blocking everything toward the webserver can mean that no webpages can be requested from outside. I think.

Regards,
Ruprecht

-----------------------------------------------
Ruprecht Helms IT-Service & Softwareentwicklung
Tel./Fax +49[0]7621 16 99 16
Homepage: http://www.rheyn.de
email: info@rheyn.de
------------------------------------------------
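The stateful filtering discussed in this thread, as an added example that is not part of either poster's message: a shell function that emits an iptables-restore ruleset in which new connections to the web port are admitted by an explicit NEW rule, later packets by an ESTABLISHED,RELATED rule, and listed sources are dropped first. `WEB_PORT`, `BLOCKED_SOURCES` and `build_ruleset` are names assumed for illustration, and the addresses are constructed sample values from documentation ranges.

```shell
#!/bin/sh
# Added example: generate a stateful ruleset for a host running a web server.
# WEB_PORT and BLOCKED_SOURCES are assumptions; the addresses are constructed
# sample values (RFC 5737 documentation ranges), not real offenders.
WEB_PORT=80
BLOCKED_SOURCES="192.0.2.10 198.51.100.0/24"

build_ruleset() {
    echo "*filter"
    # Default-deny for inbound and forwarded packets; outbound left open here.
    echo ":INPUT DROP [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    echo "-A INPUT -i lo -j ACCEPT"

    # Listed sources are dropped first, so the block also applies to
    # connections from them that are already in progress.
    for src in $BLOCKED_SOURCES; do
        echo "-A INPUT -s $src -p tcp --dport $WEB_PORT -j DROP"
    done

    # Packets the connection tracker cannot associate with any connection.
    echo "-A INPUT -m state --state INVALID -j DROP"

    # Packets of connections that are already tracked. This rule alone
    # admits nothing new: the first packet of a connection is in state NEW.
    echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"

    # A connection becomes established only because this rule lets its
    # opening SYN through, and only on the web port.
    echo "-A INPUT -p tcp --dport $WEB_PORT --syn -m state --state NEW -j ACCEPT"
    echo "COMMIT"
}

# Print the ruleset; nothing is loaded into the kernel by this script.
build_ruleset
```

The output can be syntax-checked without applying it by piping it to `iptables-restore --test` as root.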