here's a bit of a step-by-step description on how to keep nimda
and codered from filling your apache logs.
- SuSE 7.2 Professional
- iptables 1.2.3
- linux kernel 2.4.13-pre5
1. install kernel sources for a kernel >> 2.4.9, running 2.4.13-pre5 here, works fine so far
2. get the sources for iptables 1.2.3 from
3. unpack sources somewhere
4. export KERNEL_DIR=$(where you put the kernel tree)
5. cd into unpacked iptables sources, there's a subdirectory
named patch-o-matic there
6. apply wanted patches by running ./runme $(name.of.patch)patch
for this, you'll want the string patch.
You can also apply other patches, like the irc-conntrack patch.
7. now there's a little bug in this patch...
here's a diff:
--- linux/net/ipv4/netfilter/ipt_string.c~ Sun Oct 21
+++ linux/net/ipv4/netfilter/ipt_string.c Sun Oct 21
@@ -62,7 +62,7 @@
sk = skip[haystack[right_end - i]];
sh = shift[i];
- right_end = max(int, right_end - i + sk,
right_end + sh);
+ right_end = max(right_end - i + sk, right_end +
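Review bot: the `+` line closing this hunk is cut off after `right_end +`, so as shown the replacement statement has no second argument, closing parenthesis or semicolon and the hunk cannot apply; the visible intent is to drop the `int` type argument and call `max()` with the same two operands the `-` line uses (`right_end - i + sk` and `right_end + sh`), so the line should be completed as `right_end = max(right_end - i + sk, right_end + sh);` before the patch is shared.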
8. now, make config/menuconfig/xconfig... as usual. You can
import your running kernel's config first.
9. enable the experimental stuff
10. go to networking options->netfilter, there's an option there
to enable string matching; set that to M
11. compile and install kernel as usual; remember to uncomment
the export INSTALL_PATH=/boot in the main makefile.
12. now build an rpm file for the new iptables stuff by installing
the source rpm which comes with suse, then edit the spec file,
put the iptables source in /usr/src/packages/SOURCE and rebuild.
13. now there are some small changes to the firewall config
a) uncomment the last line in
b) edit that file, I got the following stuff in mine:
# reset any established HTTP connection whose payload carries one of the worm strings
for forbidden_string in root.exe cmd.exe .ida; do
    iptables -I input_ext -p tcp --dport http -m string \
        --string $forbidden_string -m state \
        --state ESTABLISHED -j REJECT --reject-with tcp-reset
done
put that in the last subfunction defined in the custom rc file.
c) change the FW_LOG setting in firewall2.rc.config from reading
-log-level warning to -log-level kernel.warning
14. last: some small changes to /sbin/SuSEfirewall2
search in the script for the parts where the modules are loaded
and unloaded; be sure to add ipt_string (and the other new
modules you created by patching the kernel and enabling them in
make config) to the modules loading/unloading code there.
15. if you try now to access (from outside, of course) one of the
nimda or codered URLs, all you get is a 'connection reset by
peer', and the request doesn't show in apache log files.
btw, no guarantees, and the usual YMMV :)
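As an added example (not part of the post above), a small Python check that scans Apache access-log lines for the same three strings the ipt_string rules reject, so you can confirm from the logs whether worm probes still reach the web server after the rules are in place. The log lines are constructed; the log format assumed is Apache common/combined.

```python
import re
from collections import Counter

# The same strings the iptables rules above reject; a request line that
# contains any of them is counted as a worm probe.
FORBIDDEN_STRINGS = ("root.exe", "cmd.exe", ".ida")

# Apache common/combined log prefix: client ident user [time] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')


def classify_line(line):
    """Return (client, matched_string) for a probe, or None for a clean request."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not an Apache log line we understand
    client, _ts, request, _status, _size = m.groups()
    for s in FORBIDDEN_STRINGS:
        if s in request:
            return client, s
    return None


def count_probes(lines):
    """Count probes per forbidden string and per client over a list of log lines."""
    by_string = Counter()
    by_client = Counter()
    for line in lines:
        hit = classify_line(line)
        if hit:
            client, s = hit
            by_string[s] += 1
            by_client[client] += 1
    return by_string, by_client


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Oct/2001:10:00:01 +0200] "GET /scripts/root.exe HTTP/1.0" 404 289',
    '10.0.0.5 - - [21/Oct/2001:10:00:02 +0200] "GET /c/winnt/system32/cmd.exe HTTP/1.0" 404 296',
    '10.0.0.9 - - [21/Oct/2001:10:00:03 +0200] "GET /default.ida HTTP/1.0" 404 283',
    '192.168.1.7 - - [21/Oct/2001:10:00:04 +0200] "GET /index.html HTTP/1.1" 200 1043',
]

if __name__ == "__main__":
    by_string, by_client = count_probes(SAMPLE_LOG)
    print(dict(by_string), dict(by_client))
```

If the filter works as described, the counts over fresh log lines should stay at zero.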
after installing the latest kernel update for the ptrace security issue on
a SuSE 8.0 system, the new kernel panics while booting with the message
"VFS: unable to mount root fs". My possibilities to analyze this problem
are very limited since the system in question is an important 24x7
production system to which I only have remote access and when the system
fails to boot this can only be fixed with the help of a local engineer.
This is why I'm asking this list if anyone has experienced this problem
before and possibly even has a solution for it. As a note, the new kernel
works fine on two SuSE 7.1 systems.
Some information on the system:
SuSE SMP Kernel 2.4.18-64GB-SMP for 2 P-III CPUs,
1 GB RAM,
2 SCSI drives with Adaptec SCSI controller.
Root-Filesystem is ext3
INITRD_MODULES="aic7xxx usbcore jbd ext3"
mk_initrd and lilo after installation of the new kernel ran without any
After re-installing the old SuSE 2.4.18 Kernel with the security leak the
system boots up fine again.
Thanks in advance
I'm not sure if it is the reason but the probability is high:
After the security update of the linux kernel,
in my case from k_deflt-2.4.18-57 to k_deflt-2.4.18-261,
I have two frozen systems.
In the first case we are running a program that starts some stored procedures
in an Informix Database (IDS 9.30.UC1). After a few minutes there are no
more actions possible on that server. You can't find any message in
/var/log/messages or online.log. Even recursively started commands
like ps or onstat -g ses sid -r 1>protfile do not generate any output.
In the second case something similar happened during the daily cronjob which builds
and loads a database of ca. 8 GB size.
My question: Does anybody else have problems with these kernel updates
related to Informix Dynamic Server?
the latest kernel updates are bad, not only my SuSE 8.1 with the latest update
crashes when starting X11 with nvidia drivers, but my 8.0 firewall can't do
FreeS/WAN anymore because /lib/modules/`uname -r`/kernel/net/ipv4/ipsec.o is
missing, and the sources from km_freeswan don't compile...
I have just finished setting up a 6to4 tunnel to start using IPv6. But I am
trying to find a decent ip6tables tutorial/howto/sample firewalls... But
I am not having very much luck. Does anyone know of any good web sites for
Thanks in advance.
I use SuSE 7.3.
The internal network connects to the internet by setting port
3128 in IE, but when I set authenticate_program in squid.conf
to get a Windows login for users,
IE doesn't get any window and the internal network
(clients) connect to the internet normally without login.
I set these options in squid.conf:
acl password proxy_auth payam
acl users src 192.168.1.0/255.255.252.0
http_access allow users
http_access allow password
Is there any problem with this configuration, so that IE
can't get the Windows login when trying to browse?
Thanks for your help,
a customer of mine is using SuSE 7.3 and iptables v1.2.2.
The iptables commands are called directly, not with SuSEfirewall.
Normally I use shorewall, I am not a specialist for iptables commands, I did
not write the commands, but have to support them now.
The server is an internet webserver. Because of some attacks the firewall is
important. There is a postfix E-Mail server and there are websites on the
server. Accessing is no problem from the internet.
BUT: from the intranet we cannot call the websites and load the E-Mails from
the server. I think it is not a DNS problem, but a firewall problem.
With "iptables -t nat -L" I get (names changed for public) for PREROUTING -
DNAT tcp -- anywhere linus.localnet.de tcp dpt:http
DNAT tcp -- anywhere linus.localnet.de tcp dpt:domain
DNAT udp -- anywhere linus.localnet.de udp dpt:domain
DNAT tcp -- anywhere linus.localnet.de tcp dpt:smtp
DNAT tcp -- anywhere linus.localnet.de tcp dpt:pop3
DNAT tcp -- 172.21.85.0/24 linus.localnet.de tcp dpt:http
DNAT udp -- 172.21.85.0/24 linus.localnet.de udp dpt:http
DNAT tcp -- anywhere linus.localnet.de tcp dpt:smakynet
((I did not know what "smakynet" is)).
The INPUT chain shows (here a part of all):
ACCEPT tcp -- 172.21.85.0/24 linuso.localnet.de tcp dpt:http
ACCEPT tcp -- 172.21.85.0/24 linus.localnet.de tcp dpt:http
ACCEPT tcp -- 172.21.85.0/24 anywhere tcp dpt:http
The OUTPUT chain shows (a part too):
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:http
Under the POSTROUTING I get:
MASQUERADE all -- 172.21.85.0/24 anywhere
Which iptables command is necessary for getting access from the intranet
(172.21.85.0) to the webserver (172.21.85.11)?
Many thanks in advance.
I just want to ask if there is anybody out there feeling responsible for
of moderation here. The point is that I have asked one of the subscribers
sending all messages to the list with a high-priority flag to change this
instead of a reply, I still get these annoying "alerts". I do not know if
something like a moderation here, and maybe I am the only person who doesn't
like to get all these mails marked as "urgent" here. For me, on a security
only urgent mails (e.g. newly found exploits etc.) are to be marked like
I would really like to know how you see this and how to keep this list a
resource of information and discussion. I really don't want to set
on my filters just because of technical issues.
On Mon, Mar 31, 2003 at 05:43:02PM +0200, tobiwan wrote:
> Hi Robert and List,
> one question again. In the case of not having done a backup and wanting to go back
> to the unpatched kernel, is it sufficient to uninstall the patch via RPM and
> do the mk_initrd && lilo? Just to be sure...
No, you must reinstall the old one, i.e. fetch the RPM of the old one
from the distribution CDs or wherever your old kernel was from and do
# rpm -Uvh --oldpackage oldkernel.rpm
Robert Schiele Tel.: +49-621-181-2517