Can you do the same with ipchains and SuSEfirewall1? If so, would you have an example? Thanks in advance.
Alex

----- Original Message -----
From: "Mathias Homann" <admin@eregion.de>
Newsgroups: eregion.lists.suse.security
To: <suse-security@suse.com>
Sent: Sunday, October 21, 2001 10:45 AM
Subject: [suse-security] how to keep nimda and code red from filling apache logs
Hi all,
here's a bit of a step-by-step description on how to keep nimda and codered from filling your apache logs.
Parts used:
- SuSE 7.2 Professional
- SuSEfirewall2
- iptables 1.2.3
- Linux kernel 2.4.13-pre5
steps:
1. install kernel sources for a kernel >> 2.4.9, running 2.4.13-pre5 here, works fine so far
2. get the sources for iptables 1.2.3 from http://netfilter.samba.org
3. unpack sources somewhere
4. export KERNEL_DIR=$(where you put the kernel tree)
5. cd into unpacked iptables sources, there's a subdirectory named patch-o-matic there
6. apply wanted patches by running ./runme $(name.of.patch). For this here you'll want the string patch. You can also apply other patches, like the irc-conntrack patch.
7. now there's a little bug in this patch... here's a diff: --- linux/net/ipv4/netfilter/ipt_string.c~ Sun Oct 21 00:16:29 2001 +++ linux/net/ipv4/netfilter/ipt_string.c Sun Oct 21 16:54:45 2001 @@ -62,7 +62,7 @@
sk = skip[haystack[right_end - i]]; sh = shift[i]; - right_end = max(int, right_end - i + sk, right_end + sh); + right_end = max(right_end - i + sk, right_end + sh); }
return NULL;
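Review bot: the fix at the `right_end = max(...)` line drops the `int` type argument, so the patched ipt_string.c only compiles against a kernel whose max() macro takes two arguments; on a kernel with the three-argument `max(type, x, y)` form that the patch-o-matic code was written for, the patched line fails instead. Since step 1 only requires "a kernel >> 2.4.9", either state that this diff is for the two-argument max() of the 2.4.13-pre5 used here, or guard it with a kernel-version check so readers on the older macro keep the original `max(int, right_end - i + sk, right_end + sh)`.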
8. now, make config/menuconfig/xconfig... as usual. You can import your running kernel's config first.
9. enable the experimental stuff
10. go to networking options->netfilter, there's an option there to enable string matching; set that to M
11. compile and install kernel as usual; remember to uncomment the export INSTALL_PATH=/boot in the main makefile.
12. now build a rpm file for the new iptables stuff by installing the source rpm which comes with suse, then edit the spec file, put the iptables source in /usr/src/packages/SOURCE and rebuild.
13. now there are some small changes to the firewall config files.
a) uncomment the last line in /etc/rc.config.d/firewall2.rc.config:
   FW_CUSTOMRULES="/etc/rc.config.d/firewall2-custom.rc.config"
b) edit that file, I got the following stuff in mine:
   # one REJECT rule per forbidden substring, inserted at the top of input_ext
   for forbidden_string in root.exe cmd.exe .ida; do
       iptables -I input_ext -p tcp --dport http -m string \
           --string "$forbidden_string" -m state \
           --state ESTABLISHED -j REJECT --reject-with tcp-reset
   done

put that in the last subfunction defined in the custom rc file.
c) change the FW_LOG setting in firewall2.rc.config from reading -log-level warning to -log-level kernel.warning
14. last: some small changes to /sbin/SuSEfirewall2 search in the script for the parts where the modules are loaded and unloaded; be sure to add ipt_string (and the other new modules you created by patching the kernel and enabling them in make config) to the modules loading/unloading code there.
15. reboot
16. if you try now to access (from outside, of course) one of the nimda or codered URLs, all you get is a 'connection reset by peer', and the request doesn't show in apache log files.
btw, no guarantees, and the usual YMMV :)
bye [L]
-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
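Added example, not code from Mathias's post or from SuSEfirewall2: the same three REJECT rules as the custom function above, generated from one quoted pattern list with a dry-run switch, plus a local substring check that mimics what the kernel string match does to each packet, run over a few constructed request lines. The chain name input_ext and the three substrings are taken from the post; the sample requests and the IPTABLES variable are my assumptions.

```sh
#!/bin/sh
# Added example, not part of the original post. Builds the same REJECT rules as
# the SuSEfirewall2 custom function from the post (quoted, with a dry-run switch)
# and checks sample request lines locally to show what the per-substring match
# would hit. Chain input_ext and the pattern list come from the post.

FORBIDDEN="root.exe cmd.exe .ida"      # substrings from the post
IPTABLES="${IPTABLES:-iptables}"       # set IPTABLES=echo to print instead of load

# One rule per substring, same shape as the post's loop. Fails on the first
# iptables invocation that returns non-zero.
build_rules() {
    for s in $FORBIDDEN; do
        "$IPTABLES" -I input_ext -p tcp --dport http -m string --string "$s" \
            -m state --state ESTABLISHED -j REJECT --reject-with tcp-reset || return 1
    done
}

# Plain case-sensitive substring test, which is what the kernel string match
# does on each packet it sees. Exit status 0 means the line would be rejected.
would_reject() {
    for s in $FORBIDDEN; do
        case "$1" in *"$s"*) return 0 ;; esac
    done
    return 1
}

# Constructed sample request lines (typical Nimda / Code Red probes plus one
# legitimate request); running this file prints the verdict for each.
demo() {
    for req in 'GET /scripts/root.exe?/c+dir HTTP/1.0' \
               'GET /default.ida?XXXX HTTP/1.0' \
               'GET /index.html HTTP/1.0'; do
        if would_reject "$req"; then v=REJECT; else v=pass; fi
        printf '%-7s %s\n' "$v" "$req"
    done
}

demo
```

Run with IPTABLES=echo to see the three rules before loading them for real. Note what the local check also makes visible: the match is a plain case-sensitive substring test on one packet at a time, so a request that spells the name differently or is split across segments is not caught by these rules.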