Mailinglist Archive: opensuse-security (465 mails)

Re: [suse-security] Entriy in apache log
(Sorry, wasn't able to reply earlier due to a nameserver being down)

Yes, that is very true. In fact, it wouldn't make sense at all to block
them, unless the 'attacker' (which is an automated script running on a
winblows box; the user doesn't even know it's there) is -really- attacking
you. He'll soon find out that you aren't running an IIS server and either
stop hacking or switch to 'Linux-mode', trying the Apache bugs. That should
take him at least 2 or 3 seconds, then he is done, since there are maybe 1
or 2 'bugs' in Apache. ;-)

I wrote this script to:

- Learn bash
- Learn ipchains
- Have an excuse to make another webpage
- Get those lame entries 'outta my accesslog'

A filter between Apache and the accesslog would do fine too. Just pipe the
log to a filter (using grep -v to show all lines without the words you
specify) and have the output written to the access_log. The advantage would
be: no long listing of denied hosts, thus more speed, since ipchains has to
go through all those entries only to find out it can let the packet through.

Kind Regards,
Rogier Maas
----- Original Message -----
From: "Markus Gaugusch" <markus@xxxxxxxxxxx>
To: "Bob B" <n1uan@xxxxxxxxxxxxxxx>
Cc: "Rogier Maas" <icarus@xxxxxxxxxx>; <suse-security@xxxxxxxx>
Sent: Friday, December 21, 2001 12:03
Subject: Re: [suse-security] Entriy in apache log

> > ok let me ask this first: can I just have ipchains on the box without
> > changing and routing etc. that is set now, as I wouldn't want to make a
> > major overhaul!
> This is no problem, but the whole thing (blocking nimda "attacks" to your
> linux box) is really useless, as many have non-static IP addresses and you
> will soon have a huge blocking table, which results in poor performance.
> If you have really too many entries in your logs (filling up the disks),
> clean them with a script that removes all those entries or contact the
> provider of the infected hosts.
> Blocking of huge address ranges doesn't solve any problems.
> Markus Gaugusch
> --
> _____________________________    /"\
> Markus Gaugusch  ICQ 11374583    \ /    ASCII Ribbon Campaign
> markus@xxxxxxxxxxx                X     Against HTML Mail
>                                  / \
> --
> To unsubscribe, e-mail: suse-security-unsubscribe@xxxxxxxx
> For additional commands, e-mail: suse-security-help@xxxxxxxx
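
The log filter suggested in the reply above, as an added example that is not code from the thread: Apache's piped-log feature sends each access-log line to the script's stdin, and the script diverts worm probes to a second file rather than dropping them with grep -v, so they remain available for a report to the infected host's provider. The script path, file names, pattern list and sample lines are assumptions made for illustration.

```shell
#!/bin/sh
# Piped-log filter: Apache writes each access-log line to our stdin.
# Hypothetical hook-up in httpd.conf (all paths are assumptions):
#   CustomLog "|/usr/local/bin/logfilter.sh /var/log/httpd/access_log /var/log/httpd/worm_log" combined

# Lowercase request fragments typical of IIS-targeting worms (Nimda,
# Code Red). Assumed starter list; tune it against your own logs.
WORM_RE='cmd[.]exe|root[.]exe|default[.]ida|/_vti_bin/|/msadc/'

# filter_log CLEAN NOISE
# Splits stdin into two files: lines matching WORM_RE (case-insensitive)
# are appended to NOISE, all other lines to CLEAN.
filter_log() {
    awk -v re="$WORM_RE" -v clean="$1" -v noise="$2" '
        { out = (tolower($0) ~ re) ? noise : clean
          print >> out
          fflush(out) }    # flush per line so tail -f stays current
    '
}

# Constructed sample lines (documentation addresses, not real traffic).
sample_lines() {
    cat <<'EOF'
192.0.2.10 - - [21/Dec/2001:12:00:01 +0100] "GET /index.html HTTP/1.0" 200 1043
198.51.100.7 - - [21/Dec/2001:12:00:02 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
198.51.100.7 - - [21/Dec/2001:12:00:03 +0100] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208
203.0.113.5 - - [21/Dec/2001:12:00:04 +0100] "GET /default.ida?XXXX HTTP/1.0" 404 205
192.0.2.10 - - [21/Dec/2001:12:00:05 +0100] "GET /docs/cmd-reference.html HTTP/1.0" 200 5120
EOF
}

# Act as a filter only when both output paths are given on the command line.
if [ "$#" -eq 2 ]; then
    filter_log "$1" "$2"
fi
```

Try it offline with `sample_lines | filter_log /tmp/access_log /tmp/worm_log`; the last sample line shows that a legitimate URL containing "cmd" is not caught by the pattern.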
