> On Monday 01 September 2003 07:03 am, Maciej Soltysiak wrote:
> > Hi,
> >
> > > ask where this FAQ entry is...
> >
> > http://www.netfilter.org/documentation/FAQ/netfilter-faq-3.html#ss3.14
> >
>
> Kay... Though as my friend asked, what IS it good for? examples?
>
> > > second, I've been using ipkungfu to attempt to stop codered, nimda,
> > > etc from hitting my apache server and clogging up my logs.
> > > It's not working, the rules never trigger. I've played around with it
> > > to no avail.
> >
> > I do not know how ipkungfu works, I'd have to check it out to see if it
> > can work and if it is a valid and clean solution.
>
> http://www.linuxkungfu.org/
>
> > > I guess, if this doesn't work, and isn't supposed to work, what
> > > SHOULD I do?
> >
> > Patch your affected servers, use unaffected software and
> > inform the netadmins of infected hosts about virii.
>
> fwiw, I don't use IIS, so I don't really get infected by it, but all
> the same I get it clogging up my logs... which is what I'm really
> trying to take care of here... no more crap in my logs.
>
> >
> > Regards,
> > Maciej
> --
> tabris
> -
> Life only demands from you the strength you possess.
> Only one feat is possible -- not to have run away.
> -- Dag Hammarskjold
>
>

This is not a netfilter solution, but it does the trick for our servers.
If your server is mod_perl enhanced then use this statement in your
httpd.conf file:

# trap exploits of nimda & code-red compromised systems.
# version 1.06 9-20-01 michael@xxxxxxxxxxxxxx
<perl>
{
  package Apache::VirusLogZapper;
  use Apache::Constants qw(:common :response);

  # Set to 1 to note each trapped request in the error log.
  my $ERRORLOG = 0;

  sub handler {
    my $r = shift;
    if ($ERRORLOG) {
      # Capture in list context so a failed match cannot leave a stale $1.
      my ($hit) = $r->uri =~ /(cmd\.exe|root\.exe|default\.ida)/;
      $r->log_error(__PACKAGE__, ' ', $r->get_remote_host, ' ',
                    defined $hit ? $hit : '-');
    }
    # Push a log-phase handler that returns DONE so the request is
    # kept out of the access log, then end the request here.
    $r->push_handlers(PerlLogHandler => sub { return DONE });
    return DONE;
  }
}
</perl>

Michael@xxxxxxxxxxxxxxxxxxx
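
An added example, not part of the original thread or of Michael's configuration: for a server without mod_perl, this Python script applies the same three URL markers to an existing Common Log Format access log, separating worm probes from normal lines and counting probes per source host (useful for the "inform the netadmins of infected hosts" step quoted above). The function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Same markers as the regex in the mod_perl handler above.
WORM_RE = re.compile(r"(cmd\.exe|root\.exe|default\.ida)")
# Common Log Format prefix: host ident user [time] "METHOD target ...
CLF_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]*\] "\S+ (?P<target>\S+)')

# Constructed sample lines using documentation-range addresses, not real traffic.
SAMPLE = [
    '192.0.2.10 - - [01/Sep/2003:07:03:00 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '198.51.100.7 - - [01/Sep/2003:07:03:02 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276',
    '198.51.100.7 - - [01/Sep/2003:07:03:03 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290',
    '203.0.113.44 - - [01/Sep/2003:07:04:10 +0000] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 270',
    '192.0.2.10 - - [01/Sep/2003:07:05:00 +0000] "GET /search?q=default.ida HTTP/1.0" 200 512',
    'garbled line without a request',
]

def split_log(lines):
    """Return (clean_lines, probes); probes is a list of (host, marker)."""
    clean, probes = [], []
    for line in lines:
        m = CLF_RE.match(line)
        hit = None
        if m:
            # Approximate $r->uri: the decoded path without the query string.
            path = unquote(m.group("target").split("?", 1)[0])
            hit = WORM_RE.search(path)
        if hit:
            probes.append((m.group("host"), hit.group(1)))
        else:
            # Unparseable lines are kept, never silently dropped.
            clean.append(line)
    return clean, probes

def hosts_to_report(probes):
    """Probe counts per source host, most active first."""
    return Counter(host for host, _ in probes).most_common()

if __name__ == "__main__":
    clean, probes = split_log(SAMPLE)
    print("\n".join(clean))
    for host, count in hosts_to_report(probes):
        print(f"# {host}: {count} probe(s)")
```

Because only the path is checked, the `/search?q=default.ida` line stays in the clean output, matching what a handler keyed on `$r->uri` would see.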