[cobalt-users] NIMDA Attacks - Anyway to deny requests?
- Subject: [cobalt-users] NIMDA Attacks - Anyway to deny requests?
- From: Scott F <scott_falco@xxxxxxxxx>
- Date: Sat Sep 22 16:10:21 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
>Question, how did you configure your machines
>to block the infected ip addresses ?
>
>I would appreciate an example as I do not know
>how to do it.
Well, I run a FreeBSD firebox in front of my other
systems, along with (for overkill) firewalls on each box
itself. The firewalls run a separate file
(rc.firewall.blocked) which allows me to drop in IPs
from problem children. I used that nimda script (great
idea btw) found here on the list to collect offending
IPs (so much easier than playing with grep), then
simply dropped those IPs into my rc.firewall.blocked
file and restarted the firewall(s). After the first
day or two, a noticeable difference was more than
apparent. Now I'm down to around 20 or so per day, and
maybe 475 offenders in the blocked category. If you
don't have a firewall installed, I posted a snip on
the security list 2-3 months ago that can be used to
set up your own rc.firewall.blocked file (without a
firewall in place), so I'll just copy that code here
for the taking if you're interested.
Good Luck!
Scott
Just install the script under /etc/rc.d as any name
you like, then chmod the script to 700. Then make sure
you have an rc.firewall.blocked file under the same
/etc/rc.d directory, which is where you'll drop in
your ghoul IP ranges (watch line wraps in the script).
#!/bin/sh
# Network Ghouls
# Deny access to jerks
# --------------------
# /etc/rc.d/rc.firewall.blocked contains one host or range per
# line (e.g. 203.232.240.215 or 203.232.240.0/24). Anything after
# the address on a line is ignored, so you can leave notes there.
# Each entry becomes ipchains rules that refuse traffic to and
# from it, in both directions.
# Refuse any connection from problem sites
if [ -f /etc/rc.d/rc.firewall.blocked ]; then
    deny_file="/etc/rc.d/rc.firewall.blocked"
    # mktemp rather than a fixed /tmp name, so nobody can plant a
    # symlink at a predictable path before the firewall starts
    temp_file=$(mktemp /tmp/ghoul.XXXXXX) || exit 1
    # keep the leading address (digits, dots and an optional /prefix
    # so ranges like 203.232.240.0/24 survive), drop the rest of the
    # line, and throw away lines that had no address at all
    sed -n -e 's#^[[:space:]]*\([0-9./]*\).*$#\1#p' "$deny_file" \
        | awk 'NF' > "$temp_file"
    while read -r ip_addy
    do
        ipchains -A input  -s "$ip_addy" -j DENY
        ipchains -A input  -d "$ip_addy" -j DENY
        ipchains -A output -s "$ip_addy" -j REJECT
        ipchains -A output -d "$ip_addy" -j REJECT
    done < "$temp_file"
    rm -f "$temp_file" > /dev/null 2>&1
    unset temp_file
    unset deny_file
fi
In the rc.firewall.blocked file, you can even go for
the broader scope and block out the entire IP range if
they're a real pain in the ass, like this:
203.232.240.0/24 (sorry Korea -uhhh not really)
That's all you need to drop into the
rc.firewall.blocked file. No need to enter the other
stuff (/sbin/ipchains -I input -s 203.232.240.215 -j
DENY -l) as that's what the script does for
you. Just start the ghoul script as
./what-ever-you-name-it from the /etc/rc.d/ directory,
then the ghoul script will protect your machine in
both directions (in/out) from the IP (or ranges) found in
the rc.firewall.blocked file. :-)
Cheers!
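[Added example, not part of Scott's post, the list's nimda script, or the Cobalt firmware.] The two halves of the procedure above, collecting offenders from the web log and then turning a rc.firewall.blocked-style list into firewall rules, as a dry-run script. The function names (nimda_offenders, is_ip_or_cidr, ghoul_rules) are mine; the log lines and blocklist are constructed samples, not real traffic. It assumes Apache common-log format (client address in field 1) and ipchains syntax, and prints the rules instead of executing them so it can be run on any box. The extra thing it shows over the loader above is validation: a bad octet, an incomplete address or stray text in the list is skipped with a warning instead of being handed straight to ipchains.

```sh
#!/bin/sh
# Added example, not the list's nimda script and not the ghoul loader.
# nimda_offenders - pull probe sources out of an Apache common-log file
# ghoul_rules     - turn a blocklist into ipchains rules, validating first
# Both read stdin. Rules are printed, not run; pipe to sh once you trust them.

# Request strings Nimda probes with: root.exe / cmd.exe and the
# ..%c1%1c.. / ..%c0%af.. / ..%255c.. directory traversal encodings.
NIMDA_PATTERN='root\.exe|cmd\.exe|%c1%1c|%c0%af|%255c'

nimda_offenders() {
    # field 1 of a common-log line is the client address
    grep -Ei "$NIMDA_PATTERN" | awk '{ print $1 }' | sort -u
}

# True if $1 is a dotted quad, optionally with a /0../32 prefix length.
is_ip_or_cidr() {
    printf '%s\n' "$1" \
      | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' \
      || return 1
    # the regex allows 999; reject any octet above 255
    for octet in $(printf '%s\n' "$1" | sed 's#/.*##' | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

ghoul_rules() {
    # strip # comments, keep the first token of each non-blank line
    sed 's/#.*//' | awk 'NF { print $1 }' |
    while read -r ip_addy; do
        if is_ip_or_cidr "$ip_addy"; then
            echo "ipchains -A input -s $ip_addy -j DENY"
            echo "ipchains -A input -d $ip_addy -j DENY"
            echo "ipchains -A output -s $ip_addy -j REJECT"
            echo "ipchains -A output -d $ip_addy -j REJECT"
        else
            echo "ghoul: skipping malformed entry '$ip_addy'" >&2
        fi
    done
}

# Constructed sample data (not real traffic, not a real blocklist).
sample_log='203.232.240.215 - - [22/Sep/2001:10:14:02 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 278
10.1.2.3 - - [22/Sep/2001:10:14:05 -0400] "GET /index.html HTTP/1.0" 200 1482
203.232.240.215 - - [22/Sep/2001:10:14:07 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 278
61.9.30.4 - - [22/Sep/2001:10:15:11 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 278'

sample_blocked='# ghoul list: one host or range per line, notes after the address are fine
203.232.240.0/24 (sorry Korea -uhhh not really)
61.9.30.4
999.1.1.1        # bad octet, must be skipped
203.232.240      # incomplete address, must be skipped'

echo "# offenders seen in the log:"
printf '%s\n' "$sample_log" | nimda_offenders
echo "# rules the loader would run:"
printf '%s\n' "$sample_blocked" | ghoul_rules
```

On a real box, replace the sample variables with `nimda_offenders < /var/log/httpd/access_log` to build the list and `ghoul_rules < /etc/rc.d/rc.firewall.blocked | sh` to load it; the two skipped entries show up on stderr and never reach the firewall.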