Nimda and Iptables
Wed, 3 Oct 2001 02:02:16 +0200
This is far from the netfilter topic, but if it can help....
Here is a way to stop logging Nimda attacks on Apache.
Modify/add in httpd.conf:
- for the access log - don't log any request attempts made by Nimda:
    SetEnvIf Request_URI cmd\.exe|root\.exe nimda
    CustomLog /../../access_log common env=!nimda
- for the error log - don't log and don't send any 404 error page to Nimda:
    RedirectMatch (.*)root\.exe$ http://NimdaIsNotForMe.invalid$1
    RedirectMatch (.*)cmd\.exe$ http://NimdaIsNotForMe.invalid$1
Unfortunately I can't use
    iptables -A INPUT -i eth0 -j filt_match -d $EXTERNAL -m string --string "cmd.exe" -p tcp --dport 80
it makes an error :( (it is not implemented in iptables v1.2.1?)
Is it a good way? With this rule can I read a web page that talks about Nimda?
I don't think so...
----- Original Message -----
From: "Trevor Morrison" <firstname.lastname@example.org>
To: "netfilter" <email@example.com>
Sent: Tuesday, October 02, 2001 8:02 PM
Subject: Nimda and Iptables
> This is the first time I have posed a question to the list though I have
> been reading it on a regular basis and whence my question. I am running
> a 2.4.9 kernel with 1.2.3 Iptables. I have noticed there have been
> discussions concerning blocking the Nimda virus, but did not read about
> a definite way to do it. Is there a way using Iptables to block (DROP)
> the virus? It is rapidly filling up my logs and becoming a pain.
> Thanks in advance.
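
On the question in the reply above of whether a payload string match would also catch ordinary traffic that merely mentions cmd.exe: the following is an added example, not part of the original post. It compares a substring match over the whole packet with a match on the requested path only, run over constructed HTTP requests; the function names and sample requests are assumptions made for the illustration.

```python
import re

# Same two names the Apache rules in the post key on, anchored to the path's end.
NIMDA_PATH = re.compile(r"/(?:cmd|root)\.exe$")

def payload_match(packet: bytes) -> bool:
    """Packet-level view: the string anywhere in the payload."""
    return b"cmd.exe" in packet

def path_match(packet: bytes) -> bool:
    """Request-level view: only the requested path, query string dropped."""
    request_line = packet.split(b"\r\n", 1)[0].decode("latin-1")
    parts = request_line.split(" ")
    if len(parts) < 2:
        return False
    path = parts[1].split("?", 1)[0]
    return bool(NIMDA_PATH.search(path))

# Constructed sample requests (not captured traffic).
SAMPLES = {
    "probe_cmd": b"GET /scripts/cmd.exe?/c+dir HTTP/1.0\r\n\r\n",
    "probe_root": b"GET /scripts/root.exe?/c+dir HTTP/1.0\r\n\r\n",
    "search": b"GET /search?q=cmd.exe+nimda HTTP/1.0\r\n\r\n",
    "forum_post": b"POST /forum/reply HTTP/1.0\r\nContent-Length: 29\r\n\r\n"
                  b"Nimda asks IIS for cmd.exe...",
    "plain": b"GET /index.html HTTP/1.0\r\n\r\n",
}

def compare(samples=SAMPLES):
    """Return {name: (payload_match, path_match)} for each sample."""
    return {name: (payload_match(p), path_match(p)) for name, p in samples.items()}

if __name__ == "__main__":
    for name, (by_payload, by_path) in compare().items():
        print(f"{name:11} payload={by_payload!s:5} path={by_path}")
```

The substring match flags the search and forum requests and misses the root.exe probe, while the path match flags only the two probes.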