Re: access_log?


Subject: Re: access_log?
From: Nathan A. McQuillen (nm@steaky.dhs.org)
Date: Fri Jan 25 2002 - 02:24:27 MST


It isn't httpd that does the blocking -- I figured anybody with an
infected host might have any number of virii poking around, so I just
went all the way and blocked them completely with ipchains.

I do it with a combination of a php script (saved as default.ida, one of
the loophole files both nimda and codered look for) which logs the IP of
any system that requests it and a shell script which runs hourly and just
runs through that list of logged virus hosts and adds a DENY rule to
ipchains for each of them. It takes about a second, and it works great.

And sure, maybe those folks won't be able to read my weblog if they're
blocked. Shucks. ;)

- n2

On Wed, 23 Jan 2002, Jon wrote:

> on 1/23/02 2:55 PM, Zeke Runyon at zrunyon@mac.com wrote:
>
> > To view your log without the IIS server requests:
> > cat /var/log/access_log | fgrep -v .exe | fgrep -v .ida | less
> >
> > Someone suggested blocking those IPs? How do you do this? In the Apache
> > server configuration somewhere?
> >
> > z
> > ##
> > # Zeke Runyon, zrunyon@mac.com
> > # web: communistsquirrel.home.dhs.org (formerly zekeworld)
> > # Mac OS X 10.1.2 5P48 | OS 9.2.1 | Yellow Dog Linux 2.1
> > # Communist squirrels shall rule the world.
> >
>
> The thing about blocking the IP is that it changes every request. I would
> end up blocking hundreds of IP's.
>
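As an added example (not Nathan's or Zeke's scripts), the two steps described in this thread can be done straight from access_log: pull the unique client IPs whose request path is a worm probe, emit one ipchains DENY rule per host, and show the log with that noise filtered out. The cmd.exe and root.exe paths are assumed here as the ".exe" probes Zeke filters on; the page itself names only default.ida and ".exe", and the log lines are constructed, not a real capture.

```shell
#!/bin/sh
# Constructed sample access_log lines (common log format), not a real capture.
SAMPLE_LOG='10.0.0.5 - - [23/Jan/2002:14:55:01 -0700] "GET /default.ida?XXXX HTTP/1.0" 404 289
192.0.2.10 - - [23/Jan/2002:14:55:02 -0700] "GET /index.html HTTP/1.1" 200 1532
10.0.0.5 - - [23/Jan/2002:14:56:10 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 292
198.51.100.7 - - [23/Jan/2002:15:01:44 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 301
192.0.2.10 - - [23/Jan/2002:15:02:00 -0700] "GET /weblog/ HTTP/1.1" 200 8811'

# Probe paths treated as worm traffic. default.ida is from the thread;
# cmd.exe and root.exe are assumed to be the ".exe" probes meant there.
PROBE_RE='(default\.ida|cmd\.exe|root\.exe)'

# Print the unique client IPs that requested a probe path. Field 7 is the
# request path in common log format, so a hostname or referrer elsewhere on
# the line cannot match by accident. sort -u keeps the hourly list from
# growing with duplicates when the same host probes repeatedly.
worm_hosts() {
    awk -v re="$PROBE_RE" '$7 ~ re { print $1 }' | sort -u
}

# Turn the host list into ipchains DENY rules. They are printed rather than
# run so the list can be reviewed before it is applied.
deny_rules() {
    worm_hosts | while read -r ip; do
        printf 'ipchains -A input -s %s -j DENY\n' "$ip"
    done
}

# Zeke's view of the log with the probe requests removed.
clean_log() {
    awk -v re="$PROBE_RE" '$7 !~ re'
}

# Stand-alone run over the constructed log; in practice feed it
# /var/log/access_log instead.
printf '%s\n' "$SAMPLE_LOG" | deny_rules
printf '%s\n' "$SAMPLE_LOG" | clean_log
```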



This archive was generated by hypermail 2a24 : Fri Jan 25 2002 - 02:39:04 MST