On Sun, Nov 24, 2002 at 10:54:32AM +0100, ezra daniel wrote:
> Every day on my site many IPs point at my httpd server, NIMDA
> attacking it... I would like to block or DROP these packages,
> but they go to port 80, which of course I can't block totally.
>
> Does anyone know if there is a special rule or chain to block this?

As Chaka Khan once said, "I feel for you". I'm getting sick of seeing
these probes too. Right now I'm keeping track of them, but not blocking.
I use a PHP blurb from http://zerodeux.net/projects/wormstat/ to log and
display them for the time being.

Someone mentioned the Apache::CodeRed module as a way to block them.
Another one you may be interested in is "mod_antihak", available at
http://apantihak.sourceforge.net/ and Freshmeat. This module not only
blocks Code Red, Nimda, and IIS/sadmind, it can also optionally keep a
MySQL database of the attempts, if you like seeing that stuff.

FYI: Nimda worms only scan their own subnet, IIRC. For example, if I'm
68.61.1.1, I'll see these coming from 68.61.x.x machines, and no other
address space (of course, variants may not exhibit this same restriction).
For particularly troublesome boxen, I just drop all their traffic via
the IP.

HTH,
Jeff Bonner
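As an added example (not from either poster, nor from wormstat or mod_antihak), here is a small log-review script in the spirit of "keep track of them, then decide whom to drop": it parses constructed Apache access_log lines, tallies requests for the paths the Code Red and Nimda families probe for, and flags which sources sit in the same /16 as your own address, so a per-IP drop decision is backed by counts rather than a glance at the log. The sample lines, the server address and the /16 assumption are all constructed.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample Apache access_log lines (Common Log Format); not from the post.
SAMPLE_LOG = """\
68.61.12.34 - - [24/Nov/2002:10:12:01 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
68.61.12.34 - - [24/Nov/2002:10:12:02 +0100] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289
10.9.8.7 - - [24/Nov/2002:10:13:55 +0100] "GET /default.ida?XXXXXXXX HTTP/1.0" 400 325
192.0.2.10 - - [24/Nov/2002:10:14:10 +0100] "GET /index.html HTTP/1.1" 200 1043
68.61.99.5 - - [24/Nov/2002:10:15:30 +0100] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 276
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# Filenames the Code Red (default.ida) and Nimda (root.exe, cmd.exe) probes request.
WORM_MARKERS = ("root.exe", "cmd.exe", "default.ida")

def classify(path):
    """Return the worm marker found in a request path, or None for ordinary traffic."""
    low = path.lower()
    for marker in WORM_MARKERS:
        if marker in low:
            return marker
    return None

def worm_hits(log_text):
    """Tally worm-style probes per source IP: {ip: Counter(marker -> count)}."""
    hits = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        marker = classify(m.group("path"))
        if marker:
            hits.setdefault(m.group("ip"), Counter())[marker] += 1
    return hits

def same_subnet(ip, our_ip, prefix=16):
    """True if ip is in our_ip's /prefix (the post observes Nimda probes come from our own 68.61.x.x)."""
    return ip_address(ip) in ip_network(f"{our_ip}/{prefix}", strict=False)

def report(log_text, our_ip):
    """Rows of (ip, total probes, same /16 as us), busiest source first, for a blocklist review."""
    hits = worm_hits(log_text)
    rows = [(ip, sum(c.values()), same_subnet(ip, our_ip)) for ip, c in hits.items()]
    return sorted(rows, key=lambda r: -r[1])

if __name__ == "__main__":
    for ip, n, local in report(SAMPLE_LOG, "68.61.1.1"):  # "68.61.1.1" is the constructed server address
        print(f"{ip:16} {n:3d} probes  same-/16={local}")
```

The 200-status request for /index.html is correctly left out of the tally; only sources with worm markers appear, so the output is a candidate list for the "drop all their traffic via the IP" step rather than a blanket port-80 block.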