
Re: Fwd: bugtraq.c httpd apache ssl attack



Wichert Akkerman <wichert@wiggy.net> writes:

> Previously Phillip Hofmeister wrote:
>> I am using RedHat 7.3 with Apache 1.3.23. Someone used the
>> program "bugtraq.c" to explore a modSSL buffer overflow to get access to
>> a shell. The attack creates a file named "/tmp/.bugtraq.c" and compiles it
>> using gcc.
>
> One wonders why you would have gcc installed on a webserver..

Quite so. Never used to happen in my day ;)

Another idea that might help lessen the impact of this silly mess:

    iptables -A OUTPUT -p udp --dport 53...... ACCEPT
    iptables -A OUTPUT -p udp --dport 123 ..... ACCEPT
    iptables -A OUTPUT -p udp -j outlog

    # The output logging chain (must exist before OUTPUT can jump to it)
    iptables -N outlog
    iptables -A outlog -j LOG -m limit \
                       --limit 3 --limit-burst 5 \
                       --log-prefix "catch-all:(out)"
    iptables -A outlog -j DROP

i.e., allow useful UDP like 53 and 123 with whatever your normal accept
rules are, and then limit everything else and drop stuff that goes
over-limits, with a useful log message to say what's happened.

$0.02,

~Tim
-- 
<http://spodzone.org.uk/>
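The rules above only pay off if someone reads the resulting kernel log lines. The following is an added example (not part of the original thread) that parses LOG-target output carrying the "catch-all:(out)" prefix and counts dropped outbound UDP flows per destination; the sample log lines are constructed, and note that because the prefix has no trailing space it runs straight into the "IN=" field, which the parser tolerates.

```python
import re
from collections import Counter

# Constructed sample kernel log lines in the shape the iptables LOG target
# writes for the outlog chain above. The prefix "catch-all:(out)" has no
# trailing space, so it is immediately followed by "IN=".
SAMPLE_LOG = """\
Oct  3 11:02:17 www kernel: catch-all:(out)IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31337 DF PROTO=UDP SPT=40233 DPT=4444 LEN=40
Oct  3 11:02:17 www kernel: catch-all:(out)IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31338 DF PROTO=UDP SPT=40233 DPT=4444 LEN=40
Oct  3 11:02:18 www kernel: catch-all:(out)IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31339 DF PROTO=UDP SPT=40234 DPT=2002 LEN=40
Oct  3 11:02:19 www kernel: eth0: link is up
"""

# KEY=VALUE tokens; VALUE may be empty (e.g. "IN=" on an outbound packet).
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line, prefix="catch-all:(out)"):
    """Return the KEY=VALUE fields of a LOG line carrying `prefix`, else None.

    Only the text after the prefix is parsed, so the syslog timestamp and
    hostname never leak into the field dictionary. Repeated keys (the two
    LEN= fields) keep the last value, which is good enough for counting.
    """
    idx = line.find(prefix)
    if idx < 0:
        return None
    return dict(FIELD_RE.findall(line[idx + len(prefix):]))


def blocked_udp_destinations(log_text, prefix="catch-all:(out)"):
    """Count dropped outbound UDP flows per (DST, DPT) across `log_text`."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_line(line, prefix)
        if not fields or fields.get("PROTO") != "UDP":
            continue
        if "DST" in fields and "DPT" in fields:
            counts[(fields["DST"], int(fields["DPT"]))] += 1
    return counts


if __name__ == "__main__":
    # Most-hit destinations first; on a web server this list should be empty.
    for (dst, dpt), n in blocked_udp_destinations(SAMPLE_LOG).most_common():
        print(f"{n:4d} dropped UDP packets to {dst}:{dpt}")
```

Remember that `-m limit` throttles only the LOG rule, so the counts are a lower bound on what the DROP rule actually discarded.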


