Re: Fwd: bugtraq.c httpd apache ssl attack
Wichert Akkerman <wichert@wiggy.net> writes:
> Previously Phillip Hofmeister wrote:
>> I am using RedHat 7.3 with Apache 1.3.23. Someone used the
>> program "bugtraq.c" to exploit a modSSL buffer overflow to get access to
>> a shell. The attack creates a file named "/tmp/.bugtraq.c" and compiles it
>> using gcc.
>
> One wonders why you would have gcc installed on a webserver..
Quite so. Never used to happen in my day ;)
Another idea that might help lessen the impact of this silly mess:
iptables -N outlog            # the chain has to exist before OUTPUT can jump to it
iptables -A OUTPUT -p udp --dport 53 ... -j ACCEPT    # ... = your normal match options
iptables -A OUTPUT -p udp --dport 123 ... -j ACCEPT
iptables -A OUTPUT -p udp -j outlog
# The output logging chain: log (rate-limited), then drop
iptables -A outlog -m limit --limit 3 --limit-burst 5 \
  -j LOG --log-prefix "catch-all:(out) "
iptables -A outlog -j DROP
i.e., allow useful UDP like 53 and 123 with whatever your normal accept
rules are, and then limit everything else and drop stuff that goes over
limits, with a useful log message to say what's happened.
$0.02,
~Tim
--
<http://spodzone.org.uk/>
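A fuller version of the egress filter sketched in the mail above, written as an added example (it is not Tim's script and not part of the original thread). It keeps the same shape: DNS and NTP out, everything else into a chain that logs with a rate limit and then drops. Three details worth getting right in practice: the custom chain must be created with `-N` before any rule jumps to it; `--limit 3` with no unit means three per hour, so the unit is spelled out; and the limit only throttles the LOG line, so every non-whitelisted packet is still dropped whether or not it was logged. The script also goes beyond the page's UDP-only rules by sending new outbound TCP connections through the same chain, which is what stops a compiled-in-/tmp backdoor from phoning home; any legitimate outbound TCP (mail relay, package mirror) then needs its own ACCEPT above that line. The resolver and NTP addresses are assumed placeholders from the documentation range; by default the script only prints the rules, and `EGRESS_APPLY=1` executes them.

```shell
#!/bin/sh
# Added example: egress filter for a web server (not code from the original mail).
# Default is a dry run that prints the iptables commands; EGRESS_APPLY=1 applies them.
set -eu

DNS_SERVER=${DNS_SERVER:-192.0.2.53}    # assumed resolver address (placeholder)
NTP_SERVER=${NTP_SERVER:-192.0.2.123}   # assumed NTP peer address (placeholder)
LOG_RATE=${LOG_RATE:-3/minute}          # explicit unit: a bare "3" means 3/hour
LOG_BURST=${LOG_BURST:-5}

# Print the complete rule set, one iptables invocation per line, in an order
# that is valid to execute top to bottom (chain created before it is used).
egress_rules() {
    cat <<EOF
iptables -N outlog 2>/dev/null || iptables -F outlog
iptables -A outlog -m limit --limit $LOG_RATE --limit-burst $LOG_BURST -j LOG --log-prefix "catch-all:(out) "
iptables -A outlog -j DROP
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p udp -d $DNS_SERVER --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp -d $NTP_SERVER --dport 123 -j ACCEPT
iptables -A OUTPUT -p udp -j outlog
iptables -A OUTPUT -p tcp -m state --state NEW -j outlog
EOF
}

# Count how many rules end in a terminating DROP; the chain should drop exactly
# once, after the rate-limited LOG, so unlogged packets are still dropped.
drop_rule_count() {
    egress_rules | grep -c -- '-j DROP'
}

# Execute the printed rules with a shell that stops on the first failure.
apply_egress() {
    egress_rules | sh -e
}

if [ "${EGRESS_APPLY:-0}" = 1 ]; then
    apply_egress
else
    egress_rules
fi
```

Because replies to the server's own inbound HTTP traffic are ESTABLISHED, the state rule keeps the web service working while the catch-all applies only to connections the box itself initiates.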