Posted to users@httpd.apache.org by jon schatz <jo...@divisionbyzero.com> on 2002/01/29 21:48:11 UTC

Apache::Nimda (was Re: apache and nimbda)

This conversation has reminded me of something I started writing several
times in the past 8 months or so, an apache module to handle blocking /
notifying of infected hosts. While i appreciate what EarlyBird does, I
think its implementation could be improved (ie, grep'ing through a flat
file to see if a host has been blocked / notified before). So I started
on this module in perl. Initially, i had a configuration file that was
read in upon startup containing regexes matching .exe/.ida/../../../ /
etc. I went through a couple of versions using different methods to log
previous attacks so that the same admin wasn't notified multiple times
(flatfile originally, then berkeley db, then mysql), and then I stopped.
The average admin isn't going to want to run mysql (or any other db
daemon) on their box simply to not have to parse through webserver logs
anymore. So i think i'm going to go back and rewrite based on berkeley
db again. This is a request for input on what features you (admins)
would like / appreciate / wish for. Currently, this module does the
following:

1) logs the attack, and provides an event based handler for responding
(ie, firewall rules, realtime email/monitoring notification,
counterattack, etc)

2) once a night (via cron), the db is parsed, and email to admins is
prepared. No admin/abuse contact receives more than one email per night
(all hosts from that netblock are condensed into one report), and no one
is notified about a host more than once per week. These are all
configurable (not easily yet). There's also an email template file that
you can edit. the code that looks up admins via arin/apnic/etc is
currently real dirty; this actually has been the most difficult task
involved in the project.

And that's that. suggestions? ideas? one thing i was bouncing around was
a cgi-generated page that allows you to choose who gets notified and who
doesn't (like spamcop). I'm nervous about sending email unattended, even
though i've tested it a bit. So i'll probably have this ready for public
review sometime this weekend. I doubt i can get it in the Apache::
namespace though, but i'll let you all know when it's up in my cpan
directory. It may take longer than this because 1) i'm moving this week,
2) i have no dsl at my new place, and 3) i'm in the middle of a launch
at my day job, but we'll see.

-jon

-- 
jon@divisionbyzero.com || www.divisionbyzero.com
gpg key: www.divisionbyzero.com/pubkey.asc
think i have a virus?: www.divisionbyzero.com/pgp.html
"You are in a twisty little maze of Sendmail rules, all confusing." 
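Two of the pieces the post describes, written out as an added example (Python, not Jon's mod_perl module): the request-pattern match run over default Apache log lines, and the nightly dedup that condenses hosts per netblock and never reports a host more than once a week. The sample log lines are constructed, the URL-encoded pattern variants are an added assumption, and a /24 grouping stands in for the ARIN/APNIC contact lookup.

```python
import re
from datetime import datetime, timedelta, timezone
from ipaddress import ip_network

# Patterns the post names (.exe, .ida, ../../); the URL-encoded forms are an added assumption.
PROBE = re.compile(r"\.exe\b|\.ida\b|(?:\.\.|%2e%2e)(?:/|\\|%2f|%5c)", re.I)
# Default Apache (common/combined) log prefix: client, identd, user, [timestamp], "method path
LOG = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)')
# Constructed sample lines (not from the post): two probing hosts, one normal visitor.
SAMPLE_LOG = [
    '10.0.0.5 - - [29/Jan/2002:21:48:11 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 281',
    '10.0.0.9 - - [29/Jan/2002:21:49:02 +0000] "GET /index.html HTTP/1.1" 200 1043',
    '10.0.0.5 - - [29/Jan/2002:21:50:40 +0000] "GET /default.ida?XXXX HTTP/1.0" 404 281',
    '10.0.1.7 - - [29/Jan/2002:21:51:13 +0000] "GET /_vti_bin/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 281',
]

def scan(lines):
    """Return (ip, timestamp, path) for each request whose path matches PROBE."""
    hits = []
    for line in lines:
        m = LOG.match(line)
        if m and PROBE.search(m.group(3)):
            hits.append((m.group(1), datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z"), m.group(3)))
    return hits

class Notifier:
    """Stand-in for the module's Berkeley DB: when was each host last reported."""
    def __init__(self, window=timedelta(days=7)):
        self.window = window
        self.last_reported = {}  # ip -> datetime of the last report naming it

    def nightly_report(self, hits, now):
        """One entry per netblock (/24 here, standing in for the ARIN/APNIC lookup) listing
        hosts not reported within the window, so each contact gets at most one mail a night."""
        report = {}
        for ip in sorted({ip for ip, _, _ in hits}):
            last = self.last_reported.get(ip)
            if last is not None and now - last < self.window:
                continue  # already reported this week: stay quiet
            self.last_reported[ip] = now
            report.setdefault(str(ip_network(f"{ip}/24", strict=False)), []).append(ip)
        return report

def demo():
    """Three nightly cron passes over the same hits; returns the three reports."""
    n, hits = Notifier(), scan(SAMPLE_LOG)
    night = datetime(2002, 1, 30, tzinfo=timezone.utc)
    return (n.nightly_report(hits, night),                         # first night: both hosts
            n.nightly_report(hits, night + timedelta(days=1)),     # within the week: nothing
            n.nightly_report(hits, night + timedelta(days=8)))     # window elapsed: reported again
```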

Re: Apache::Nimda (was Re: apache and nimbda)

Posted by Damien Dye <da...@madwire.co.uk>.
----- Original Message ----- 
From: "jon schatz" <jo...@divisionbyzero.com>
To: <fo...@securityfocus.com>; <us...@httpd.apache.org>
Sent: Tuesday, January 29, 2002 8:48 PM
Subject: Apache::Nimda (was Re: apache and nimbda)

>This conversation has reminded me of something I started writing several
>times in the past 8 months or so, an apache module to handle blocking /
>notifying of infected hosts. While i appreciate what EarlyBird does, I
>think its implementation could be improved (ie, grep'ing through a flat
>file to see if a host has been blocked / notified before). So I started
>on this module in perl. Initially, i had a configuration file that was
>read in upon startup containing regexes matching .exe/.ida/../../../ /
>etc. I went through a couple of versions using different methods to log
>previous attacks so that the same admin wasn't notified multiple times
>(flatfile originally, then berkeley db, then mysql), and then I stopped.
>The average admin isn't going to want to run mysql (or any other db
>daemon) on their box simply to not have to parse through webserver logs
>anymore. So i think i'm going to go back and rewrite based on berkeley
>db again. This is a request for input on what features you (admins)
>would like / appreciate / wish for. Currently, this module does the
>following:

>1) logs the attack, and provides an event based handler for responding
>(ie, firewall rules, realtime email/monitoring notification,
>counterattack, etc)

Is that using a netfilter/iptables rule?
Counter attack? Do you mean dump a warning on the user's desktop!

>2) once a night (via cron), the db is parsed, and email to admins is
>prepared. No admin/abuse contact receives more than one email per night
>(all hosts from that netblock are condensed into one report), and no one
>is notified about a host more than once per week. These are all
>configurable (not easily yet). There's also an email template file that
>you can edit. the code that looks up admins via arin/apnic/etc is
>currently real dirty; this actually has been the most difficult task
>involved in the project.

This will work with the default apache logs?

>And that's that. suggestions? ideas? one thing i was bouncing around was
>a cgi-generated page that allows you to choose who gets notified and who
>doesn't (like spamcop).

Sounds good, makes admin easier!!

> I'm nervous about sending email unattended, even
>though i've tested it a bit. So i'll probably have this ready for public
>review sometime this weekend. I doubt i can get it in the Apache::
>namespace though, but i'll let you all know when it's up in my cpan
>directory. It may take longer than this because 1) i'm moving this week,
>2) i have no dsl at my new place, and 3) i'm in the middle of a launch
>at my day job, but we'll see.
>
>-jon

Let us know when it's done and how to integrate it.

Thanks

--
Damien J Dye
Madwire Admin
damien@madwire.co.uk
LFS ID is: 2305

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org