Posted to users@httpd.apache.org by Rich Bowen <rb...@rcbowen.com> on 2002/12/25 01:48:47 UTC

[users@httpd] Foiling Code Red and Nimda (Was Re: redirect)

On Tue, 24 Dec 2002, Rich Bowen wrote:

> On Tue, 24 Dec 2002, Ryan Panning wrote:
>
> > The best way of doing this is to block the IP that the requests are coming
> > from. Look at your logs and determine the IP. Then go to your router or
> > firewall configurations and add that IP to the list to block. You'll have to
> > look at your router/firewall manual on how to do that.
>
> It is not nearly that simple. The requests come from infected
> Windows/IIS machines, and there are thousands of these.
>
> There is a mod_perl handler on CPAN called Apache::CodeRed, which is a
> good start. However, due to the numerous times this question is asked,
> I'm trying to write up a doc that covers all the many solutions to this
> problem. I'll get back to the list with this information, perhaps later
> this week.

OK, looks like I'm not going to have much time to do this this week, but
here are two pointers.

One: Apache::CodeRed. Find it at
http://cpan.org/modules/by-module/Apache/  Easy to install, easy to
configure. But needs mod_perl, so if you don't have that, you're out of
luck.
Also, you might consider my hacked version of this, which adds the
address to your firewall deny list. I think I should probably leave that
as an exercise, but basically you have it call a suid script, which
takes an IP address as the argument, and adds a host to your firewall.
Presumably you could do this from a CGI program as well, and invoke that
thus:

# Action comes from mod_actions; /cgi-bin/ must be a ScriptAlias'd directory
Action codered /cgi-bin/code_red.cgi
# (/|$) at the end: LocationMatch sees only the path, so a bare /default.ida
# or /scripts/root.exe has nothing after the name. Nimda probes /msadc/ and
# /MSADC/ (case differs between probes), so both spellings are listed.
<LocationMatch "/(default\.ida|msadc|root\.exe|MSADC|system32)(/|$)">
    SetHandler codered
</LocationMatch>

The cgi would look something like:

#!/usr/bin/perl
use strict;
use warnings;
# REMOTE_ADDR is filled in by Apache from the socket, but check it anyway
my ($ip) = ($ENV{REMOTE_ADDR} || '') =~ /^(\d{1,3}(?:\.\d{1,3}){3})$/;
# list-form system(): no shell, so the argument is passed through untouched
system('/usr/bin/BLOCK', $ip) if defined $ip;   # BLOCK is the suid firewall helper
print "Content-type: text/html\n\n";
print "bye, now.";

This will get rid of error log entries, as it will be a valid URL. This
is probably my most recommended approach, unless you want to use
Apache::CodeRed, which also sends email to the domain contacts and ISP
contacts, which is perhaps the best thing to do, but generates a lot of
bounce messages.

Two: Conditional logging. See tutorial at
http://httpd.apache.org/docs/logs.html#conditional  or, for the recipe
version, you need the following:

SetEnvIf REQUEST_URI "default.ida" dont-log
CustomLog logs/access_log combined env=!dont-log

As noted previously, this only covers the access log. The error log is
trickier. One way to handle this is to actually redirect these requests
to a virtual host, with a /dev/null'ed error log. That is how I handled
it before I started firewalling them.

However, this, in conjunction with the recommended CGI program will
eliminate all log entries other than the initial access to the CGI
program, which can also be eliminated if you use the conditional logging
trick.

Note two things about the firewall thing. If you have a busy site, this
is *NOT* recommended, as it will cause your firewall list to grow to an
absurd size. I'm doing this on a home dsl account. Two, if you firewall
them, you'll get one entry in the error log, perhaps, but no more. There
will be log entries in your firewall log, probably. These are far more
satisfying. Reset your firewall deny list periodically.

And have a nice Christmas.

-- 
And everyone said, "If we only live,
We too will go to sea in a Sieve -
To the hills of the Chankly Bore!"
 (The Jumblies, by Edward Lear)
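
The post blocks probing hosts inline from a CGI and then warns that on a busy site the firewall list grows without bound and has to be reset by hand. Here is the same idea done offline, as an added example that is not part of the original message: pick the probe sources out of a combined-format access log, and keep them in a deny list whose entries age out per address instead of being flushed wholesale. The log lines are constructed for the example, the CODERED iptables chain is a hypothetical name (it is assumed to exist already), and the probe patterns are the ones the post's LocationMatch uses plus cmd.exe. The trailing (/|\?|$) in the pattern is the detail the post's regex was missing: the real probe paths end at the filename or a query string, and without the terminator a harmless /docs/default.idaho/ would be caught too.

```python
"""Pull Code Red / Nimda probe sources out of an Apache "combined" access log
and keep them in a firewall deny list that ages its entries out."""
import re
from datetime import datetime

# Path fragments from the post's LocationMatch, plus cmd.exe (what Nimda is
# really after). Case-insensitive because the probes mix /msadc/ and /MSADC/.
PROBE_RE = re.compile(
    r'/(default\.ida|msadc|root\.exe|system32|cmd\.exe)(/|\?|$)', re.IGNORECASE)

# host ident user [time] "method uri proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})')

# Constructed sample, not real traffic: two probing hosts, two innocent ones.
SAMPLE_LOG = [
    '192.0.2.10 - - [24/Dec/2002:13:02:11 +0000] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090%u6858%ucbd3 HTTP/1.0" 404 294 "-" "-"',
    '192.0.2.11 - - [24/Dec/2002:13:03:45 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 287 "-" "-"',
    '192.0.2.11 - - [24/Dec/2002:13:03:46 +0000] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 285 "-" "-"',
    '192.0.2.11 - - [24/Dec/2002:13:03:47 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 293 "-" "-"',
    '198.51.100.7 - - [24/Dec/2002:13:05:00 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '198.51.100.8 - - [24/Dec/2002:13:06:12 +0000] "GET /docs/default.idaho/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Return (ip, epoch_seconds, uri) for a combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(m.group('time'), '%d/%b/%Y:%H:%M:%S %z')
    return m.group('ip'), when.timestamp(), m.group('uri')


def is_probe(uri):
    return PROBE_RE.search(uri) is not None


def probe_sources(lines):
    """Map each probing IP to {'count': hits, 'last_seen': epoch seconds}."""
    sources = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, when, uri = rec
        if not is_probe(uri):
            continue
        entry = sources.setdefault(ip, {'count': 0, 'last_seen': 0.0})
        entry['count'] += 1
        entry['last_seen'] = max(entry['last_seen'], when)
    return sources


class BlockList:
    """Deny list with a per-address TTL, so the firewall rule set stops growing
    on a busy site without a blanket reset."""

    def __init__(self, ttl_seconds=24 * 3600):
        self.ttl = ttl_seconds
        self.expiry = {}  # ip -> epoch seconds after which its rule is dropped

    def add(self, ip, seen_at):
        """(Re)arm the entry; a repeat probe extends the block."""
        self.expiry[ip] = max(self.expiry.get(ip, 0.0), seen_at + self.ttl)

    def expire(self, now):
        """Remove stale entries and return them so the caller can delete rules."""
        stale = sorted(ip for ip, exp in self.expiry.items() if exp <= now)
        for ip in stale:
            del self.expiry[ip]
        return stale

    def active(self, now):
        return sorted(ip for ip, exp in self.expiry.items() if exp > now)


def block_list_from_log(lines, ttl_seconds=24 * 3600):
    bl = BlockList(ttl_seconds)
    for ip, entry in probe_sources(lines).items():
        bl.add(ip, entry['last_seen'])
    return bl


def firewall_commands(ips, chain='CODERED'):
    """iptables rules in a dedicated chain (hypothetical name, assumed to exist),
    so a full reset is a single 'iptables -F CODERED'."""
    return ['iptables -A %s -s %s -j DROP' % (chain, ip) for ip in ips]


if __name__ == '__main__':
    sources = probe_sources(SAMPLE_LOG)
    newest = max(e['last_seen'] for e in sources.values())
    for cmd in firewall_commands(block_list_from_log(SAMPLE_LOG).active(newest)):
        print(cmd)
```

Run it from cron against the rotated log, feed the output of active() to the firewall and the output of expire() to the matching iptables -D calls, and the list stays bounded by the number of hosts that probed you in the last TTL rather than everything that ever did. Because the match runs over the logged request line, which includes the query string, the pattern accepts ? as a terminator; the LocationMatch in the post only ever sees the path, which is why it needs just (/|$).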


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org