"Nimda"?

From: Bradley, Tony (tony.bradleyat_private)
Date: Tue Feb 26 2002 - 16:51:16 PST

    Not to start a Microsoft vs. Open Source debate regarding security, but for
    me personally my Microsoft systems are more secure simply because I am more
    familiar with the operating system(s) and the software and I have more
    security experience on that platform.
    
    I recently built a Redhat Linux 7.0 server to use as a web server. I am
    quite sure it is entirely insecure because I barely know enough to get
    around in Linux, much less how to configure and secure it. I installed
    Apache web server and after much trial and error at least got my sites to
    work and got the CGI scripts to work. 
    
    However, I have noticed in my logs that I have about 1000 "Nimda"-like hits
    a day. I have cut & pasted a portion of my log below.
    
    [26/Feb/2002:18:37:19 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
    [26/Feb/2002:18:37:19 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
    [26/Feb/2002:18:37:20 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
    [26/Feb/2002:18:37:20 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
    [26/Feb/2002:18:37:20 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 294
    [26/Feb/2002:18:37:20 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 294
    
    First of all, since these hits are trying to access Windows directories do
    they pose any threat to my Linux machine? Second of all, is there any way
    for me to block these types of hits from my server?
    
    If anyone can recommend a good book or resource for hardening my Linux
    server and / or any good IDS, antivirus and other such security tools that
    would be appreciated as well.
    
    Thanks-
    
    Tony Bradley, MCSE, MCSA, MCP, A+
    Threat & Vulnerability Monitor
    EDS GM Global Information Protection Programme
    Electronic Data Systems
    
    "We find comfort among those who agree with us-growth among those who
    don't."  ~ Frank A. Clark ~
    
      
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
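As an added illustration (not part of the post or any reply), the script below picks the worm-style requests quoted above out of an Apache access log and counts them per client address. It decodes each request path twice, labels the overlong-UTF-8 (`%c0%af`) and double-encoded (`%%35c`) traversal variants, and records the status code so you can confirm that a non-IIS host answered every one of them with a 4xx. The sample log is constructed: the paths are the ones from the post, the client addresses, sizes and the two benign requests are made up.

```python
import re
from collections import Counter
from urllib.parse import unquote_to_bytes

# Constructed sample in Apache common log format: the request paths are the ones
# quoted in the post, the client addresses and the two benign requests are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Feb/2002:18:37:19 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
10.0.0.5 - - [26/Feb/2002:18:37:20 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
10.0.0.5 - - [26/Feb/2002:18:37:20 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 294
192.0.2.9 - - [26/Feb/2002:18:40:01 -0500] "GET /index.html HTTP/1.0" 200 1532
192.0.2.9 - - [26/Feb/2002:18:40:02 -0500] "GET /cgi-bin/guestbook.cgi?page=2 HTTP/1.0" 200 812
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')
TARGET_RE = re.compile(rb'(cmd|root)\.exe', re.IGNORECASE)

def classify(path):
    """Label a request path that reaches for cmd.exe/root.exe, or return None."""
    once = unquote_to_bytes(path)    # first percent-decode, as the web server does
    twice = unquote_to_bytes(once)   # second decode exposes the %%35c / %255c trick
    if not TARGET_RE.search(twice):
        return None
    # 0xC0 and 0xC1 never start a valid UTF-8 sequence; 0xC0 0xAF is an overlong '/'
    if any(b in (0xC0, 0xC1) for b in once):
        return "overlong-utf8-traversal"
    if twice != once:
        return "double-decode-traversal"
    return "cmd.exe-probe"

def analyze(log_text):
    """Return (probe count per client address, list of (ip, label, status, path))."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, _ts, _method, path, status, _size = m.groups()
        label = classify(path)
        if label:
            hits.append((ip, label, int(status), path))
    return Counter(ip for ip, *_ in hits), hits

if __name__ == "__main__":
    per_source, hits = analyze(SAMPLE_LOG)
    for ip, n in per_source.most_common():
        print(f"{ip}: {n} worm-style probes")
    for ip, label, status, path in hits:
        outcome = "served" if status < 400 else "rejected"  # non-IIS hosts answer 4xx
        print(f"  {status} {outcome} {label:<25} {path}")
```

The per-address counts are what you would feed into a firewall rule or log-based blocker; the status column shows the requests never found anything to execute on an Apache/Linux host.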
    



    This archive was generated by hypermail 2b30 : Tue Feb 26 2002 - 18:19:43 PST