>>>>> "bt" == Bradley, Tony <tony.bradleyat_private> writes:

bt> However, I have noticed in my logs that I have about 1000 "Nimda"-like hits
bt> a day. I have cut & paste a portion of my log below.

bt> [26/Feb/2002:18:37:19 -0500] "GET
bt> /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
bt> [26/Feb/2002:18:37:19 -0500] "GET
bt> /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
bt> [26/Feb/2002:18:37:20 -0500] "GET
bt> /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
bt> [26/Feb/2002:18:37:20 -0500] "GET
bt> /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
bt> [26/Feb/2002:18:37:20 -0500] "GET
bt> /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 294
bt> [26/Feb/2002:18:37:20 -0500] "GET
bt> /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 294

bt> First of all, since these hits are trying to access Windows directories do
bt> they pose any threat to my Linux machine? Second of all, is there any way
bt> for me to block these types of hits from my server?

No threat at all. Read 'em and laugh.

There's no way to stop the requests coming in, as you have no idea where to
expect them from. You can blackhole or deny hosts as you find their IPs, but I
get hit from all over the net, all day, every day. It's not worth keeping the
list up-to-date, as it's harmless. Right now, they're going 404 Not Found,
which is fine. If you want to, there are various things you can do to slow
down the scanners, make them have a harder time walking past your box, but I
just ignore them. If you feel really helpful, track down the owners of the
offending netblocks and contact them. This gets old quickly.

bt> If anyone can recommend a good book or resource for hardening my Linux
bt> server and / or any good IDS, antivirus and other such security tools that
bt> would be appreciated as well.

IDS: Snort, hands down.
http://www.snort.org

Antivirus: There's not much in the way of Linux/UNIX viruses yet. There are a
couple of reference implementations, and white papers on how to infect ELF
binaries, but they've not really made it into the wild yet.

Host based integrity checking: http://www.tripwire.org/

As for how to learn and lock it down, a google search on 'securing linux' will
get you some excellent links.

ericb
--
Eric Brandwine     | Loyalty to the Country always; loyalty to the government
UUNetwork Security | when it deserves it.
ericbat_private    |
+1 703 886 6038    |                                           - Mark Twain
Key fingerprint = 3A39 2C2F D5A0 FC7C 5F60 4118 A84A BD5D 59D7 4E3E

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
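The encoded traversal forms quoted above (%c0%af, %c1%9c, the double-encoded %%35%63) are all aimed at the same decoder bug, so a log triage script has to normalise them the same way the targeted server did before it can count them. The Python below is an added example, not code from the post or the list: it percent-decodes each request path twice, folds the overlong UTF-8 forms of '/' and '\' to single bytes, and flags any request that climbs directories or names cmd.exe. The sample log lines are constructed to mirror the quoted entries and are not from a real server.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample lines modelled on the ones quoted in the post (the host
# field is omitted there too); the last two lines are benign negatives.
SAMPLE_LOG = """\
[26/Feb/2002:18:37:19 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
[26/Feb/2002:18:37:20 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
[26/Feb/2002:18:37:20 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 294
[26/Feb/2002:18:37:21 -0500] "GET /scripts/%2e%2e%2f%2e%2e%2fwinnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
[26/Feb/2002:18:38:02 -0500] "GET /index.html HTTP/1.0" 200 1024
[26/Feb/2002:18:38:05 -0500] "GET /docs/release..notes.html HTTP/1.0" 200 2048
"""

LINE_RE = re.compile(r'\[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')

def fold_overlong(raw: bytes) -> bytes:
    # Collapse 0xC0/0xC1-led 2-byte sequences (overlong UTF-8 for '/' and '\')
    # into the single byte they encode, as the targeted IIS decoder did.
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] in (0xC0, 0xC1) and i + 1 < len(raw):
            out.append(((raw[i] & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return bytes(out)

def normalize_path(path: str) -> str:
    # Decode twice (%%35%63 -> %5c -> '\'), fold overlong UTF-8, unify separators.
    raw = path.encode("latin-1", "replace")
    for _ in range(2):
        raw = fold_overlong(unquote_to_bytes(raw))
    return raw.decode("latin-1").replace("\\", "/")

def is_traversal_probe(path: str) -> bool:
    norm = normalize_path(path)
    return "/../" in norm or norm.startswith("../") or "/winnt/system32/cmd.exe" in norm.lower()

def scan_log(text: str) -> list:
    """Return (timestamp, raw path, status) for each probe found in the log text."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and is_traversal_probe(m["path"]):
            hits.append((m["ts"], m["path"], int(m["status"])))
    return hits

if __name__ == "__main__":
    for ts, path, status in scan_log(SAMPLE_LOG):
        print(ts, status, path)
```

Feeding a real access log through scan_log gives the daily count the poster mentions, and the status column confirms the requests are still being refused.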
This archive was generated by hypermail 2b30 : Wed Feb 27 2002 - 08:46:08 PST