On 26/02/02 19:51 -0500, Bradley, Tony wrote:
> However, I have noticed in my logs that I have about 1000 "Nimda"-like hits
> a day. I have cut & paste a portion of my log below.

You can safely ignore these. They do no harm.

> First of all, since these hits are trying to access Windows directories do
> they pose any threat to my Linux machine? Second of all, is there any way
> for me to block these types of hits from my server?

You can go in for a reverse proxy firewall (toss squid in front). Or you
might use the iptables string match functionality. This was discussed in
the list when nimda first hit.

> If anyone can recommend a good book or resource for hardening my Linux
> server and / or any good IDS, antivirus and other such security tools that
> would be appreciated as well.

Since this is a RH box, "Securing and Optimizing RedHat Linux" on
http://www.linuxdoc.org is what would be your first step.

Simple method (from scratch):

Make a lean base install. You don't need development tools. I recommend a
debugger though (strace and ltrace are very useful).

Bring the box into single user mode, and up the network stack
(/etc/init.d/network start). No other services. Verify with netstat that
nothing is listening.

Download and apply all relevant patches (ftp://updates.redhat.com/ or a
mirror). Get the latest stable kernel, and compile (recommended but not
absolutely necessary).

Disconnect the network cable, and bring the box into run level 3
(currently, reboot, since you also upgrade your kernel). Ensure that only
the services you want run, all others are to be turned off.

    # chkconfig service off

Install tripwire if not installed from the installation media. Generate the
tripwire database. Move it to a RO medium like CDR.

Snort (http://www.snort.org) is a good NIDS. I suggest installing logcheck
as well (http://www.psionic.com).

Connect the network cable. You are running :).

Then just keep on the lookout for patches and security advisories.

HTH.

Devdas Bhagat

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
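An added example, not part of Devdas's post, for the "verify with netstat that nothing is listening" and "chkconfig service off" steps of the hardening recipe above: a small POSIX shell script that reads netstat -tlnp style output, compares each listening program against an allowlist of services you intend to run, and prints the chkconfig lines an admin would review before running them. The allowlist, the sample netstat output and the program-to-service mapping are constructed for the example; on a real box you would pipe the live netstat output in instead of the embedded sample.

```shell
#!/bin/sh
# Audit listening TCP sockets against an allowlist of intended services.
# Everything below is constructed for illustration (not from the post).

# Services that are allowed to listen (constructed allowlist).
ALLOWED="sshd httpd"

# Constructed sample of `netstat -tlnp` output, in the layout netstat used
# on a Red Hat box of that era. Replace with: netstat -tlnp | unexpected_listeners
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      412/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      530/httpd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      301/portmap
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      470/sendmail
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      389/xinetd'

# unexpected_listeners: read netstat-style lines on stdin and print one
# "port program" pair for every LISTEN socket whose program is not allowed.
unexpected_listeners() {
    awk -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $6 == "LISTEN" {
            n = split($4, addr, ":"); port = addr[n]      # last field after the colon
            split($7, prog, "/"); name = prog[2]          # "412/sshd" -> "sshd"
            if (name == "") name = "unknown"              # netstat prints "-" without root
            if (!(name in ok)) print port, name
        }'
}

# disable_commands: turn "port program" pairs into chkconfig lines for review.
# Program name is assumed to equal the init script name (true for the sample;
# check /etc/init.d on a real box before running the output).
disable_commands() {
    while read -r port name; do
        printf 'chkconfig %s off   # was listening on port %s\n' "$name" "$port"
    done
}

# count_unexpected: number of listeners outside the allowlist in the sample.
count_unexpected() {
    printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners | disable_commands
```

Two things worth keeping in mind when using something like this for real: services started by xinetd are switched off in /etc/xinetd.d rather than by a chkconfig line for the program name, and a clean result from this check still does not cover UDP listeners, so run the same pass over netstat -ulnp as well.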
This archive was generated by hypermail 2b30 : Wed Feb 27 2002 - 10:53:55 PST