Re: "Nimda"?

From: Devdas Bhagat (devdasat_private)
Date: Wed Feb 27 2002 - 00:40:06 PST


    On 26/02/02 19:51 -0500, Bradley, Tony wrote:
    > However, I have noticed in my logs that I have about 1000 "Nimda"-like hits
    > a day. I have cut & paste a portion of my log below. 
    You can safely ignore these. They do no harm.
    
    > First of all, since these hits are trying to access Windows directories do
    > they pose any threat to my Linux machine? Second of all, is there any way
    > for me to block these types of hits from my server?
    You can go in for a reverse proxy firewall (toss squid in front). Or you
    might use the iptables string match functionality.
    This was discussed in the list when Nimda first hit.
    
    > If anyone can recommend a good book or resource for hardening my Linux
    > server and / or any good IDS, antivirus and other such security tools that
    > would be appreciated as well.
    Since this is a RH box, "Securing and Optimizing RedHat Linux" on
    http://www.linuxdoc.org is what would be your first step. 
    
    Simple method (from scratch):
    
    Make a lean base install. You don't need development tools. I recommend
    a debugger though (strace and ltrace are very useful).
    
    Bring the box into single user mode, and up the network stack
    (/etc/init.d/network start). No other services. Verify with netstat that
    nothing is listening.
    
    Download and apply all relevant patches (ftp://updates.redhat.com/ or a
    mirror).
    
    Get the latest stable kernel, and compile (recommended but not
    absolutely necessary).
    
    Disconnect the network cable, and bring the box into run level 3
    (currently, reboot, since you are also upgrading your kernel).
    
    Ensure that only the services you want are running; all others are to be
    turned off.
    # chkconfig service off
    
    Install tripwire if not installed from the installation media.
    Generate the tripwire database. Move it to a RO medium like CDR.
    
    Snort (http://www.snort.org) is a good NIDS.
    
    I suggest installing logcheck as well (http://www.psionic.com).
    
    Connect the network cable.
    You are running :).
    
    Then just keep on the lookout for patches and security advisories.
    
    HTH.
    Devdas Bhagat
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
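An added example, not code from the post above: shell helpers for the "only the services you want run" and "verify with netstat that nothing is listening" steps. They work on `chkconfig --list` and `netstat -tln` output passed in as text (assumed to be the Red Hat 7.x formats shown in the constructed samples), so the decision logic can be checked before anything is switched off.

```shell
#!/bin/sh
# Added example, not from the original post: helpers for the "only the services
# you want" step. They take `chkconfig --list` and `netstat -tln` output as
# text (assumed to be the RH 7.x formats shown in the samples below), so the
# decision logic can be checked offline before anything is turned off.

# Print services enabled at the given run level (default 3) that are not in
# the space-separated allow list.  Reads `chkconfig --list` on stdin.
services_to_disable() {
    allow=" $1 "
    rl="${2:-3}"
    awk -v allow="$allow" -v rl="$rl" '
        # SysV entries: name 0:off 1:off 2:on 3:on 4:on 5:on 6:off
        # (the indented "xinetd based services" block is ignored here)
        $2 ~ /^[0-6]:/ {
            for (i = 2; i <= NF; i++) {
                split($i, f, ":")
                if (f[1] == rl && f[2] == "on" && index(allow, " " $1 " ") == 0)
                    print $1
            }
        }'
}

# Turn the list into chkconfig commands; pipe to sh only after reviewing it.
disable_commands() {
    services_to_disable "$1" "$2" | while read -r svc; do
        printf 'chkconfig %s off\n' "$svc"
    done
}

# Count TCP sockets listening on non-loopback addresses (`netstat -tln` on stdin).
# After "network start" in single user mode this should print 0.
listening_count() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" && $4 !~ /^127\./ { n++ } END { print n+0 }'
}

# Constructed sample output, not captured from a real box.
SAMPLE_CHKCONFIG='sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
httpd           0:off   1:off   2:off   3:on    4:off   5:on    6:off
portmap         0:off   1:off   2:off   3:on    4:on    5:on    6:off
xinetd based services:
        telnet: on'
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN'

printf '%s\n' "$SAMPLE_CHKCONFIG" | disable_commands "sshd httpd" 3   # sendmail, portmap
printf '%s\n' "$SAMPLE_NETSTAT" | listening_count                     # 2
```

On a live box the same functions are fed with `chkconfig --list | services_to_disable "sshd httpd"` and `netstat -tln | listening_count`.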
    
    This archive was generated by hypermail 2b30 : Wed Feb 27 2002 - 10:53:55 PST