httpd-users mailing list archives

From "Damien Dye" <dam...@madwire.co.uk>
Subject Re: Apache::Nimda (was Re: apache and nimbda)
Date Tue, 29 Jan 2002 21:04:27 GMT
----- Original Message ----- 
From: "jon schatz" <jon@divisionbyzero.com>
To: <focus-linux@securityfocus.com>; <users@httpd.apache.org>
Sent: Tuesday, January 29, 2002 8:48 PM
Subject: Apache::Nimda (was Re: apache and nimbda)

>This conversation has reminded me of something I started writing several
>times in the past 8 months or so, an apache module to handle blocking /
>notifying of infected hosts. While I appreciate what EarlyBird does, I
>file to see if a host has been blocked / notified before). So I started
>read in upon startup containing regexes matching .exe/.ida/../../../ /
>etc. I went through a couple of versions using different methods to log
>previous attacks so that the same admin wasn't notified multiple times
>(flatfile originally, then berkeley db, then mysql), and then I stopped.
>The average admin isn't going to want to run mysql (or any other db
>daemon) on their box simply to not have to parse through webserver logs
>anymore. So I think I'm going to go back and rewrite based on berkeley
>db again. This is a request for input on what features you (admins)
>would like / appreciate / wish for. Currently, this module does the
>following:

>1) logs the attack, and provides an event-based handler for responding
>(i.e., firewall rules, realtime email/monitoring notification,
>counterattack, etc)

That using netfilter/iptables rules?
Counterattack? Do you mean dump a warning on the user's desktop!

>2) once a night (via cron), the db is parsed, and email to admins is
>prepared. No admin/abuse contact receives more than one email per night
>(all hosts from that netblock are condensed into one report), and no one
>is notified about a host more than once per week. These are all
>configurable (not easily yet). There's also an email template file that
>you can edit. The code that looks up admins via arin/apnic/etc is
>currently real dirty; this actually has been the most difficult task
>involved in the project.

This will work with the default Apache logs?

>And that's that. Suggestions? Ideas? One thing I was bouncing around was
>a cgi-generated page that allows you to choose who gets notified and who
>doesn't (like spamcop).

Sounds good, makes admin easier!!

> I'm nervous about sending email unattended, even
>though I've tested it a bit. So I'll probably have this ready for public
>review sometime this weekend. I doubt I can get it in the Apache::
>namespace though, but I'll let you all know when it's up in my cpan
>directory. It may take longer than this because 1) I'm moving this week,
>2) I have no dsl at my new place, and 3) I'm in the middle of a launch
>at my day job, but we'll see.
>
>-jon

Let us know when it's done and how to integrate it.

Thanks

--
Damien J Dye
Madwire Admin
damien@madwire.co.uk
LFS ID is: 2305
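A Python sketch, added here and not jon's module, of the two pieces the thread describes: matching default Apache common-log lines against probe signatures of the .exe/.ida/../../ kind, then building one report per netblock while skipping hosts already reported within the past week. The log lines and signature list are constructed for the example, and the /24 grouping stands in for the whois-based netblock lookup jon mentions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

# Probe signatures of the kind the thread mentions (cmd.exe/root.exe, .ida, ../../).
# Constructed for this example; jon's module reads its regex list from a file.
SIGNATURES = [re.compile(p, re.I) for p in (
    r"/(cmd|root)\.exe", r"\.ida\b", r"(\.\./){2,}", r"%c0%af|%255c")]
# Apache Common Log Format: host ident user [date] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+')
# Constructed sample access_log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [29/Jan/2002:21:04:27 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 289
10.0.0.5 - - [29/Jan/2002:21:04:28 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289
10.0.0.9 - - [29/Jan/2002:21:05:01 +0000] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 289
10.0.1.7 - - [29/Jan/2002:21:06:12 +0000] "GET /_vti_bin/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289
192.0.2.10 - - [29/Jan/2002:21:07:00 +0000] "GET /index.html HTTP/1.0" 200 1043
"""

def parse_clf(line):
    """Return (host, timestamp, request, status) or None if the line is not CLF."""
    m = CLF.match(line)
    if not m:
        return None
    host, stamp, request, status = m.groups()
    return host, datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z"), request, int(status)

def is_probe(request):
    return any(s.search(request) for s in SIGNATURES)

def scan(lines):
    """Map each probing host to the time it was first seen in the log."""
    hits = {}
    for line in lines:
        rec = parse_clf(line)
        if rec and is_probe(rec[2]):
            hits.setdefault(rec[0], rec[1])
    return hits

def build_reports(hits, notified, now, quiet=timedelta(days=7), prefix=24):
    """Group hosts into one report per netblock, skipping hosts already
    reported within `quiet`. A /24 stands in for the whois netblock lookup."""
    reports = defaultdict(list)
    for host in sorted(hits):
        last = notified.get(host)
        if last is not None and now - last < quiet:
            continue
        reports[str(ip_network(f"{host}/{prefix}", strict=False))].append(host)
    return dict(reports)
```

Feeding the nightly run an up-to-date `notified` map (host to last report time) is what keeps the once-per-week rule honest across runs.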

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

