
Re: [suse-security] HTTP Strange LOG



On Thu, 2003-07-10 at 11:50, Peter van den Heuvel wrote:
> > I think a protection can only let pass established connection through
> > your iptables firewall and drop all ports used by known trojans. The
> > best is to drop all trojan connections (INPUT-, FORWARD- and
> > OUTPUT-CHAIN).
> 
> 1) "To only let pass an established connection"? Please explain how you 
> imagine connections getting established as at that stage they are NOT 
> yet established and no traffic will pass.

With iptables you can look into the TCP traffic using the mangle-option.
By letting through only established IP connections, you can filter out
connections like those from scanners or connections that use an unrelated
protocol that is allowed on that port.


> 2) Code red is a worm and its propagation does not relate to it also 
> being a trojan.

OK, the security risk is not so much. That is only an act of cling.

> Code red in fact uses http over port 
> 80. In fact a mighty security suggestion: block port 80 towards your 
> web-server.

Block port 80 for some known addresses and mangle the connections on port
80 toward your webserver. Blocking all toward the webserver can cause
that no webpages can be requested from outside. I think.

Regards,
Ruprecht


-----------------------------------------------
Ruprecht Helms IT-Service & Softwareentwicklung

Tel./Fax  +49[0]7621 16 99 16
Homepage: http://www.rheyn.de
email:    info@xxxxxxxx
------------------------------------------------
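
Added example, not part of either poster's message: a stateful filter ruleset in iptables-restore format that shows how the ESTABLISHED match discussed in this thread depends on a separate rule for NEW connections to the web server port. The function name `web_ruleset` and the variable `WEB_PORT` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: prints a stateful ruleset in iptables-restore format.
# WEB_PORT and web_ruleset are illustrative names, not from the thread.
# Check the output with `iptables-restore --test` (as root) before loading it.

WEB_PORT=80

web_ruleset() {
    cat <<EOF
*filter
# Default-deny inbound and forwarded traffic; outbound stays open.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback traffic is local and always allowed.
-A INPUT -i lo -j ACCEPT
# Packets conntrack cannot associate with any connection (many scan probes).
-A INPUT -m state --state INVALID -j DROP
# Replies and follow-up packets of connections that were already accepted.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# The only way to start a connection: a TCP SYN to the web server port.
# Without a NEW rule like this, nothing could ever become ESTABLISHED.
-A INPUT -p tcp --dport ${WEB_PORT} --syn -m state --state NEW -j ACCEPT
COMMIT
EOF
}

web_ruleset
```

The state match tracks connections, not HTTP content, so a request that arrives over a valid TCP connection to port 80 still reaches the web server.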

