[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [suse-security] HTTP Strange LOG

To: suse-security@xxxxxxxx
Subject: Re: [suse-security] HTTP Strange LOG
From: Peter van den Heuvel <peter@xxxxxxxxxxxxxxxx>
Date: Thu, 10 Jul 2003 13:15:47 +0200
Delivered-to: mailing list suse-security@xxxxxxxx
Delivery-date: Thu, 10 Jul 2003 13:16:39 +0200
Envelope-to: suse@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
List-help: <mailto:suse-security-help@suse.com>
List-post: <mailto:suse-security@suse.com>
List-subscribe: <mailto:suse-security-subscribe@suse.com>
List-unsubscribe: <mailto:suse-security-unsubscribe-suse=archive.cert.uni-stuttgart.de@suse.com>
Mailing-list: contact suse-security-help@xxxxxxxx; run by ezmlm
Organization: Transaction Technologies B.V.
References: <3147378CA741B546B7DFFBA3070D2E2B07E8A8@xxxxxxxxxxxxxxxxxxxxxxxxxxxx> <200307101106.14294.admin@xxxxxxxxxx> <1057828812.4367.30.camel@xxxxxxxxxxx> <3F0D36C9.8020009@xxxxxxxxxxxxxxxx> <1057833775.25612.42.camel@xxxxxxxxxxx>
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.0) Gecko/20020605

with iptable you can look into the tcp-traffic using the mangle-option.
By letting through only established ipconnections, you can filter out
connections like that from scannern or connections that use a not
related protocoll that is allowed on that port.

At least read the man pages and the Linux Advanced Routing & TrafficControl HOWTO before you post on the subject. Your statement is quitewrong and confuses many concepts and facts. For one thing, "mangle" isnot an option to look into traffic. It is one of the various tables(specifically inteded for packet alteration) of rules that iptables manages.

2) Code red is a worm and it's propagation does not relate to it alsobeing a trojan.
Ok the security-risk is not so much. That is only a act of cling.

No. The question was "how do I protect my webserver from gettingaffected by this traffic". That relates to the worm capabilities and hasnothing to do with the fact that the thing also happens to be a trojan.

Code red in fact uses http over port80. In fact a mighty security suggestion: block port 80 towards yourweb-server.
Block port 80 for some known adresses and mangle the connections on port
80 toward your webserver. Blocking all toward the webserver can cause
that no webpages can be requested from outsite. I think.

Sigh... OK, I forgot the <joke> and </joke> quotes around thisstatement. Anybody else got confused there?


I'm not going to reply to this nonsense anymore.

Peter

PS. And please simply post to the list; most posters read it and do notrequire the carbon copy. Thanks.



--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here

References:
- RE: [suse-security] HTTP Strange LOG
  - From: POULINGUE Cyril FTRD/SVA/LAN
- Re: [suse-security] HTTP Strange LOG
  - From: Mathias Homann
- Re: [suse-security] HTTP Strange LOG
  - From: Ruprecht Helms
- Re: [suse-security] HTTP Strange LOG
  - From: Peter van den Heuvel
- Re: [suse-security] HTTP Strange LOG
  - From: Ruprecht Helms

Prev by Date: Re: [suse-security] HTTP Strange LOG
Next by Date: AW: [suse-security] Q: vsftpd "cd ~ftp" not working
Previous by thread: Re: [suse-security] HTTP Strange LOG
Next by thread: Re[2]: [suse-security] HTTP Strange LOG
Index(es):
- Date
- Thread