On Mon, Feb 18, 2002 at 03:02:44PM -0300, Dark0 wrote:
> after adding
> $IPTABLES -A INPUT -i eth0 -p tcp -d $IP --dport http -m string --string ".exe?/c+tftp" -j DROP
> $IPTABLES -A INPUT -i eth0 -p tcp -d $IP --dport http -m string --string "/default.ida?" -j DROP
>
> to my rc.firewall script I get a lot of
>
> 24.29.116.XX - - [08/Feb/2002:15:56:19 -0300] - 408 -
>
> in my apache logs, how could I modify my iptables script or my
> httpd.conf in order to have a clean log?
I believe it's been said on this list not to employ the --string function to block Nimda/Code Red/etc. attacks. I could be wrong, but I let 'em just go through. What harm is there? You're a clued-in person that's running Apache :)

Put something like this in your httpd.conf file to clean up the logs:

SetEnvIf Request_URI \.exe$ ms_bs
SetEnvIf Request_URI \.dll$ ms_bs
SetEnvIf Request_URI /scripts/\.\. ms_bs
SetEnvIf Request_URI /default\.ida ms_bs
CustomLog /var/log/httpd-access.log combined env=!ms_bs
CustomLog /var/log/httpd-MS-access.log combined env=ms_bs

For some reason that's not catching all the default.ida's going through to my apache server. Apache's handling the request with a 404 error; maybe there is a better way to do it with a handler.

Chris
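The SetEnvIf / CustomLog split above works by matching a regex against Request_URI and routing each line to one of two logs. As an added example (not code from the thread, and not an Apache component), the Python below does the same routing over a few constructed combined-format log lines, and also shows why the patterns as first posted can miss: under PCRE-style regex semantics (which Apache 2.x uses; the older Apache 1.3 regex library may behave differently, so treat that as an assumption here) `\s` means whitespace and `\d` means a digit, so `\scripts\/\.\.` and `\default.ida` never match `/scripts/..` or `/default.ida`. Note also that a 408 line with an empty (`-`) request line carries no Request_URI at all, so no SetEnvIf pattern can route it; the splitter below leaves such lines in the main log for the same reason.

```python
import re

# Corrected SetEnvIf patterns (assumption: PCRE semantics, as in Apache 2.x).
MS_BS_PATTERNS = [
    r"\.exe$",
    r"\.dll$",
    r"/scripts/\.\.",
    r"/default\.ida",
]

# Two of the patterns as originally posted, kept only to show the miss:
# \s is a whitespace class and \d a digit class, not literal 's' / 'd'.
ORIGINAL_PATTERNS = [r"\scripts\/\.\.", r"\default.ida"]


def is_ms_bs(request_uri, patterns=MS_BS_PATTERNS):
    """Mirror 'SetEnvIf Request_URI <regex> ms_bs': unanchored search, any pattern sets the flag."""
    return any(re.search(p, request_uri) for p in patterns)


# Minimal combined-log-format parser: only the quoted request line is needed.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) '
)


def request_uri_of(log_line):
    """Return the Request_URI (path without query string) of a log line, or None if there is none."""
    m = LOG_RE.match(log_line)
    if not m:
        return None
    parts = m.group("request").split(" ")
    if len(parts) < 2:          # e.g. a '-' request line on a 408 timeout
        return None
    # Apache's Request_URI excludes the query string, so strip it before matching.
    return parts[1].split("?", 1)[0]


def split_log(lines):
    """Route lines the way 'CustomLog ... env=!ms_bs' and 'CustomLog ... env=ms_bs' would."""
    clean, noise = [], []
    for line in lines:
        uri = request_uri_of(line)
        if uri is not None and is_ms_bs(uri):
            noise.append(line)
        else:
            clean.append(line)
    return clean, noise


# Constructed sample log lines (not from the thread), combined format.
SAMPLE_LOG = [
    '10.0.0.1 - - [08/Feb/2002:15:56:19 -0300] "GET /index.html HTTP/1.0" 200 1234 "-" "Mozilla/4.0"',
    '10.0.0.2 - - [08/Feb/2002:15:56:20 -0300] "GET /default.ida?XXXX HTTP/1.0" 404 282 "-" "-"',
    '10.0.0.3 - - [08/Feb/2002:15:56:21 -0300] "GET /scripts/../cmd.exe?/c+tftp HTTP/1.0" 404 282 "-" "-"',
    '10.0.0.4 - - [08/Feb/2002:15:56:22 -0300] "GET /cmd.exe?/c+tftp HTTP/1.0" 404 282 "-" "-"',
    '10.0.0.5 - - [08/Feb/2002:15:56:23 -0300] "-" 408 - "-" "-"',
]


if __name__ == "__main__":
    clean, noise = split_log(SAMPLE_LOG)
    print("httpd-access.log    :", len(clean), "lines")
    print("httpd-MS-access.log :", len(noise), "lines")
    for uri in ("/default.ida", "/scripts/.."):
        print(uri, "original patterns:", is_ms_bs(uri, ORIGINAL_PATTERNS),
              "corrected:", is_ms_bs(uri))
```

Running it routes the three worm-style requests to the MS log and leaves the normal request and the 408 line in the main log; the last loop prints `False` for the originally posted patterns and `True` for the corrected ones, which is the behaviour to check for when a SetEnvIf rule silently fails to fire.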