From owner-freebsd-questions Thu Sep 27 19:11:13 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from dv-db.com (dv-db.com [207.159.141.95]) by hub.freebsd.org (Postfix) with ESMTP id 1D1E637B408 for ; Thu, 27 Sep 2001 19:11:10 -0700 (PDT)
Received: from mark2 (host217-35-43-158.in-addr.btopenworld.com [217.35.43.158]) by dv-db.com (8.9.3/8.9.3) with SMTP id DAA02241 for ; Fri, 28 Sep 2001 03:11:02 +0100 (GMT/BST)
Message-ID: <076a01c147c2$b2cc8560$0200a8c0@mark2>
From: "Mark Hughes"
To:
Subject: Nimda....suggestions for minimising impact?
Date: Fri, 28 Sep 2001 03:09:36 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Okay... I've just checked the httpd error log on my FreeBSD box, which is acting as my firewall/gateway for a small home network through an ADSL connection and out into the big wide world.

I'm getting over two thousand scans a day now for Nimda, which I would say is "fairly annoying", to say the least. It pales the 50 or so a day that I was getting before for code-red-a-likes into insignificance - you can see the date the virus was released due to a massive increase in the number of errors, which seems to be doubling every three or four days as well...

So, what I want to know is, what do people recommend for minimising the impact of this? Ideally I'd want to drop the packets just as soon as possible. I don't think I want to get into apache::codered and the like - I just want to minimise the impact and possibly log each IP address that causes an attack once, rather than appending miles and miles of errors to the error log.

So, what do people recommend?

I'm running IPFW, ppp -nat is doing my connection sharing, apache is my webserver... am I best just letting it get on with it, or is there some way I can filter out this crap before it gets in, as it were? I'd rather not disable apache, but it's not vital that it remains externally accessible - would disabling it help at all? Is there anything I can make apache say back to the infected computer that would say "no, get lost", as it were, and make it give up?

Obviously, these will be things that will be useful for anyone with an internet-connected FreeBSD box, I'd guess, due to the nature of the beast.

Thanks in advance,

Mark

--
Mark Hughes - DVD & Film Content Manager, Technical Officer
Digital Spy Ltd
http://www.digitalspy.co.uk/
Your number one source for digital media and entertainment news!

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
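The "log each attacking IP once" part of the question above can be done offline from the existing Apache error log without touching the server. The script below is an added example, not code from the original post or from the FreeBSD list: it parses Apache 1.3-style "File does not exist" error lines, keeps only requests for the files Nimda probes for (root.exe and cmd.exe) and the Code Red target (default.ida), collapses them to one record per source IP with first-seen time and hit count, and prints ipfw deny rules for those hosts. The log excerpt is constructed sample data; the ipfw rule numbering (starting at 1000) is an assumption and must be placed ahead of whatever rule currently allows inbound port 80 on the box. Note that a worm has thousands of sources, so per-IP deny rules mainly buy you a quieter log rather than real protection; the filtering is the same idea either way.

```python
import re
from collections import OrderedDict

# Constructed Apache 1.3 error_log excerpt (sample data for this example, not
# taken from the original post). Nimda requests root.exe and cmd.exe under
# /scripts, /MSADC, /c/ and /d/; Code Red requests default.ida; the favicon
# line is ordinary browser noise that must not be counted.
SAMPLE_LOG = """\
[Fri Sep 28 03:01:12 2001] [error] [client 192.0.2.10] File does not exist: /usr/local/www/data/scripts/root.exe
[Fri Sep 28 03:01:12 2001] [error] [client 192.0.2.10] File does not exist: /usr/local/www/data/MSADC/root.exe
[Fri Sep 28 03:01:13 2001] [error] [client 192.0.2.10] File does not exist: /usr/local/www/data/c/winnt/system32/cmd.exe
[Fri Sep 28 03:02:40 2001] [error] [client 198.51.100.7] File does not exist: /usr/local/www/data/default.ida
[Fri Sep 28 03:03:05 2001] [error] [client 203.0.113.4] File does not exist: /usr/local/www/data/favicon.ico
[Fri Sep 28 03:04:19 2001] [error] [client 192.0.2.10] File does not exist: /usr/local/www/data/d/winnt/system32/cmd.exe
"""

# Apache 1.3 error_log "File does not exist" line: timestamp, client IP, path.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\] "
    r"File does not exist: (?P<path>\S+)$"
)

# Basename of the requested path -> worm family known to probe for it.
WORM_TARGETS = {
    "root.exe": "Nimda",
    "cmd.exe": "Nimda",
    "default.ida": "Code Red",
}


def classify(path):
    """Return the worm family a 404'd path belongs to, or None for ordinary noise."""
    return WORM_TARGETS.get(path.rsplit("/", 1)[-1])


def summarize(log_text):
    """Collapse worm probes to one record per source IP (first hit, count, family).

    Lines that do not parse, or that are not worm probes, are ignored, so the
    result is the once-per-attacker list the poster asked for.
    """
    seen = OrderedDict()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        worm = classify(m.group("path"))
        if worm is None:
            continue
        ip = m.group("ip")
        if ip not in seen:
            seen[ip] = {"first_seen": m.group("ts"), "count": 0, "worm": worm}
        seen[ip]["count"] += 1
    return seen


def ipfw_rules(summary, start=1000):
    """Emit one ipfw deny rule per probing host.

    Rule numbers are an assumption for this example; pick a range that sorts
    before the site's existing allow rule for inbound port 80.
    """
    return [
        "ipfw add %d deny tcp from %s to any 80" % (start + i, ip)
        for i, ip in enumerate(summary)
    ]


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for ip, rec in summary.items():
        print("%-15s %-8s first seen %s, %d probes"
              % (ip, rec["worm"], rec["first_seen"], rec["count"]))
    print("\n".join(ipfw_rules(summary)))
```

To run it against the real log, replace SAMPLE_LOG with the contents of the httpd error log (or read it from a file path); the parse is line-oriented, so a multi-megabyte log is fine.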