Security Incidents mailing list archives

Re: "Nimda"?


From: Devdas Bhagat <devdas () worldgatein net>
Date: Wed, 27 Feb 2002 14:10:06 +0530

On 26/02/02 19:51 -0500, Bradley, Tony wrote:
> However, I have noticed in my logs that I have about 1000 "Nimda"-like hits
> a day. I have cut & paste a portion of my log below.
You can safely ignore these. They do no harm.

> First of all, since these hits are trying to access Windows directories do
> they pose any threat to my Linux machine? Second of all, is there any way
> for me to block these types of hits from my server?
You can go in for a reverse proxy firewall (toss squid in front). Or you
might use the iptables string match functionality. 
This was discussed in the list when nimda first hit.

> If anyone can recommend a good book or resource for hardening my Linux
> server and / or any good IDS, antivirus and other such security tools that
> would be appreciated as well.
Since this is a RH box, "Securing and Optimizing RedHat Linux" on
http://www.linuxdoc.org is what would be your first step. 

Simple method (from scratch):

Make a lean base install. You don't need development tools. I recommend
a debugger though (strace and ltrace are very useful).

Bring the box into single user mode, and up the network stack
(/etc/init.d/network start). No other services. Verify with netstat that
nothing is listening.

Download and apply all relevant patches (ftp://updates.redhat.com/ or a
mirror).

Get the latest stable kernel, and compile (recommended but not
absolutely necessary).

Disconnect the network cable, and bring the box into run level 3
(currently, reboot, since you also upgrade your kernel).

Ensure that only the services you want are running; all others are to be
turned off.
#chkconfig service off

Install tripwire if not installed from the installation media.
Generate the tripwire database. Move it to a RO medium like CDR.

Snort ( http://www.snort.org ) is a good NIDS.

I suggest installing logcheck as well ( http://www.psionic.com ) .

Connect the network cable.
You are running :).

Then just keep on the lookout for patches and security advisories.

HTH.
Devdas Bhagat
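
As an added example (not part of Devdas Bhagat's message), the shell script below checks two of the steps above, "verify with netstat that nothing is listening" and "only the services you want run", against captured `netstat -ltn` and `chkconfig --list` output. The sample outputs, service names and allow-list are constructed assumptions so it runs offline.

```shell
#!/bin/sh
# Added example, not from the original e-mail. The two samples below are
# constructed in the output format of `netstat -ltn` and `chkconfig --list`
# so the script runs without touching a live box.

SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:40122          ESTABLISHED'

SAMPLE_CHKCONFIG='sshd        0:off 1:off 2:on  3:on  4:on  5:on  6:off
syslog      0:off 1:off 2:on  3:on  4:on  5:on  6:off
portmap     0:off 1:off 2:off 3:on  4:on  5:on  6:off
nfs         0:off 1:off 2:off 3:off 4:off 5:off 6:off
httpd       0:off 1:off 2:off 3:on  4:on  5:on  6:off
xinetd based services:
        rsh:    off'

# Print "proto local-address" for every TCP socket in LISTEN state.
# Empty output is the "nothing is listening" state the procedure asks for.
listening_sockets() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" { print $1, $4 }'
}

# Read chkconfig --list on stdin; print a "chkconfig <svc> off" line for
# every service enabled in run level 3 that is not in the allow-list $1.
# Field layout is: name 0:x 1:x 2:x 3:x 4:x 5:x 6:x, so run level 3 is $5.
# xinetd lines ("rsh: off") have fewer fields and are skipped.
unwanted_services() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF >= 8 && $5 == "3:on" && !($1 in ok) { print "chkconfig " $1 " off" }
    '
}

# Live use on the box: netstat -ltn | listening_sockets
#                      chkconfig --list | unwanted_services "sshd syslog httpd"
printf '%s\n' "$SAMPLE_NETSTAT" | listening_sockets
printf '%s\n' "$SAMPLE_CHKCONFIG" | unwanted_services "sshd syslog httpd"
```

With the sample data this reports the two listening sockets (22 and 25) and suggests turning off portmap, the one run-level-3 service outside the allow-list.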

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
