Security Incidents mailing list archives
Re: "Nimda"?
From: "Jay D. Dyson" <jdyson () treachery net>
Date: Tue, 26 Feb 2002 18:30:32 -0800 (PST)
On Tue, 26 Feb 2002, Bradley, Tony wrote:
> However, I have noticed in my logs that I have about 1000 "Nimda"-like hits a day. I have cut & paste a portion of my log below. <snip> First of all, since these hits are trying to access Windows directories do they pose any threat to my Linux machine? Second of all, is there any way for me to block these types of hits from my server?
No, they pose no threat to your system. And no, there's no way to block them short of blocking the IPs themselves. I've found that the best defense is a good offense, so I have an automated notification facility in place that acts as a decoy. When either Code Red or Nimda hit my servers, the owner of the netblock is immediately notified that their systems are being used as an attack platform against other machines. That tends to keep things like that down to a dull roar (unless you're dealing with negligent admins who just don't give a whoop).
> If anyone can recommend a good book or resource for hardening my Linux server and / or any good IDS, antivirus and other such security tools that would be appreciated as well.
I recommend any book by O'Reilly (http://security.oreilly.com/). Go there and enter "linux security" and restrict your search to books. Plenty of good reading there. I also recommend http://www.linux-firewall-tools.com/ as a good starting place.

-Jay

"There's always time for a good cup of coffee"
Jay D. Dyson -- jdyson () treachery net
`The armed are citizens. The unarmed are subjects.'

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
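As an added example (not from the thread, and not Jay's own notification facility): the detection half of what Jay describes, in Python. It parses Apache common-log lines for the Nimda and Code Red probe paths Tony was seeing on his Linux box and aggregates them per source IP, which is the information a netblock owner would need to be told. The log lines, addresses and signature list are constructed for the example.

```python
import re
from collections import defaultdict

# Apache common log format (Tony's snipped log lines would look like this).
CLF_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# Request-path fragments characteristic of Nimda and Code Red probes (matched case-insensitively).
WORM_SIGNATURES = {
    "nimda": ("root.exe", "cmd.exe", "/_vti_bin/", "/msadc/", "%255c"),
    "codered": ("/default.ida",),
}

# Constructed sample log lines (RFC 5737 documentation addresses), not Tony's real log.
SAMPLE_LOG = """\
203.0.113.5 - - [26/Feb/2002:18:30:32 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
203.0.113.5 - - [26/Feb/2002:18:30:33 -0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 276
198.51.100.7 - - [26/Feb/2002:18:31:01 -0800] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 276
203.0.113.5 - - [26/Feb/2002:18:31:10 -0800] "GET /_vti_bin/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276
192.0.2.44 - - [26/Feb/2002:18:32:00 -0800] "GET /index.html HTTP/1.1" 200 1043
"""

def classify(path):
    """Return 'nimda', 'codered' or None for one request path."""
    p = path.lower()
    for worm, fragments in WORM_SIGNATURES.items():
        if any(f in p for f in fragments):
            return worm
    return None

def triage(lines):
    """Aggregate worm probes per source IP: count, worm families, first/last seen,
    and how many probes got a 2xx (on a Linux/Apache box that should be zero)."""
    report = defaultdict(lambda: {"count": 0, "worms": set(), "first": None, "last": None, "served": 0})
    for line in lines:
        m = CLF_RE.match(line)
        if not m or classify(m["path"]) is None:
            continue
        e = report[m["ip"]]
        e["count"] += 1
        e["worms"].add(classify(m["path"]))
        e["first"] = e["first"] or m["ts"]
        e["last"] = m["ts"]
        e["served"] += int(m["status"].startswith("2"))
    return dict(report)

def summary(report):
    """One line per source, busiest first: the facts an abuse notification would cite."""
    rows = sorted(report.items(), key=lambda kv: -kv[1]["count"])
    return [f'{ip}: {e["count"]} probes ({", ".join(sorted(e["worms"]))}) '
            f'{e["first"]} .. {e["last"]}, {e["served"]} served' for ip, e in rows]
```

Run `summary(triage(open("/var/log/apache/access_log").readlines()))` to get one line per probing host; a non-zero "served" count is the thing actually worth investigating on a Linux server.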
Current thread:
- "Nimda"? Bradley, Tony (Feb 26)
- Re: "Nimda"? Eric Brandwine (Feb 27)
- Re: "Nimda"? Devdas Bhagat (Feb 27)
- Re: "Nimda"? Jay D. Dyson (Feb 27)
- Re: "Nimda"? Greg A. Woods (Feb 27)
- <Possible follow-ups>
- RE: "Nimda"? Doug Harold (Feb 27)
- Re: "Nimda"? Joshua_Hiller (Feb 27)
- Re: "Nimda"? John . Swarbrick (Feb 27)
- RE: "Nimda"? McCammon, Keith (Feb 27)
- Re: "Nimda"? Greg Williamson (Feb 28)
- Re: "Nimda"? Jay D. Dyson (Feb 28)
- Question sherman.hand (Feb 28)
- Re: Question Valdis . Kletnieks (Feb 28)
- Re: "Nimda"? Nick FitzGerald (Feb 28)
(Thread continues...)