Brian's Linux Box
b_mckee at myrealbox.com
Wed Oct 30 17:17:06 EST 2002
>>> Question one - Is there anything I can or should do?
>> I have an anti-abuse script I run every 5 minutes from cron, which firewalls
>> off these hosts.
>> Here's the script. It also firewalls off IPs which hammer my site,
>> though you might want to tune that. You also want to tune the Nimda
>> detection to look for root.exe, etc.
> I just block these IPs. Attempting to execute cmd.exe is an obvious
> search for an exploit.
> I installed 'snort' and 'guardian.pl' which together automatically block
> the IP addresses of the hosts that attempt such exploits.
Thank you guys - that gives me a couple of approaches to consider.
Just ignoring the 'scratching at the lock' rubs me the wrong way.
Since iptables is on my (looooong) list of items I need to know more about -
I'll take the time now to start figuring it out.
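
The approach described in the quoted replies (scan the web log for `cmd.exe`/`root.exe` requests and for hosts that hammer the site, then firewall them off), as an added example that is not the script from the thread. The Apache common log format, the threshold, the allowlist and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Client address and request path from an Apache common-log line.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+)')
# Nimda-style probes request cmd.exe or root.exe as the final path component.
PROBE_RE = re.compile(r'/(?:cmd|root)\.exe(?:\?|$)', re.IGNORECASE)

HAMMER_THRESHOLD = 5                             # assumed: requests per scan window
ALLOWLIST = {ipaddress.ip_address("127.0.0.1")}  # assumed: addresses never to block

# Constructed sample input, not taken from the original post.
SAMPLE_LOG = "\n".join([
    '192.0.2.10 - - [30/Oct/2002:17:01:12 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276',
    '192.0.2.10 - - [30/Oct/2002:17:01:13 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290',
    '198.51.100.7 - - [30/Oct/2002:17:02:00 -0500] "GET /docs/cmd.exe-explained.html HTTP/1.1" 200 2048',
    'bad;field - - [30/Oct/2002:17:02:05 -0500] "GET /scripts/root.exe HTTP/1.0" 404 276',
] + ['203.0.113.5 - - [30/Oct/2002:17:03:%02d -0500] "GET / HTTP/1.0" 200 5120' % s for s in range(5)])

def hosts_to_block(log_text, threshold=HAMMER_THRESHOLD):
    """Return {ip: reason} for hosts that probed for an exploit or hammered the site."""
    hits, reasons = Counter(), {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))  # rejects hostnames and junk fields
        except ValueError:
            continue
        if ip in ALLOWLIST:
            continue
        hits[ip] += 1
        if PROBE_RE.search(m.group(2)):
            reasons[ip] = "probe"           # a single probe is enough to block
        elif hits[ip] >= threshold:
            reasons.setdefault(ip, "hammer")
    return {str(ip): why for ip, why in reasons.items()}

def iptables_rules(blocked):
    """Build argv lists (no shell string) so log content cannot alter the command."""
    return [["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"] for ip in sorted(blocked)]

if __name__ == "__main__":
    for argv in iptables_rules(hosts_to_block(SAMPLE_LOG)):
        print(" ".join(argv))
```

Passing each list to `subprocess.run` rather than building a shell string keeps log content out of the command line. A cron job built on this would also need to skip addresses it has already blocked.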