[Courses] [Security] Iptables strings patch (was: The useful netstat)
Raven, corporate courtesan
raven at oneeyedcrow.net
Wed Mar 6 18:45:45 EST 2002
Heya --
Quoth Malcolm-Rannirl (Wed, Mar 06, 2002 at 10:36:19AM -0500):
> > outside that's not part of a session. With the strings patch to
> > iptables, you can even filter based on the contents of the packet
> > -- blocking Nimda and Code Red attempts at the firewall, for
> > example.
>
> Now that would be very useful. (Why the script kiddie scripts can't
> check what they are attacking first, I don't know. My box will very
> helpfully tell you it is running apache on linux but I still get
> numerous IIS attack attempts a day).
> url for the patch?
Sure. There's a slightly dated article about this at:

http://articles.linuxguru.net/view/125

The patch is downloadable from there, and the instructions are pretty
clear. It involves recompiling your kernel, but isn't too bad.

The script kiddie scripts don't check what they're attacking
because they don't care. Given the popularity of IIS as a web server
and how little people who write malware care about using your processor
and filling your logs, it's an obvious choice. (Malware = viruses,
trojans, worms... basically, it's software designed specifically to harm
computers.) The time it would take to check and keep track of whether a
given IP has a vulnerable web server running on it isn't worth taking to
them, and would slow the worm program down. So it's "better" to just
spam everyone with the hack attempt.

Also, script kiddies by definition don't understand what they're
doing. They just run the program and bam, hack-a-box. It's the people
who write the scripts for the script kiddies that I find harder to
understand.

Cheers,
Raven
"I am so very girly."
-- RavenBlack, on 'feminine' and 'masculine' traits
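
The content filtering discussed in this message, sketched as an added example that is not part of the original post or the linked article. It assumes a current iptables where the string match is built in and requires `--algo`; the chain name `WORM_HTTP` and the three request substrings (`default.ida` for Code Red, `cmd.exe` and `root.exe` for Nimda) are choices made for this example.

```shell
#!/bin/sh
# Added example: emit iptables string-match rules for worm HTTP probes.
# Assumes the in-kernel "string" match, which requires --algo.
# CHAIN and SIGNATURES are choices made for this example.

CHAIN="WORM_HTTP"

# Request substrings seen in Code Red (default.ida) and Nimda
# (cmd.exe, root.exe) probes aimed at IIS.
SIGNATURES="default.ida cmd.exe root.exe"

# Print the rule set for a web port (default 80). Nothing is applied
# here; review the output before piping it to a root shell.
gen_rules() {
    port="${1:-80}"
    echo "iptables -N $CHAIN"
    for sig in $SIGNATURES; do
        # --to limits the search to the first 256 bytes of the packet,
        # enough to cover the headers and the start of the request line.
        echo "iptables -A $CHAIN -m string --algo bm --to 256 --string \"$sig\" -j DROP"
    done
    # Send inbound traffic for the web port through the signature chain.
    echo "iptables -I INPUT -p tcp --dport $port -j $CHAIN"
}

# Offline check: print the first signature a request line would trip,
# or return 1 if none matches. Handy for testing against your own logs.
match_sig() {
    for sig in $SIGNATURES; do
        case "$1" in
            *"$sig"*) echo "$sig"; return 0 ;;
        esac
    done
    return 1
}

# Run as: sh thisfile.sh --print
[ "${1:-}" = "--print" ] && gen_rules
```

A string match only sees cleartext inside a single packet, so it does nothing for HTTPS or for a request split across segments. Because the match is a plain substring, a legitimate URL containing one of these strings is dropped too.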