Re: [cobalt-security] get rid of codered and NIMDA in log files
- Subject: Re: [cobalt-security] get rid of codered and NIMDA in log files
- From: "njd 76" <njd76@xxxxxxxxxxx>
- Date: Wed, 04 Dec 2002 17:37:00 -0500
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
I am getting sick of NIMDA and Code Red filling my log files. Can I pass
this idea to you guys on the list?
Do you think this will work? I will give step-by-step instructions for
beginners like me.
START
----------
1. cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.bak
2. pico -w /etc/httpd/conf/httpd.conf
3. Add the following to the httpd.conf file:
#CustomLog /var/log/httpd/access_log combined #<====== line to disable
#
# CodeRed and Nimda in separate logfile
#
SetEnvIf Request_URI "^/default.ida(.*)$" code_red_attacks attacks
SetEnvIf Request_URI "root\.exe(.*)$" nimda_attacks attacks
SetEnvIf Request_URI "cmd\.exe(.*)$" nimda_attacks attacks
CustomLog /var/log/httpd/codered.log common env=code_red_attacks
CustomLog /var/log/httpd/nimda.log common env=nimda_attacks
CustomLog /var/log/httpd/access_log common env=!attacks
<Location />
Order Allow,Deny
Allow from all
# Deny must name the variable that the SetEnvIf lines above set
Deny from env=attacks
ErrorDocument 403 "
</Location>
---
END
I also saw this but am not sure if it will work:
#
# Get Rid of the CodeRed Worm
# 16/08/2001
# Source http://salfter.dyndns.org/codered.shtml
#
AddType text/html .ida
AddHandler server-parsed .ida
What do you guys think?
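A dry run of the rules in the message above, as an added example that is not part of the original post: the Python below mirrors the three SetEnvIf patterns and the CustomLog and Deny conditions, and reports which log each constructed sample request would land in and whether it would be refused. It assumes Apache's documented behaviour that Request_URI excludes the query string; `env_for`, `route` and `deny_var` are names chosen for this example.

```python
import re

# The three SetEnvIf patterns from the post: (regex, variables it sets).
RULES = [
    (re.compile(r"^/default.ida(.*)$"), ("code_red_attacks", "attacks")),
    (re.compile(r"root\.exe(.*)$"), ("nimda_attacks", "attacks")),
    (re.compile(r"cmd\.exe(.*)$"), ("nimda_attacks", "attacks")),
]
# Request field of a Common Log Format line: "METHOD URI PROTOCOL"
REQUEST = re.compile(r'"[A-Z]+ (\S+)[^"]*"')

# Constructed sample lines (documentation addresses), not real traffic.
SAMPLE = """\
192.0.2.10 - - [04/Dec/2002:17:01:02 -0500] "GET /default.ida?NNNN HTTP/1.0" 404 276
192.0.2.11 - - [04/Dec/2002:17:01:05 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 280
192.0.2.12 - - [04/Dec/2002:17:01:09 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290
192.0.2.13 - - [04/Dec/2002:17:02:00 -0500] "GET /index.html HTTP/1.0" 200 1024
192.0.2.14 - - [04/Dec/2002:17:02:30 -0500] "GET /search?q=cmd.exe HTTP/1.0" 200 512
""".splitlines()

def env_for(uri):
    """Variables the SetEnvIf lines would set for a requested URI."""
    path = uri.split("?", 1)[0]  # assumption: Request_URI excludes the query string
    env = set()
    for pattern, names in RULES:
        if pattern.search(path):  # SetEnvIf regexes are unanchored searches
            env.update(names)
    return env

def route(line, deny_var="attacks"):
    """Return (logs that record the line, whether Deny from env= fires)."""
    m = REQUEST.search(line)
    env = env_for(m.group(1)) if m else set()
    logs = []
    if "code_red_attacks" in env:
        logs.append("codered.log")
    if "nimda_attacks" in env:
        logs.append("nimda.log")
    if "attacks" not in env:  # CustomLog ... env=!attacks
        logs.append("access_log")
    # Deny fires only when deny_var names a variable that was actually set
    return logs, deny_var in env

if __name__ == "__main__":
    for line in SAMPLE:
        logs, denied = route(line)
        print(",".join(logs), "403" if denied else "served", line.split('"')[1])
```

The last sample line shows that a worm string appearing only in the query string is not matched by a Request_URI rule, and calling `route(line, deny_var="ATTACK")` shows that a Deny naming a variable no SetEnvIf line sets never refuses anything.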