Re: [cobalt-security] get rid of codered and NIMDA in log files
- Subject: Re: [cobalt-security] get rid of codered and NIMDA in log files
- From: "Jelmer Jellema" <lists@xxxxxxxxxxxxxxx>
- Date: Thu, 5 Dec 2002 11:31:11 +0100
- Organization: Spin in het Web (www.spininhetweb.nl)
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Looks good to me,
you could even let go of the attack logs if you don't want them and just
filter them out of the normal log.
Questions:
Would this also work with error logs?
Would this also work with a one-log-for-every-virtualhost setup? Should I
put the SetEnvIf lines in a general place, or per virtual host?
The <Location /> might interfere with other security-related lines?
I'll give it a try if I have some time.
Jelmer
> #CustomLog /var/log/httpd/access_log combined #<====== line to disable
> #
> # CodeRed and Nimda in separate logfile
> #
> SetEnvIf Request_URI "^/default.ida(.*)$" code_red_attacks attacks
> SetEnvIf Request_URI "root\.exe(.*)$" nimda_attacks attacks
> SetEnvIf Request_URI "cmd\.exe(.*)$" nimda_attacks attacks
>
> CustomLog /var/log/httpd/codered.log common env=code_red_attacks
> CustomLog /var/log/httpd/nimda.log common env=nimda_attacks
> CustomLog /var/log/httpd/access_log common env=!attacks
>
> <Location />
> Order Allow,Deny
> Allow from all
> Deny from env=attacks
> ErrorDocument 403 "
> </Location>
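
Added example, not part of the original message or the quoted configuration: a Python replay of the quoted SetEnvIf and CustomLog rules over constructed request lines, showing which log each request would land in and whether a Deny on the shared variable would fire. It assumes Request_URI is the request path without the query string and that SetEnvIf matching is unanchored and case-sensitive; the function names and sample lines are made up for illustration.

```python
import re

# SetEnvIf rules as quoted above: (regex applied to Request_URI, variables set).
RULES = [
    (re.compile(r"^/default.ida(.*)$"), ("code_red_attacks", "attacks")),
    (re.compile(r"root\.exe(.*)$"), ("nimda_attacks", "attacks")),
    (re.compile(r"cmd\.exe(.*)$"), ("nimda_attacks", "attacks")),
]
# CustomLog conditions: a leading "!" means "only when the variable is unset".
LOGS = [
    ("codered.log", "code_red_attacks"),
    ("nimda.log", "nimda_attacks"),
    ("access_log", "!attacks"),
]

def request_uri(request_line):
    """Path of 'METHOD target PROTOCOL' with the query string dropped."""
    parts = request_line.split()
    return parts[1].split("?", 1)[0] if len(parts) > 1 else ""

def env_for(request_line):
    """Variables the rules would set (unanchored, case-sensitive matching)."""
    uri = request_uri(request_line)
    return {name for rx, names in RULES if rx.search(uri) for name in names}

def destinations(request_line):
    """Log files that would record this request."""
    env = env_for(request_line)
    return [log for log, cond in LOGS
            if (cond[1:] not in env if cond.startswith("!") else cond in env)]

def denied(request_line, deny_var="attacks"):
    """True if 'Deny from env=<deny_var>' fires; it must name a variable the rules set."""
    return deny_var in env_for(request_line)

# Constructed request lines (not taken from a real log).
SAMPLES = [
    "GET /default.ida?NNNNNNNN HTTP/1.0",
    "GET /scripts/root.exe?/c+dir HTTP/1.0",
    "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /index.html HTTP/1.0",
    "GET /scripts/CMD.EXE?/c+dir HTTP/1.0",   # upper case: not matched
    "GET /default.idaho.html HTTP/1.0",       # benign page caught by rule 1
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{line!r:55} -> {destinations(line)} denied={denied(line)}")
```

The last two samples show the limits of the patterns: an upper-case variant stays in the normal access log, and the unescaped, open-ended first pattern also captures an unrelated page name.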