[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [cobalt-security] get rid of codered and NIMDA in log files

At 04:31 AM 12/5/2002, you wrote:

Looks good to me,

you could even let go of the attack logs if you don't want them and just
filter them out of the normal log.

Questions:
would this also work with error logs?
would this also work with a one-log-for-every-virtualhost setup? should I
put the SetEnvIf lines in a general place, or per virtual host?
As far as Nimda goes, it only effects ip addresses and not urls. You will only have nimda stuff in the logs for sites that are the main site on an ip. If you only have one ip on a machine, then it will only effect the main site and no others. On the other hand, if you have multiple ip's, for each ip, it will effect the main site for that ip and you will have to deal with multiple sites on the machine. 


The <Location /> might interfere with other security-related lines?

I'll give it a try if I have some time.

Jelmer

> #CustomLog /var/log/httpd/access_log combined #<====== line to disable
> #
> # CodeRed and Nimda in seperate logfile
> #
> SetEnvIf Request_URI "^/default.ida(.*)$" code_red_attacks attacks
> SetEnvIf Request_URI "root\.exe(.*)$" nimda_attacks attacks
> SetEnvIf Request_URI "cmd\.exe(.*)$" nimda_attacks attacks
>
> CustomLog /var/log/httpd/codered.log common env=code_red_attacks
> CustomLog /var/log/httpd/nimda.log common env=nimda_attacks
> CustomLog /var/log/httpd/access_log common env=!attacks
>
> <Location />
> Order Allow,Deny
> Allow from all
> Deny from env=ATTACK
> ErrorDocument 403 "
> </Location>

_______________________________________________
cobalt-security mailing list
cobalt-security@xxxxxxxxxxxxxxx
http://list.cobalt.com/mailman/listinfo/cobalt-security

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.




--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.