January 08, 2003

Foiling Nimda

Nimda and Code Red are IIS worms. As an Apache server administrator, you are not vulnerable, but they do fill up your log files. Here are a few techniques to prevent that.

One: Apache::CodeRed. Find it at http://cpan.org/modules/by-module/Apache/ (easy to install, easy to configure). But it needs mod_perl, so if you don't have that, you're out of luck.

Also, I have a hacked version of this, which adds the address to my firewall deny list. I think I should probably leave that as an exercise, but basically you have it call a suid script, which takes an IP address as the argument, and adds a host to your firewall. Presumably you could do this from a CGI program as well, and invoke that thus:

Action codered /cgi-bin/code_red.cgi
<LocationMatch "/(default\.ida|msdac|root\.exe|MSADC|system32)/">
    SetHandler codered
</LocationMatch>

The CGI would look something like:

#!/usr/bin/perl
use strict;
use warnings;
# REMOTE_ADDR is set by Apache from the connection, not by the client.
my $ip = $ENV{REMOTE_ADDR};
# Hand the address to the suid firewall script; the list form of system() avoids the shell.
system('/usr/bin/BLOCK', $ip) == 0 or warn "BLOCK failed for $ip\n";
print "Content-type: text/html\n\n";
print "bye, now.";

This will get rid of the error log entries, since the worm's request now resolves to a valid URL. This is probably my most recommended approach, unless you want to use Apache::CodeRed, which also sends email to the domain contacts and ISP contacts. That is perhaps the best thing to do, but it generates a lot of bounce messages.

Note that even if you don't add them to your firewall, the above script can be used, minus the two lines that read the address and call the block script, to eliminate the error messages. And, in conjunction with the "don't log" recipe below, it can remove the problem.

Two: Conditional logging. See the tutorial at http://httpd.apache.org/docs/logs.html#conditional or, for the recipe version, you need the following:

SetEnvIf REQUEST_URI "default.ida" dont-log
CustomLog logs/access_log combined env=!dont-log

As noted previously, this only covers the access log. The error log is trickier. One way to handle this is to actually redirect these requests to a virtual host, with a /dev/null'ed error log. That is how I handled it before I started firewalling them.

However, this, in conjunction with the recommended CGI program, will eliminate all log entries other than the initial access to the CGI program, and that one can also be eliminated with the conditional logging trick.

Note two things about the firewall approach. First, if you have a busy site, this is *NOT* recommended, as it will cause your firewall list to grow to an absurd size; I'm doing this on a home DSL account. Second, if you firewall them, you'll get one entry in the error log, perhaps, but no more. There will probably be log entries in your firewall log instead. These are far more satisfying. Reset your firewall deny list periodically.
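
As an added example (not code from the original post), here is a Python script that does the deny-list bookkeeping the firewall approach needs: it pulls worm hits out of constructed access_log lines using the same URL names as the LocationMatch above (matched without the trailing slash, so a bare /default.ida request counts too), refuses to hand anything that is not a well-formed address to a block script, and caps the list so it cannot grow without bound on a busy site. Python rather than Perl is my choice here; the log lines, addresses and the block-script name are all made up.

```python
import ipaddress
import re
from collections import Counter

# The URL names from the post's LocationMatch, anywhere in the request path.
WORM_PATHS = re.compile(r"/(default\.ida|msdac|root\.exe|MSADC|system32)")
# Combined-log format: client address first, request line in quotes.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:[A-Z]+) (\S+)[^"]*"')

# Constructed sample access_log lines; addresses are documentation ranges.
SAMPLE_LOG = """\
10.1.2.3 - - [08/Jan/2003:22:16:01 -0500] "GET /default.ida?XXXX HTTP/1.0" 404 301
10.1.2.3 - - [08/Jan/2003:22:16:02 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 290
192.0.2.44 - - [08/Jan/2003:22:17:10 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 290
198.51.100.7 - - [08/Jan/2003:22:18:00 -0500] "GET /index.html HTTP/1.1" 200 1043
bogus-host - - [08/Jan/2003:22:18:30 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290
"""


def worm_sources(log_text, threshold=1):
    """Return {client: hits} for clients that requested a worm URL at least
    `threshold` times. Clients that are not valid IP addresses are skipped,
    so a garbage value can never reach the block script (hypothetical BLOCK)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, path = m.group(1), m.group(2).split("?", 1)[0]
        if not WORM_PATHS.search(path):
            continue
        try:
            ipaddress.ip_address(client)
        except ValueError:
            continue
        hits[client] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


def deny_list(log_text, max_entries=100):
    """Build the firewall deny list, noisiest sources first, capped at
    max_entries so the list stays bounded on a busy site."""
    ranked = sorted(worm_sources(log_text).items(), key=lambda kv: (-kv[1], kv[0]))
    return [ip for ip, _ in ranked[:max_entries]]


if __name__ == "__main__":
    for ip in deny_list(SAMPLE_LOG):
        print(ip)  # feed each address to the block script of your choice
```

Run it against a real access_log by reading the file into `deny_list` instead of SAMPLE_LOG; the threshold argument lets you ignore one-off hits.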

Follow-up: Ken Coar notes that you should also check out EarlyBird.

Posted by rbowen at January 8, 2003 10:16 PM