Huntsville Macintosh Users Group
Block Nimda, Code Red, etc. from Apache
by Marius Schamschula

Background: Nimda, Code Red, FormMail, et al.

If you use Personal Web Sharing under Mac OS X client, or Web Sharing under Mac OS X Server, you open up your machine to attacks on port 80. Fortunately, most of these attacks target Windows machines running Microsoft's Internet Information Server (IIS), one of the most bug-ridden pieces of software out in the wild. To computers running the Apache web server these attacks are an annoyance, since they fill up the log files with unnecessary entries. The best way to prevent the problem is to shut off any and all connections from the infected remote hosts.

Solution: the wrmblk Script

In Mac OS X Hints, Jeff Thompson published the wrmblk script. wrmblk scans the Apache logs for the hosts that sent these probes and adds rules to Mac OS X's ipfw firewall to block them. The script is written to be invoked manually. I have added "support" for the FormMail.pl CGI script, and commented out some messages that would otherwise trigger e-mail reports from the cron daemon even when wrmblk found no new bad hosts.
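To illustrate what a script of this kind does, here is an added example written for this page (it is not Jeff Thompson's wrmblk or the FormMail extension described above): a few shell functions that scan an Apache access log in Common Log Format for the well-known probe paths of Code Red (default.ida), Nimda (cmd.exe, root.exe) and FormMail abuse (formmail.pl), and print the ipfw deny rules that would shut those hosts out. The probe patterns, the starting rule number and the sample log lines are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not the wrmblk script. Finds hosts probing for IIS worm
# and FormMail targets in an Apache access log and emits ipfw deny rules.

# Assumed probe signatures: Code Red requests default.ida, Nimda hunts for
# cmd.exe and root.exe, form-mail spammers look for formmail.pl.
PROBE_RE='default\.ida|cmd\.exe|root\.exe|[Ff]orm[Mm]ail\.pl'

# Print each distinct client IP (first CLF field) that sent a matching request.
bad_hosts() {
    # $1 = path to the Apache access log
    grep -E "$PROBE_RE" "$1" | awk '{print $1}' | sort -u
}

# Turn the host list into ipfw rules, one per host, numbered from $2.
# Rules are printed rather than run so you can review them first.
ipfw_rules() {
    # $1 = access log, $2 = first rule number (assumed default 2000)
    n=${2:-2000}
    for ip in $(bad_hosts "$1"); do
        echo "ipfw add $n deny ip from $ip to any"
        n=$((n + 1))
    done
}

# Constructed sample log in Common Log Format; not from a real server.
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
192.0.2.10 - - [21/Feb/2007:10:00:01 -0600] "GET /default.ida?XXXX HTTP/1.0" 404 283
192.0.2.10 - - [21/Feb/2007:10:00:02 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 290
198.51.100.7 - - [21/Feb/2007:10:05:11 -0600] "GET /index.html HTTP/1.1" 200 1523
203.0.113.44 - - [21/Feb/2007:11:30:00 -0600] "POST /cgi-bin/FormMail.pl HTTP/1.0" 404 284
203.0.113.44 - - [21/Feb/2007:11:30:05 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300
EOF
    echo "$f"
}

log=$(make_sample_log)
ipfw_rules "$log"   # two rules: 192.0.2.10 and 203.0.113.44; 198.51.100.7 is left alone
rm -f "$log"
```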

Installation

Step 1: Download

Download the wrmblk script.

Step 2: Install the run-parts Script

If you haven't done this already, install the run-parts script.

Step 3: Move the wrmblk Script to a cron Directory

We now need to open the Terminal application (/Applications/Utilities/Terminal) and change to the directory containing the downloaded wrmblk script. Note: all terminal commands have manual (a.k.a. man) pages; I have put a link to the man page at the first reference to each command. You may choose /etc/cron.hourly or /etc/cron.daily, depending on how paranoid you are. Running the script daily should be fine.

$ cd /path/to/downloaded/wrmblk
$ sudo mv wrmblk /etc/cron.daily
$ sudo chmod a+x /etc/cron.daily/wrmblk
Version 2.0.0 - 20070221