Background: Nimda, Code Red, FormMail, et al.
If you use Personal Web Sharing under Mac OS X client, or Web Sharing under Mac OS X Server, you open up your machine to attacks on port 80. Fortunately, most of these attacks target Windows machines running Microsoft's Internet Information Server (IIS), one of the most bug-ridden pieces of software out in the wild. To computers running the Apache web server these attacks are an annoyance, since they fill up the log files with unnecessary entries. The best way of preventing the problem is to shut off any and all connections from the infected remote hosts.
Solution: the wrmblk Script
On Mac OS X Hints, Jeff Thompson published the wrmblk script. wrmblk adds commands to Mac OS X's ipfw firewall to block bad hosts. The script is written to be invoked manually. I have added "support" for the FormMail.pl CGI script, and commented out some messages that would trigger e-mail reports from the cron daemon, even if wrmblk found no new bad hosts.
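The idea behind this kind of blocking, sketched as an added example (this is not the wrmblk script or Jeff Thompson's code): scan Apache access-log lines for requests typical of these worms and probes, then print one ipfw deny rule per offending host. The function names, the signature list and the sample log lines are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: not the wrmblk script. Function names are hypothetical.

# Constructed sample in Apache common log format (documentation addresses).
sample_log() {
cat <<'EOF'
192.0.2.10 - - [21/Feb/2007:10:00:01 -0800] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 276
198.51.100.7 - - [21/Feb/2007:10:00:05 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 280
198.51.100.7 - - [21/Feb/2007:10:00:06 -0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300
203.0.113.44 - - [21/Feb/2007:10:02:11 -0800] "POST /cgi-bin/FormMail.pl HTTP/1.0" 404 285
203.0.113.99 - - [21/Feb/2007:10:03:00 -0800] "GET /index.html HTTP/1.1" 200 1024
host.example.net - - [21/Feb/2007:10:04:00 -0800] "GET /default.ida?X HTTP/1.0" 404 276
EOF
}

# Read log lines on stdin, print each offending client address once.
# Field 1 is the client, field 7 the request path. Only dotted-quad
# addresses pass, so a logged hostname never reaches a root-run command.
# The signature list is an assumption, not taken from wrmblk.
worm_hosts() {
    awk '
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ &&
        tolower($7) ~ /default\.ida|root\.exe|cmd\.exe|formmail/ { print $1 }
    ' | sort -u
}

# Turn addresses on stdin into ipfw commands; printed for review, not run.
block_rules() {
    while read -r ip; do
        echo "ipfw add deny tcp from $ip to any 80"
    done
}

sample_log | worm_hosts | block_rules
```

A site that really serves a FormMail script would drop that pattern from the list, or it would block its own visitors.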
Installation
Step 1: Download
Download the wrmblk script.
Step 2: Install the run-parts Script
If you haven't done this already, install the run-parts script.
Step 3: Move the wrmblk Script to a cron Directory
We now need to open the Terminal application (/Applications/Utilities/Terminal). We need to change directories to the location of the wrmblk script. Note: all terminal commands have manual, a.k.a. man, pages. I have put a link to the man page at the first reference to each command. You may choose /etc/cron.hourly or /etc/cron.daily, depending on how paranoid you are. Running the script daily should be fine.
$ cd /path/to/downloaded/wrmblk
$ sudo mv wrmblk /etc/cron.daily
$ sudo chmod a+x /etc/cron.daily/wrmblk
Version 2.0.0 - 20070221