Home page logo

nanog logo nanog mailing list archives

worm blocker
From: Joseph McDonald <joe () vpop net>
Date: Tue, 18 Sep 2001 16:53:16 -0700

Here is a little worm blocker I came up with.  It runs like:
tail -f $server_root/logs/error_log | blockworm.rb


x = 0
badips = Hash.new(0)
while line = gets
  if line =~ /root.ext|winnt|msadc|unrecognized FrontPage/i
    line =~ /client ([^\]].*)]/
    bad = $1
    bad.gsub!(/[^0-9\.]/, "")
    if not badips.has_key?(bad)
      system("/sbin/ipfw add 3000 unreach host tcp from #{bad} to any 80")
      $stderr.puts "killed #{bad}"
    badips[$1] += 1
    x += 1

I'm not positive that it's the best ipfw rule... I didn't know if
"unreach" or "deny" was better.  My ipfw guru is gone for the day.  If
anyone has any thoughts on that, please let me know.  Also, the above
assumes that IP "spoofing" isn't going on...

BTW, if you want to run the above and don't have ruby, you can get it
at: http://www.ruby-lang.org/en/index.html  It is a way cool language,
the snippet above does not show off any of its unique features, a
summary of which you can find here:


  By Date           By Thread  

Current thread:
  • worm blocker Joseph McDonald (Sep 18)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]