New Worm Targets Linux Systems

[bangbuathong]

read it here

[yuyi]

read it here

<{POST_SNAPBACK}>

which affect you only, if you run a public webserver on your box.

The XML-RPC flaw affects blogging, wiki and content management software and was discovered earlier this year. Patches are available for most systems. AWStats is a log analyzer tool; a fix for the flaw has been available since February.

And even then, if you install security patches as they become available (which is very easy when you run a server based on SuSE, by running YAST Online Update from time to time), you are on the safe side. The Open Source community usually produces security fixes very very quickly, and distros such as SuSE make them available right away (for free, btw)

I hope your favorite distro has a similar feature.

[francois]

hi'

so right

Suse is always ready to answer to any threat fast but the main recommendation is :

never work connected on the net as root, if you have to do so, disconnect first, one and only exception, updates, logged in as a user go through SU command and the root folder stays protected

some jerks still try to put down some Linux servers, they can try

once this alert will have passed away, we will hear about new sh1t for windoz ...

once script-kiddies will be tired to try

windoz is just easy enough for them ...

francois

[autonomous_unit]

Not really a worm, but those of you with Linux hosts running SSH on public addresses will be familiar with the annoying log messages from random "dictionary" attacks where someone tries to login under all kinds of different names. I would get tons of them on my True ADSL.

I recently learned about a new iptables module to stop these buggers... it actually works to rate-limit any kind of TCP attack on a per-host basis... instead of getting hundreds of "invalid user" and other SSH errors from one remote host in a day, I tend to see just a few logged because the rate-limiting stops them and they give up to try some other victim's address instead.

Assuming you have a firewall setup that is mostly denying traffic, and then an explicit rule to allow SSH (port 22) traffic, something like:

-A Some-Rule-Chain -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

you can replace that with this more complex rule that will implement rate-limiting of new connections while keeping track of connection statistics for each individual remote host. So, if some script kiddie is attacking you, they get blocked after a few tries while you can still get in from other remote addresses:

-A Some-Rule-Chain -m state --state NEW -m tcp -p tcp --dport 22 -m hashlimit --hashlimit 15/hour --hashlimit-burst 3 --hashlimit-mode srcip,dstport --hashlimit-name something_to_call_this -hashlimit-htable-expire 600000 -j ACCEPT

The main points are: allow 15/hour average (1 connection every 4 minutes) while allowing up to 3 connections before the rate limiting starts, while tracking on a per source IP address and per destination port basis. The name is useful if you want to be able to see who has been connecting recently.

See the iptables manpage for more information. You need kernel support in the form of the ipt_hashlimit module or built-in option. You may have to install a newer version of the iptables utility to have access to these rules, even if the hashlimit module is available in your kernel. I had to install the tool on Fedora Core 3 but the kernel module was already there...