I decided to write a command line script to locate any hosts that are flooding my system with Nimda and CodeRed worm requests and add them to the "deny" list using the Macintosh OS X 10.2 IPFW utility, rather than relying on third-party shareware GUI wrappers which do pretty much the same thing.
Here's the code for the wrmblk script; make sure you read the notes at the end:
#!/bin/sh
# ---------------------------------------------------------------------
# WRMBLK - Copyright 2002, Jeff Thompson
# ---------------------------------------------------------------------
# Block sites that have originated Nimda and CodeRed queries from the
# Macintosh OS X 10.2 Apache web server, using the IPFW utility.
#
# Note: Apache must be configured with HostnameLookups Off, so that the
# first field of each access_log line is the client IP address and not a
# hostname: that field is passed straight to the ipfw command line below.
# Run as root. Rules added with "ipfw add" do not survive a reboot, so
# re-run the script after restarting (or from cron).
# ---------------------------------------------------------------------
echo WRMBLK - Nimda/CodeRed Worm Blocker
echo ------------------------------------------------------------------
echo Constructing list of CURRENTLY blocked host IP Addresses
# "ipfw list" prints rules as "NNNNN deny ip from A.B.C.D to any";
# field 5 is the blocked address ("deny all" is listed as "deny ip").
ipfw list | grep 'deny ip from [0-9.]* to any' |
    awk '{print $5}' | sort | uniq > /var/tmp/worms.blocked
echo Gathering new POTENTIAL worm hosts from the access log and blocking them
# Request paths probed by Nimda (cmd.exe, root.exe, _vti_bin) and
# CodeRed (default.ida); dots are escaped so "cmd.exe" matches literally.
egrep -i "(cmd\.exe|root\.exe|default\.ida|_vti_bin)" /var/log/httpd/access_log |
    awk '{print $1}' | sort | uniq |
while read host
do
    # -x matches the whole line: without it an entry for 10.0.0.50 would
    # make 10.0.0.5 look as if it were already blocked.
    if ! fgrep -x "$host" /var/tmp/worms.blocked >/dev/null
    then
        echo Adding $host to blocked sites
        echo "$host" >> /var/tmp/worms.blocked
        ipfw add deny all from "$host" to any >/dev/null
    fi
done
echo Done!
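The following is an added example, not part of the original hint or of Jeff Thompson's script: the same detection logic split into shell functions and run over a few constructed access_log lines and a constructed "ipfw list" output, printing the ipfw commands it would run instead of executing them, so it can be tried on any Unix without root. The addresses, request lines and rule numbers are made up; the is_ipv4 guard is an addition that the original script avoids needing by requiring HostnameLookups Off, and the 10.0.0.50 entry is there to show why the already-blocked check must match a whole line.

```shell
#!/bin/sh
# Added example (not from the original hint): wrmblk's detection logic as
# functions, with constructed inputs, emitting ipfw commands as a dry run.

# Constructed Apache access_log lines in common log format (not real traffic).
# The last line has a non-IP client field, as you would get with
# HostnameLookups On or from a tampered log.
SAMPLE_LOG='10.0.0.5 - - [19/Sep/2002:05:47:38 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 288
10.0.0.5 - - [19/Sep/2002:05:47:39 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 288
192.168.1.7 - - [19/Sep/2002:05:48:01 -0700] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 288
172.16.0.9 - - [19/Sep/2002:05:49:10 -0700] "GET /index.html HTTP/1.1" 200 1024
203.0.113.4 - - [19/Sep/2002:05:50:00 -0700] "GET /_vti_bin/owssvr.dll HTTP/1.0" 404 288
bad;host - - [19/Sep/2002:05:51:00 -0700] "GET /scripts/root.exe HTTP/1.0" 404 288'

# Constructed "ipfw list" output: 192.168.1.7 is already blocked, and the
# 10.0.0.50 rule would hide 10.0.0.5 from a plain substring fgrep.
SAMPLE_IPFW='00100 deny ip from 192.168.1.7 to any
00200 deny ip from 10.0.0.50 to any
65535 allow ip from any to any'

# worm_hosts: unique client addresses that sent Nimda/CodeRed-style requests.
# Reads log text on stdin. Dots are escaped so "cmd.exe" matches literally.
worm_hosts() {
    grep -Ei '(cmd\.exe|root\.exe|default\.ida|_vti_bin)' |
    awk '{print $1}' | sort -u
}

# blocked_hosts: source address (field 5) of every existing deny rule on stdin.
blocked_hosts() {
    grep 'deny ip from [0-9.]* to any' | awk '{print $5}' | sort -u
}

# is_ipv4: shape check for a dotted quad, applied before the value is
# interpolated into an ipfw command line (octet range is not checked).
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# new_rules: print one "ipfw add deny ..." line per worm host not already
# blocked. $1 = access log text, $2 = "ipfw list" output.
new_rules() {
    blocked=$(printf '%s\n' "$2" | blocked_hosts)
    printf '%s\n' "$1" | worm_hosts | while read host; do
        if ! is_ipv4 "$host"; then
            echo "skipping non-IP client field: $host" >&2
            continue
        fi
        # -x: whole-line match, so 10.0.0.5 is not masked by 10.0.0.50
        if ! printf '%s\n' "$blocked" | grep -qxF "$host"; then
            echo "ipfw add deny all from $host to any"
        fi
    done
}

new_rules "$SAMPLE_LOG" "$SAMPLE_IPFW"
```

Run as-is it prints deny commands for 10.0.0.5 and 203.0.113.4 only, skips 192.168.1.7 because it is already in the rule set, and reports the "bad;host" line on stderr. To use it for real, pipe new_rules' output to sh as root, with the log read from /var/log/httpd/access_log and the rules from ipfw list.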
Source: Mac OS X Hints, http://hints.macworld.com/article.php?story=20020919054738194