June 4, 2003 / gus3

When the Firewall Is Too Aggressive

Boy, do I feel silly. My firewall ruleset started blocking me from my own machine. I don’t know which is worse, being locked out, or taking three hours to figure it out.

Here’s what happened: I have set up my web server to detect Nimda and Code Red attacks. When an infected machine tries to break into mine, an entry in the system log makes note of the address, and that address is blocked completely from my machine. The block serves two purposes: to keep my error log from getting flooded with failed Nimda/Code Red attempts, and to prevent other attacks from these poorly-administered machines.

So what if I run a Nessus scan on my system? One security hole it tests for is Nimda. Well, my scripts detect that I’m trying to compromise the system, and block the offending address, in this case my own. Woops.

This one really had me stymied. For twenty minutes, I tried to figure out why all my Internet activity was failing. I thought perhaps a bug in Nessus had messed up my system configuration (yeah, it was a bug, but not in Nessus). Even a reboot didn’t help, since my firewall rules are saved on shutdown and restored on restart. My first conclusion was that my ISP was having a hiccup in their service. It’s rare, but it does happen.

When I went to work on someone else’s computer, I found my webserver up and running, and the system generally responsive. But when I returned home, the same odd behavior: X would not start, no web browsing would work, not even DNS. Then it occurred to me to check my firewall rules. Sure enough, all connections originating from my machine were blocked. A quick flush and restore of the core ruleset brought things back to order. The anti-Nimda/Code Red scripts are now edited to prevent locking out my own machine.

For any Perl programmers interested, the critical line is this:

if ($ENV{REQUEST_URI} =~ /root\.exe|cmd\.exe|MSADC|scripts|default\.ida/)
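As an added example that is not part of the original post: the post’s own check is the single Perl line above, evaluated on REQUEST_URI from a CGI handler. The Python below transcribes that same alternation and runs it over a few constructed Apache log lines instead, adding the protected-address check that would have prevented the lockout. The server address 203.0.113.10, the log format, the sample traffic and the iptables rule form are all assumptions, not details from the page.

```python
import ipaddress
import re

# The page's Perl alternation, transcribed unchanged to Python (unanchored search).
PROBE_RE = re.compile(r"root\.exe|cmd\.exe|MSADC|scripts|default\.ida")

# Addresses the script must never hand to the firewall: loopback plus the
# server's own address. 203.0.113.10 is a documentation-range placeholder
# for that address (assumption, not from the page).
PROTECTED = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("203.0.113.10/32"),
]

# Client address and request URI from an Apache common/combined log line.
LOG_RE = re.compile(r'^(?P<addr>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<uri>\S+)')


def is_probe(uri):
    """True if the request URI matches the page's Nimda/Code Red pattern."""
    return PROBE_RE.search(uri) is not None


def is_protected(addr):
    """True for loopback, the server's own address, or anything unparsable."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True  # never feed a malformed token to the firewall
    return any(ip in net for net in PROTECTED)


def block_command(addr):
    """iptables rule the script would run for an offender (returned, not executed; assumed form)."""
    return f"iptables -I INPUT -s {addr} -j DROP"


def scan_log(lines):
    """Return (addresses to block, probe sources skipped because they are protected)."""
    to_block, skipped = [], []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_probe(m["uri"]):
            continue
        addr = m["addr"]
        if is_protected(addr):
            skipped.append(addr)      # the self-lockout the post describes
        elif addr not in to_block:
            to_block.append(addr)     # one rule per offender, not per hit
    return to_block, skipped


# Constructed sample log lines (not real traffic): two worm probes from one
# remote host, a Nessus-style probe from the server's own address, a loopback
# request, and an ordinary static file whose path also contains "scripts".
SAMPLE_LOG = [
    '198.51.100.7 - - [04/Jun/2003:10:01:02 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276',
    '198.51.100.7 - - [04/Jun/2003:10:01:03 -0500] "GET /default.ida?XXXX HTTP/1.0" 404 276',
    '203.0.113.10 - - [04/Jun/2003:10:05:44 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.1" 404 276',
    '127.0.0.1 - - [04/Jun/2003:10:06:00 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276',
    '192.0.2.25 - - [04/Jun/2003:10:07:10 -0500] "GET /javascripts/menu.js HTTP/1.1" 200 1843',
]

if __name__ == "__main__":
    block, skipped = scan_log(SAMPLE_LOG)
    for addr in block:
        print(block_command(addr))
    print("skipped (protected):", skipped)
```

Run as-is, the script emits a DROP rule for 198.51.100.7 and skips the probes from 203.0.113.10 and 127.0.0.1. It also emits a rule for 192.0.2.25, whose only request was /javascripts/menu.js: the `scripts` alternation in the page’s pattern is unanchored, so it matches any path containing that substring. If the site serves such paths, anchor it as `/scripts/`. The protected list should hold every address the host answers on, not just the one it is scanned from, and a block rule that is saved across reboots (as the post’s were) needs the same flush-and-restore escape hatch described above.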

