The Little Dutch Moose - Firewall against sites that attempt to infect your server with a worm or virus-like command
Version: 10.3 v2A82
Yes, you've got Mac OS X. Yes, you're protected from Code Red, from Nimda and probably a lot of other Windows NT viruses/worms out there (and yet to come), but even with Mac OS X and Apache, your system bandwidth is clogged by handling each and every one of these illegal messages. When an incoming request asks for something illegal, such as /root.exe ..., and your Apache replies with "I don't know what you're talking about", the infected host doesn't go away; it returns again and again and again. Your uninfected server is bogged down rejecting bogus messages from infected systems. Your bandwidth usage goes up, and if you're on a plan that charges more after a certain usage, your costs go up, too.
License: Free To Try $25.00
Operating System: Mac OS X
Little Dutch Moose plugs those holes. Figuring that the infected system is no friend of yours, when Little Dutch Moose finds a site that is attempting to infect your server with a worm-like or virus-like command, it immediately issues an order to your built-in firewall to automatically shut the door on that host. These sites go away for good.
With The Little Dutch Moose, your web server should spend its cycles only on the requests that it wants to deal with.
The Little Dutch Moose consists of 3 processes or modules:
An Apache module (name: mod_ldm.so)
This module sees all incoming commands to the server before they are processed by Apache. If this module sees a command that is on its "watch list", then mod_ldm.so sends out a system-wide notification message, which is picked up by the Daemon.
The Daemon (name: LittleDutchMoose)
The Daemon is continually listening out for system wide notification messages generated by the mod_ldm.so module. When it hears the signature of an incoming attack, it issues a command to add a DENY request to the firewall on the port you specify. This can be ANY port, or a particular port. This can be only TCP packets or TCP with UDP packets. A rule is added to the firewall as specified in the Control Panel. (Rules can be turned off, dynamically, too!).
If you wish, you may decide not to have the offending host blocked at the firewall, but simply watch how your bandwidth is being eaten by bogus commands against your server. Whether you want firewall protection or not, every time the Daemon finds an illegal command to your server, it sends out notification of that information.
The Control Panel (name: Little.Dutch.Moose.Prefs)
This is the user interface for configuring and monitoring the Little Dutch Moose and its actions. It is also the place for stopping and starting the daemon. (The daemon is normally started automatically on system boot.) This is the area for monitoring blocked IP addresses as well as adding to (or removing from) the list of attack signatures.
· 30 days trial.
What's New in This Release:
· Re-labeled Attack Signatures configuration panel to "Request Attack Signatures".
· Added "Request Header Signatures" panel to configuration. This panel allows you to enter tags for request headers and data that you wish to disallow. When the system preferences pane is run the first time, it will add a known set of tags.
· Added option to the signatures panel to allow rejection of all chunked requests. Check it to trap all chunked requests. Make sure you have used Apple SW Update to update your Apache server as well. This option is on the new "Request Header Signatures" panel. This option is unnecessary if the "Request Header Signatures" list contains the entry "Transfer-Encoding:chunked".
· Reset the evaluation version allowing an extension of the trial period. This is so that non-customers can utilize the Apache worm trap.
· Added special handling to help with attacks that try to maintain a connection to the server even if the attack fails. These eventually become denial-of-service attacks if the session is not released.
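The module-to-daemon flow and the two signature lists described above can be sketched as follows. This is an added example, not code from The Little Dutch Moose: the function and class names are hypothetical, the traffic is constructed, and the ipfw-style rule text is an assumption, since the page names only "your built-in firewall".

```python
import ipaddress
from urllib.parse import unquote

# Constructed watch lists; both entries are quoted from the page.
REQUEST_SIGNATURES = ["/root.exe"]
HEADER_SIGNATURES = ["Transfer-Encoding:chunked"]

def match_signature(request_line, headers):
    """Module side: return the first signature the request matches, else None."""
    parts = request_line.split(" ")
    uri = unquote(parts[1]).lower() if len(parts) >= 2 else ""  # decode %xx first
    for sig in REQUEST_SIGNATURES:
        if sig.lower() in uri:
            return sig
    hdrs = {k.lower(): v.lower() for k, v in headers.items()}
    for sig in HEADER_SIGNATURES:
        name, _, value = sig.lower().partition(":")
        if name in hdrs and value.strip() in hdrs[name]:
            return sig
    return None

class Daemon:
    """Daemon side: record every hit, emit deny rules once per host."""
    def __init__(self, block=True, port=None, udp=False):
        self.block, self.port, self.udp = block, port, udp
        self.blocked, self.notifications = set(), []

    def on_attack(self, src, sig):
        # Validate before building rule text; ValueError on anything not an IP.
        ip = str(ipaddress.ip_address(src))
        self.notifications.append((ip, sig))  # sent whether or not blocking is on
        if not self.block or ip in self.blocked:
            return []
        self.blocked.add(ip)
        dst = "any" if self.port is None else f"any {int(self.port)}"
        protos = ["tcp", "udp"] if self.udp else ["tcp"]
        # Assumed ipfw-style syntax; returned as text, never executed here.
        return [f"ipfw add deny {p} from {ip} to {dst}" for p in protos]

def process(requests, daemon):
    rules = []
    for src, line, headers in requests:
        sig = match_signature(line, headers)
        if sig:
            rules += daemon.on_attack(src, sig)
    return rules

# Constructed sample traffic using documentation address ranges.
SAMPLE = [("192.0.2.10", "GET /root.exe HTTP/1.0", {}),
          ("192.0.2.10", "GET /%72oot.exe HTTP/1.0", {}),
          ("198.51.100.7", "GET /index.html HTTP/1.1", {"Host": "example.test"}),
          ("203.0.113.5", "POST /form HTTP/1.1", {"Transfer-Encoding": "chunked"})]
```

With blocking disabled the daemon still records every hit, which corresponds to the watch-only mode the description mentions.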