I noticed a few w00tw00ts in our Apache2 logfile the other day, so I thought I would write a quick post on blocking them with iptables. Feel free to improve upon any of my scripts or ideas in this thread.
First of all, what is a w00tw00t and where might we find one?
Well, a w00tw00t is an signature left by a web vulnerability scanner called DFind that has the signature below and you can find them in your Apache logfiles, for example:
If you are like me, you would simply like to block IP addresses of people with nothing better to do than probe your web server (commonly called "losers"), so here goes:
First, you can download a list of know w00tw00t'ers using wget here, like so:
Then, it might be a good idea to scan your logs like I did above and append any w00tw00ts you see to that list:
You might have more than one w00tw00t IP address in your list now, so you might want to use awk to dedupe your w00tw00t_list:
Then move it back of course:
Now, with a nice w00tw00t_list in your directory, you can do something like:
I am pretty strict, and tend to block entire networks when we are probed, hence the /24 at the end of the IP address. You might want to be nicer than me and just block the IP ....
And you can check your iptables blocklist with:
However, before running your iptables script, make sure your IP address is not accidentally in the w00tw00t list :-)
Anyone care to combine all this into one great script? If so, please post back!
Happy w00tw00t blocking!
Last edited by Neo; 12-02-2009 at 08:48 AM..
Reason: updated grep
I have installed a linux 9 router/firewall and have issues with outside DNS queries making it in. here are my IPTABLE rules, can anyone make some suggestions?
ETH1 is my outside facing Interface, ETH0 is my inside facing interface.
Accept If input interface is not eth1
Accept If protocol is... (1 Reply)
I have installed a linux 9 router/firewall and have issues with outside DNS queries making it in. here are my IPTABLE rules, can anyone make some suggestions?
ETH1 is my outside facing Interface, ETH0 is my inside facing interface.
Accept If input interface is not eth1
Accept If protocol... (6 Replies)
I'm new to Linux and I made a big mistake at work recently locking myself out of our own server :(.
I did iptables -F first as the tutorial said and then entered the rules. I wanted to start over again so I did iptables -F and it locked us out. We had to get someone to physically restart... (0 Replies)
I am using BSD TCP sockets under Debian Linux 2.6 and no matter what I do, the socket blocks on recv.
I have set O_NONBLOCK and O_NDELAY using fcntl to no effect.
Any ideas ? (3 Replies)
Hello,
Would this be an acceptable way of creating a non-blocking pipe.
Basically I want to create kind of a server client arch.
This code would be in the server, and I don't want to have to wait for
clients to read before moving on to the next client. One problem I
can see is if... (4 Replies)
we have internal network 192.168.129.x for a system hosted with
pdf.xxx.xyz URL is already public accessible
but when try to connect as site (/ap/p.nt) of the URL pdf.xxx.xyz/ap/p.nt
restriction to be applied publicly except accessing internally
can anyone guide me on this?? (1 Reply)
Hi Folks
I have been debugging a script that is called every thirty seconds. Basically it is doing a ps, well two actually, one to file (read by the getline below) and the other into a pipe. The one into the pipe is: -
V_SYSVPS=/usr/sysv/bin/ps
$V_SYSVPS -p$PIDLIST -o$PSARGS... (0 Replies)
Hi!
I have a dedicated hosting working with 2 ips.
Is it possible to block all connections but 1 in all existing ports for only 1 of my ips?
I mean like, I have 2 ips for example: 190.x.x.5 and 190.x.x.6
I want that all the connections going to 190.x.x.6 in all ports get rejected but only 1... (7 Replies)
among the below socket programming api's, please let me know which are blocking and non-blocking.
socket
accept
bind
listen
write
read
close (2 Replies)
Just added these lines to our server firewall:
iptables -A INPUT -p tcp --dport 3306 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp --dport 3306 -j DROP
Even though mysql is configured to correctly only listen on port 127.0.0.1 we still see these mysql log file notes on a daily... (0 Replies)