Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: [Linux] Blocking Your w00tw00ts with iptables
Special Forums Cybersecurity [Linux] Blocking Your w00tw00ts with iptables Post 302374839 by Neo on Wednesday 25th of November 2009 02:47:33 PM
Old 11-25-2009
[Linux] Blocking Your w00tw00ts with iptables
I noticed a few w00tw00ts in our Apache2 logfile the other day, so I thought I would write a quick post on blocking them with iptables. Feel free to improve upon any of my scripts or ideas in this thread.

First of all, what is a w00tw00t and where might we find one?

Well, a w00tw00t is an signature left by a web vulnerability scanner called DFind that has the signature below and you can find them in your Apache logfiles, for example:

Code:
neo@forum:# grep "GET /w00tw00t.at.ISC.SANS.DFind:)" /website/logs/apache2/access.log
88.80.222.117 - - [25/Nov/2009:08:38:36 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 226 "-" "-"

If you are like me, you would simply like to block IP addresses of people with nothing better to do than probe your web server (commonly called "losers"), so here goes:

First, you can download a list of know w00tw00t'ers using wget here, like so:

Code:
wget http://www.novirusthanks.org/dfind-logs/ip-list;mv ip-list w00tw00t_list

Then, it might be a good idea to scan your logs like I did above and append any w00tw00ts you see to that list:

Code:
grep w00tw00t /website/logs/apache2/access.log | awk 'BEGIN { FS = " " } ; { print $1 }' >> w00tw00t_list

You might have more than one w00tw00t IP address in your list now, so you might want to use awk to dedupe your w00tw00t_list:

Code:
awk '{
if ($0 in stored_lines)
   x=1
else
   print
   stored_lines[$0]=1
}' w00tw00t_list > w00t_new

Then move it back of course:

Code:
mv w00t_new w00tw00t_list

Now, with a nice w00tw00t_list in your directory, you can do something like:

Code:
while read ip
do
iptables -A INPUT -s "$ip"/24 -j DROP
done < w00tw00t_list

I am pretty strict, and tend to block entire networks when we are probed, hence the /24 at the end of the IP address. You might want to be nicer than me and just block the IP ....

Code:
while read ip
do
iptables -A INPUT -s "$ip" -j DROP
done < w00tw00t_list

And you can check your iptables blocklist with:

Code:
iptables -L -n

However, before running your iptables script, make sure your IP address is not accidentally in the w00tw00t list :-)

Anyone care to combine all this into one great script? If so, please post back!

Happy w00tw00t blocking!
Last edited by Neo; 12-02-2009 at 08:48 AM.. Reason: updated grep
 

10 More Discussions You Might Find Interesting

1. UNIX for Advanced & Expert Users

LINUX 9 IPTABLES and DNS

I have installed a linux 9 router/firewall and have issues with outside DNS queries making it in. here are my IPTABLE rules, can anyone make some suggestions? ETH1 is my outside facing Interface, ETH0 is my inside facing interface. Accept If input interface is not eth1 Accept If protocol is... (1 Reply)
Discussion started by: frankkahle
1 Replies

2. Linux

LINUX 9 IPTABLES and DNS

I have installed a linux 9 router/firewall and have issues with outside DNS queries making it in. here are my IPTABLE rules, can anyone make some suggestions? ETH1 is my outside facing Interface, ETH0 is my inside facing interface. Accept If input interface is not eth1 Accept If protocol... (6 Replies)
Discussion started by: frankkahle
6 Replies

3. UNIX for Dummies Questions & Answers

Linux IPTABLES help

I'm new to Linux and I made a big mistake at work recently locking myself out of our own server :(. I did iptables -F first as the tutorial said and then entered the rules. I wanted to start over again so I did iptables -F and it locked us out. We had to get someone to physically restart... (0 Replies)
Discussion started by: nogumo
0 Replies

4. Programming

Linux BSD sockets blocking issue

I am using BSD TCP sockets under Debian Linux 2.6 and no matter what I do, the socket blocks on recv. I have set O_NONBLOCK and O_NDELAY using fcntl to no effect. Any ideas ? (3 Replies)
Discussion started by: johnmb
3 Replies

5. Shell Programming and Scripting

Non-blocking pipe

Hello, Would this be an acceptable way of creating a non-blocking pipe. Basically I want to create kind of a server client arch. This code would be in the server, and I don't want to have to wait for clients to read before moving on to the next client. One problem I can see is if... (4 Replies)
Discussion started by: cdlaforc
4 Replies

6. Debian

URL blocking with iptables

we have internal network 192.168.129.x for a system hosted with pdf.xxx.xyz URL is already public accessible but when try to connect as site (/ap/p.nt) of the URL pdf.xxx.xyz/ap/p.nt restriction to be applied publicly except accessing internally can anyone guide me on this?? (1 Reply)
Discussion started by: shrinuvas
1 Replies

7. UNIX for Advanced & Expert Users

ps blocking

Hi Folks I have been debugging a script that is called every thirty seconds. Basically it is doing a ps, well two actually, one to file (read by the getline below) and the other into a pipe. The one into the pipe is: - V_SYSVPS=/usr/sysv/bin/ps $V_SYSVPS -p$PIDLIST -o$PSARGS... (0 Replies)
Discussion started by: steadyonabix
0 Replies

8. UNIX for Dummies Questions & Answers

Linux iptables -> is it possible?

Hi! I have a dedicated hosting working with 2 ips. Is it possible to block all connections but 1 in all existing ports for only 1 of my ips? I mean like, I have 2 ips for example: 190.x.x.5 and 190.x.x.6 I want that all the connections going to 190.x.x.6 in all ports get rejected but only 1... (7 Replies)
Discussion started by: Kekox
7 Replies

9. Programming

Which are blocking and non-blocking api's in sockets in C ?

among the below socket programming api's, please let me know which are blocking and non-blocking. socket accept bind listen write read close (2 Replies)
Discussion started by: VSSajjan
2 Replies

10. Cybersecurity

Blocking 3306 with iptables -A INPUT -p tcp --dport 3306

Just added these lines to our server firewall: iptables -A INPUT -p tcp --dport 3306 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT iptables -A INPUT -p tcp --dport 3306 -j DROP Even though mysql is configured to correctly only listen on port 127.0.0.1 we still see these mysql log file notes on a daily... (0 Replies)
Discussion started by: Neo
0 Replies
All times are GMT -4. The time now is 12:11 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy