[Linux] Blocking Your w00tw00ts with iptables


 
Thread Tools Search this Thread
Special Forums Cybersecurity [Linux] Blocking Your w00tw00ts with iptables
# 1  
Old 11-25-2009
[Linux] Blocking Your w00tw00ts with iptables

I noticed a few w00tw00ts in our Apache2 logfile the other day, so I thought I would write a quick post on blocking them with iptables. Feel free to improve upon any of my scripts or ideas in this thread.

First of all, what is a w00tw00t and where might we find one?

Well, a w00tw00t is an signature left by a web vulnerability scanner called DFind that has the signature below and you can find them in your Apache logfiles, for example:

Code:
neo@forum:# grep "GET /w00tw00t.at.ISC.SANS.DFind:)" /website/logs/apache2/access.log
88.80.222.117 - - [25/Nov/2009:08:38:36 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 226 "-" "-"

If you are like me, you would simply like to block IP addresses of people with nothing better to do than probe your web server (commonly called "losers"), so here goes:

First, you can download a list of know w00tw00t'ers using wget here, like so:

Code:
wget http://www.novirusthanks.org/dfind-logs/ip-list;mv ip-list w00tw00t_list

Then, it might be a good idea to scan your logs like I did above and append any w00tw00ts you see to that list:

Code:
grep w00tw00t /website/logs/apache2/access.log | awk 'BEGIN { FS = " " } ; { print $1 }' >> w00tw00t_list

You might have more than one w00tw00t IP address in your list now, so you might want to use awk to dedupe your w00tw00t_list:

Code:
awk '{
if ($0 in stored_lines)
   x=1
else
   print
   stored_lines[$0]=1
}' w00tw00t_list > w00t_new

Then move it back of course:

Code:
mv w00t_new w00tw00t_list

Now, with a nice w00tw00t_list in your directory, you can do something like:

Code:
while read ip
do
iptables -A INPUT -s "$ip"/24 -j DROP
done < w00tw00t_list

I am pretty strict, and tend to block entire networks when we are probed, hence the /24 at the end of the IP address. You might want to be nicer than me and just block the IP ....

Code:
while read ip
do
iptables -A INPUT -s "$ip" -j DROP
done < w00tw00t_list

And you can check your iptables blocklist with:

Code:
iptables -L -n

However, before running your iptables script, make sure your IP address is not accidentally in the w00tw00t list :-)

Anyone care to combine all this into one great script? If so, please post back!

Happy w00tw00t blocking!

Last edited by Neo; 12-02-2009 at 08:48 AM.. Reason: updated grep
# 2  
Old 11-25-2009
It was such an inviting possibility for some evening fun so let's have a crack at it!

(NOT tested)
Code:
#/bin/sh
#good (?) working dir
cd /tmp
#Get a fresh list? do rm w00tw00t_list first
#I lynx...
[ -r w00tw00t_list ] || lynx -dump http://www.novirusthanks.org/dfind-logs/ip-list > w00tw00t_list
#append unique entries from weblog
grep w00tw00t /website/logs/apache2/access.log | cut -d" " -f1 |sort -u >> w00tw00t_list
#apply ip rules
while read ip; do iptables -A INPUT -s "$ip"/24 -j DROP; done < w00tw00t_list
#List resulting block list
iptables -L -n

Best regards,
Lakris
# 3  
Old 11-25-2009
Quote:
Originally Posted by Neo
If you are like me, you would simply like to block IP addresses of people with nothing better to do than probe your web server
Nice write-up but it's a non-standard and maintenance-prone "solution". Maybe people not like you (;-p) should choose a combination of iptables rate limiting, webserver "BrowserMatch" and mod_security filtering instead?..
# 4  
Old 11-25-2009
Quote:
Originally Posted by unSpawn
Nice write-up but it's a non-standard and maintenance-prone "solution". Maybe people not like you (;-p) should choose a combination of iptables rate limiting, webserver "BrowserMatch" and mod_security filtering instead?..
Great! Describe your implementation "step-by-step" in a detailed write-up and avoid hand-waving and we'll have a look Smilie

PS (Edit): mod_security can be a very big performance killer on a very busy web server.... intercepting every URL and trying to match each one against a long list of rules can kill performance.




---------- Post updated at 23:23 ---------- Previous update was at 23:00 ----------

Quote:
Originally Posted by Lakris
It was such an inviting possibility for some evening fun so let's have a crack at it!

(NOT tested)
Code:
#/bin/sh
#good (?) working dir
cd /tmp
#Get a fresh list? do rm w00tw00t_list first
#I lynx...
[ -r w00tw00t_list ] || lynx -dump http://www.novirusthanks.org/dfind-logs/ip-list > w00tw00t_list
#append unique entries from weblog
grep w00tw00t /website/logs/apache2/access.log | cut -d" " -f1 |sort -u >> w00tw00t_list
#apply ip rules
while read ip; do iptables -A INPUT -s "$ip"/24 -j DROP; done < w00tw00t_list
#List resulting block list
iptables -L -n

Best regards,
Lakris
I like it, especially using cut and sort versus awk. I always use wget, so I should look into using lynx from time-to-time!
# 5  
Old 11-26-2009
Quote:
Originally Posted by Neo
Describe your implementation "step-by-step" in a detailed write-up
Those disappointed by the lack of details handouts sure could call it RTF(ine)M or accuse me of handwaving, NP, but anyone with basic GNU/Linux admin skills (as in knowing how to read the documentation) should be able to cobble up the parts themselves.


Quote:
Originally Posted by Neo
PS (Edit): mod_security can be a very big performance killer on a very busy web server.... intercepting every URL and trying to match each one against a long list of rules can kill performance.
Sure performance-wise you'll want to filter like "DynamicOnly", not log what you don't need and group regular expressions, but "very big performance killer"? Naw, I'd call that unsubstantiated if presented without cold hard numbers...


BTW, about the script, having a separate chain instead of putting everything in INPUT allows you to route traffic in a more fine-grained way. The script then essentially could be compressed to a oneliner something like:
Code:
iptables -F BLOCKCHAIN || iptables -N BLOCKCHAIN; ( curl -s http://www.novirusthanks.org/dfind-logs/ip-list | grep -v '#"; awk '/w00tw00t/ {print $2}' /var/log/httpd/*access* ) | sort -u | xargs -iX iptables -A BLOCKCHAIN -s 'X' -j DROP

Top of my head though, untested, so YMMV(VM).
# 6  
Old 11-29-2009
Our experience is everything contributes to performance and applying something to the front end of the web server will definitely effect performance.

When you discount performance off-hand, I can only assume you do not operate a web server with thousands of concurrent users and millions of PVs a month.

Everything effects performance. Everything. Web operators talk performance. It is one of our favorite topics!

I think you may be arguing for the sake of argument. Just a simple Google search yields the article, 4 reasons not to use mod_security, concluding,
Quote:
And they're built to scale, which means the scenario in which mod_security is used as a reverse proxy to protect all web servers from harm but quickly becomes a bottleneck and impediment to performance doesn't happen with purpose-built web application firewalls.
So, my impression is that you don't operate a web server with millions of PVs a month and thousands of concurrent users at peak, because even off loading tiny gif and jpg icons, which seems trival and small, can significantly reduce Apache2 workers and CPU load, etc.

Computing is all about performance optimization.

Having said that, we are considering mod_security for emergencies and temporary stop gaps until we can put a better performing solution in place in certain scenarios. It is certainly possible the performance hit will be small; but from what I have read about mod_security, and experiences here, it will certainly have
an impact on performance.

---------- Post updated at 21:04 ---------- Previous update was at 20:56 ----------

Speaking of mod_security performance quotes, I think this quote from Securing Apache Web Server with mod_security in the Linux Gazette sums it up nicely:

Quote:
Performance and Deployment

Everything has a price and so does filtering HTTP requests. mod_security needs to holds the request in a buffer or has to store it to a temporary file. You have to take this into account. The parsing add a little overhead in terms of CPU cycles to the web server as well. If you install the module on a server that already has performance issues things won't get better. That's what the reverse proxy method is for. Hard hit sites probably won't go anywhere without additional proxies.


---------- Post updated at 21:16 ---------- Previous update was at 21:04 ----------

I like parts of this quote from Basics of mod_security:

Quote:
Mod_Security does come with a performance cost, however, the security benefits far outweight the performance cost
.

Regarding the second statement, that is really relative to overall performance of the server. It is very easy for big servers will smallish loads to say "security over performance".

Editorial Comments:

If security was always preferable to performance, then F1 race cars would be built with heavier material Smilie

There is no shortage of self-proclaimed security experts in the world who ignore performance, in my experience in IT security most of my career.
# 7  
Old 12-02-2009
To Followup.......

When you are searching your logfiles for w00tw00ts, be careful not to mistakenly identify legitimate requests from friendly hosts, for example, requests for posts with w00tw00t in the URL who might be reading a post you have on the topic Smilie

I updated my example to reflect this:

Code:
grep "GET /w00tw00t.at.ISC.SANS.DFind:)" /website/logs/apache2/access.log

Login or Register to Ask a Question

Previous Thread | Next Thread

10 More Discussions You Might Find Interesting

1. Cybersecurity

Blocking 3306 with iptables -A INPUT -p tcp --dport 3306

Just added these lines to our server firewall: iptables -A INPUT -p tcp --dport 3306 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT iptables -A INPUT -p tcp --dport 3306 -j DROP Even though mysql is configured to correctly only listen on port 127.0.0.1 we still see these mysql log file notes on a daily... (0 Replies)
Discussion started by: Neo
0 Replies

2. Programming

Which are blocking and non-blocking api's in sockets in C ?

among the below socket programming api's, please let me know which are blocking and non-blocking. socket accept bind listen write read close (2 Replies)
Discussion started by: VSSajjan
2 Replies

3. UNIX for Dummies Questions & Answers

Linux iptables -> is it possible?

Hi! I have a dedicated hosting working with 2 ips. Is it possible to block all connections but 1 in all existing ports for only 1 of my ips? I mean like, I have 2 ips for example: 190.x.x.5 and 190.x.x.6 I want that all the connections going to 190.x.x.6 in all ports get rejected but only 1... (7 Replies)
Discussion started by: Kekox
7 Replies

4. UNIX for Advanced & Expert Users

ps blocking

Hi Folks I have been debugging a script that is called every thirty seconds. Basically it is doing a ps, well two actually, one to file (read by the getline below) and the other into a pipe. The one into the pipe is: - V_SYSVPS=/usr/sysv/bin/ps $V_SYSVPS -p$PIDLIST -o$PSARGS... (0 Replies)
Discussion started by: steadyonabix
0 Replies

5. Debian

URL blocking with iptables

we have internal network 192.168.129.x for a system hosted with pdf.xxx.xyz URL is already public accessible but when try to connect as site (/ap/p.nt) of the URL pdf.xxx.xyz/ap/p.nt restriction to be applied publicly except accessing internally can anyone guide me on this?? (1 Reply)
Discussion started by: shrinuvas
1 Replies

6. Shell Programming and Scripting

Non-blocking pipe

Hello, Would this be an acceptable way of creating a non-blocking pipe. Basically I want to create kind of a server client arch. This code would be in the server, and I don't want to have to wait for clients to read before moving on to the next client. One problem I can see is if... (4 Replies)
Discussion started by: cdlaforc
4 Replies

7. Programming

Linux BSD sockets blocking issue

I am using BSD TCP sockets under Debian Linux 2.6 and no matter what I do, the socket blocks on recv. I have set O_NONBLOCK and O_NDELAY using fcntl to no effect. Any ideas ? (3 Replies)
Discussion started by: johnmb
3 Replies

8. UNIX for Dummies Questions & Answers

Linux IPTABLES help

I'm new to Linux and I made a big mistake at work recently locking myself out of our own server :(. I did iptables -F first as the tutorial said and then entered the rules. I wanted to start over again so I did iptables -F and it locked us out. We had to get someone to physically restart... (0 Replies)
Discussion started by: nogumo
0 Replies

9. Linux

LINUX 9 IPTABLES and DNS

I have installed a linux 9 router/firewall and have issues with outside DNS queries making it in. here are my IPTABLE rules, can anyone make some suggestions? ETH1 is my outside facing Interface, ETH0 is my inside facing interface. Accept If input interface is not eth1 Accept If protocol... (6 Replies)
Discussion started by: frankkahle
6 Replies

10. UNIX for Advanced & Expert Users

LINUX 9 IPTABLES and DNS

I have installed a linux 9 router/firewall and have issues with outside DNS queries making it in. here are my IPTABLE rules, can anyone make some suggestions? ETH1 is my outside facing Interface, ETH0 is my inside facing interface. Accept If input interface is not eth1 Accept If protocol is... (1 Reply)
Discussion started by: frankkahle
1 Replies
Login or Register to Ask a Question