DFind is the vulnerability scanner generating the “w00tw00t.at.ISC.SANS.DFind” HTTP requests found in web server logs. This guide sets up some iptables rules blocking these requests. A better method is to use fail2ban to block the sources of these requests.

This howto is tested on:

  • Debian 6.0 Squeeze

Installation

Detect whether sudo is available (“command” is used instead if it is not):

cmdProxy='command'
command type -f 'sudo' &>'/dev/null' && cmdProxy='sudo'

Blocking DFind requests (W00tW00t)

Install the iptables rules so that they are loaded on network interface activation:

${cmdProxy} wget 'https://raw.githubusercontent.com/biapy/howto.biapy.com/master/deprecated/00-iptables-no-woot' \
    --output-document='/etc/network/if-up.d/00-iptables-no-woot'
${cmdProxy} chmod +x '/etc/network/if-up.d/00-iptables-no-woot'

Load the iptables rules immediately:

${cmdProxy} '/etc/network/if-up.d/00-iptables-no-woot'

Ideally, fully reset the current iptables settings by rebooting the system.
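The w00tw00t requests are easy to spot in the access log, and fail2ban works from exactly that signal. The following is an added example (not part of the original howto, and not the content of the 00-iptables-no-woot file) that counts DFind probes per source address in combined-format access logs; the log lines in sampleLog are constructed for the demo, with documentation-range addresses.

```shell
#!/bin/sh
# Added example: count DFind "w00tw00t" probe requests per source address in
# Apache/nginx combined-format access logs (the same signal a fail2ban jail
# would act on). All sample log lines are constructed for this demo.

# Print "count ip" pairs, highest count first, for requests whose URL contains
# the DFind marker. Reads combined-format log lines from stdin; the first
# field of each line is the client address.
dfindSources() {
    grep -F 'w00tw00t.at.ISC.SANS.DFind' \
        | awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' \
        | sort -rn
}

# Same, but print only the sources that reached a threshold (default 2 hits),
# comparable to the "maxretry" value of a fail2ban jail.
dfindSourcesOver() {
    dfindSources | awk -v min="${1:-2}" '$1 >= min { print $2 }'
}

# Constructed sample log (not real traffic): two scanning sources, one of which
# probes twice, plus ordinary requests that must not be counted.
sampleLog() {
    cat <<'EOF'
203.0.113.7 - - [10/Oct/2012:13:55:36 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 0 "-" "-"
203.0.113.7 - - [10/Oct/2012:13:55:37 +0000] "GET /phpMyAdmin/ HTTP/1.1" 404 210 "-" "-"
198.51.100.23 - - [10/Oct/2012:14:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2012:14:02:12 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 0 "-" "-"
203.0.113.7 - - [10/Oct/2012:15:10:01 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 0 "-" "-"
EOF
}

# Demo run on the constructed log (replace sampleLog with
# "cat /var/log/apache2/access.log" on a real server).
echo "DFind probes per source:"
sampleLog | dfindSources
echo "Sources at or above 2 probes:"
sampleLog | dfindSourcesOver 2
```

On a live server the functions read the real log on stdin; the threshold given to dfindSourcesOver is the point at which fail2ban would ban the source.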

Blocking HTTP requests using an IP address as hostname

Most vulnerability scanners use the server IP address as hostname (“http://xx.xx.xx.xx/”).

Settings

Provide the name of the protected network interface:

netDev="eth0"

Configuration

Detect the public IP address of the HTTP server (or set it manually, depending on the watched network interface):

publicIp="$(command wget --quiet 'http://www.monip.org/' \
        --output-document=- \
    | command grep 'IP :' \
    | command cut --characters=-80 \
    | command sed -e 's/^.* \(\([0-9]\{1,3\}\.\)\{3\}[0-9]\{1,3\}\).*$/\1/')"

Convert the public IP to hexadecimal:

hexIp="$(command echo -n "Host: ${publicIp}" \
    | command od -An -tx1 -w250)"

Detect the watched interface IP address:

netIp="$(command ip addr show "${netDev}" \
    | command grep --max-count=1 'inet ' \
    | command sed -e 's/^.*inet \([^\/]*\)\/.*$/\1/')"

Set up an iptables rule that blocks HTTP requests where the network interface IP address is used as host name:

properIp="${publicIp//./-}"
nospaceHexIp="${hexIp// /}"
${cmdProxy} tee "/etc/network/if-up.d/01-iptables-block-${properIp}" \
  <<< "#"\!"/bin/bash
if [ -z \"\$(command iptables -L INPUT | command grep '${nospaceHexIp}')\" ]; then
  command iptables -I INPUT -d ${netIp} -p tcp --dport 80 -m string --to 700 \\
    --algo bm --hex-string '|0d 0a ${hexIp} 0d 0a|' -j DROP
fi" 
${cmdProxy} chmod +x "/etc/network/if-up.d/01-iptables-block-${properIp}"

Load the rules:

${cmdProxy} "/etc/network/if-up.d/01-iptables-block-${properIp}"
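The rule above works by matching the raw bytes of a "Host: <ip>" header, CRLF-delimited, anywhere in the first 700 bytes of the TCP payload. The following is an added example (not part of the original howto) that builds the same hex pattern from an IP address, prints the resulting iptables command without running it, and dry-runs the match against constructed sample requests so the effect can be checked before touching the firewall. The function names and the sample requests are the example's own.

```shell
#!/bin/bash
# Added example: build the "Host: <ip>" hex pattern the guide feeds to
# iptables, show the DROP rule it produces, and simulate the string match on
# constructed requests. Nothing here calls iptables; it only builds text.
set -u

# Hex bytes of "Host: <ip>", space separated, using the same od conversion the
# guide uses (made portable across od implementations by joining lines).
hostHeaderHex() {
    printf 'Host: %s' "$1" | od -An -v -tx1 | tr '\n' ' ' | tr -s ' ' \
        | sed -e 's/^ //' -e 's/ $//'
}

# Full iptables --hex-string pattern: CRLF, the Host header, CRLF.
hostHeaderPattern() {
    printf '|0d 0a %s 0d 0a|' "$(hostHeaderHex "$1")"
}

# Build (but do not run) the rule the guide installs.
# $1 = interface address to protect, $2 = public address used in the Host header.
buildDropRule() {
    printf "iptables -I INPUT -d %s -p tcp --dport 80 -m string --to 700 --algo bm --hex-string '%s' -j DROP\n" \
        "$1" "$(hostHeaderPattern "$2")"
}

# Dry run of the string match: read a raw request on stdin and return 0 if the
# rule for $1 would drop it, 1 otherwise. Both sides are compared as compact hex,
# mirroring the grep the guide's if-up script does against "iptables -L".
requestWouldBeDropped() {
    local needle haystack
    needle="$(hostHeaderPattern "$1" | tr -d '| ')"
    haystack="$(od -An -v -tx1 | tr -d ' \n')"
    case "$haystack" in
        *"$needle"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample requests (not captured traffic): a scanner-style request
# that addresses the server by IP, and a normal request with a real hostname.
scannerRequest() { printf 'GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1\r\nHost: %s\r\n\r\n' "$1"; }
normalRequest()  { printf 'GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n'; }

# Demo with documentation-range addresses in place of netIp and publicIp.
buildDropRule 192.0.2.10 192.0.2.10
if scannerRequest 192.0.2.10 | requestWouldBeDropped 192.0.2.10; then
    echo "scanner request: DROP"
fi
if ! normalRequest | requestWouldBeDropped 192.0.2.10; then
    echo "normal request: ACCEPT"
fi
```

The dry run is also a reminder of the rule's limits: it only inspects the first 700 bytes, and only drops requests whose Host header is exactly the public address, so a client naming the server by hostname is unaffected.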