DFind is the vulnerability scanner that generates the “w00tw00t.at.ISC.SANS.DFind” HTTP requests found in web server logs. This guide sets up iptables rules that block these requests. A better method is to use fail2ban to block the sources of these requests.
This howto is tested on:
- Debian 6.0 Squeeze
Installation
Detect whether sudo is available (“command” is used if it is not):
cmdProxy='command'
command type -f 'sudo' &>'/dev/null' && cmdProxy='sudo'
Blocking DFind requests (W00tW00t)
Install the iptables rules so that they are loaded when the network interfaces are activated:
${cmdProxy} wget 'https://raw.githubusercontent.com/biapy/howto.biapy.com/master/deprecated/00-iptables-no-woot' \
--output-document='/etc/network/if-up.d/00-iptables-no-woot'
${cmdProxy} chmod +x '/etc/network/if-up.d/00-iptables-no-woot'
Load the iptables rules immediately:
${cmdProxy} '/etc/network/if-up.d/00-iptables-no-woot'
Ideally, completely reset the current iptables state by rebooting the system.
Blocking HTTP requests using an IP address as hostname
Most vulnerability scanners use the server IP address as the hostname (“http://xx.xx.xx.xx/”).
Settings
Provide the name of the protected network interface:
netDev="eth0"
Configuration
Detect the public IP address of the HTTP server (or set it manually, depending on the watched network interface):
publicIp="$(command wget --quiet 'http://www.monip.org/' \
--output-document=- \
| command grep 'IP :' \
| command cut --characters=-80 \
| command sed -e 's/^.* \(\([0-9]\{1,3\}\.\)\{3\}[0-9]\{1,3\}\).*$/\1/')"
Convert the public IP to hexadecimal:
hexIp="$(command echo -n "Host: ${publicIp}" \
| command od -An -tx1 -w250)"
Detect the watched interface IP address:
netIp="$(command ip addr show "${netDev}" \
| command grep --max-count=1 'inet ' \
| command sed -e 's/^.*inet \([^\/]*\)\/.*$/\1/')"
Set up an iptables rule that blocks HTTP requests where the network interface IP address is used as the host name:
properIp="${publicIp//./-}"
nospaceHexIp="${hexIp// /}"
${cmdProxy} tee "/etc/network/if-up.d/01-iptables-block-${properIp}" \
<<< "#"\!"/bin/bash
if [ -z \"\$(command iptables -L INPUT | command grep '${nospaceHexIp}')\" ]; then
command iptables -I INPUT -d ${netIp} -p tcp --dport 80 -m string --to 700 \\
--algo bm --hex-string '|0d 0a ${hexIp} 0d 0a|' -j DROP
fi"
${cmdProxy} chmod +x "/etc/network/if-up.d/01-iptables-block-${properIp}"
Load the rules:
${cmdProxy} "/etc/network/if-up.d/01-iptables-block-${properIp}"
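The three text transformations of the Configuration section (extracting the public IPv4 address from a page, reading the interface address out of `ip addr` output, and turning "Host: <ip>" into the hex form iptables expects) are wrapped below in functions that take their input as text, so the whole chain can be checked offline. This is an added example written for this page, not code from the original howto or from its 01-iptables-block script; the function names and the sample monip.org, `ip addr` and `iptables -L` lines are constructed, and the addresses are documentation ranges. It also shows why the script keeps two forms of the hex string: `--hex-string` takes space-separated bytes, while `iptables -L` prints the loaded match without spaces, and the presence check greps for that second form so the if-up.d script stays idempotent across repeated interface activations. The CRLF bytes on both sides of the header are what restrict the match to a complete `Host:` line, and `--to 700` means only the first 700 bytes of the payload are inspected.

```shell
#!/bin/bash
# Added example (not part of the original howto): the Configuration section's
# transformations as testable functions operating on text passed in.
# Function names and sample inputs below are constructed for this example.

# extract_ipv4 LINE -> the first dotted quad preceded by a space, using the
# howto's own sed expression (what it applies to the monip.org page).
extract_ipv4() {
    printf '%s\n' "$1" \
        | sed -e 's/^.* \(\([0-9]\{1,3\}\.\)\{3\}[0-9]\{1,3\}\).*$/\1/'
}

# iface_ipv4 IP_ADDR_OUTPUT -> the first IPv4 address in `ip addr show` text
# ('inet ' with a trailing space does not match the 'inet6' lines).
iface_ipv4() {
    printf '%s\n' "$1" \
        | grep -m 1 'inet ' \
        | sed -e 's/^.*inet \([^\/]*\)\/.*$/\1/'
}

# host_header_hex IP -> space-separated hex bytes of "Host: IP", the form
# --hex-string accepts. od prints 16 bytes per line, so lines are joined
# and surrounding whitespace trimmed.
host_header_hex() {
    printf 'Host: %s' "$1" | od -An -tx1 -v | tr '\n' ' ' | tr -s ' ' \
        | sed -e 's/^ //' -e 's/ $//'
}

# listing_hex IP -> the same bytes without spaces, which is how
# `iptables -L INPUT` prints a loaded string match.
listing_hex() {
    host_header_hex "$1" | tr -d ' '
}

# drop_rule HOST_IP DEST_IP -> the iptables command line (printed, not run).
# The 0d 0a bytes on both sides anchor the match to a whole Host header line.
drop_rule() {
    printf "iptables -I INPUT -d %s -p tcp --dport 80 -m string --to 700 --algo bm --hex-string '|0d 0a %s 0d 0a|' -j DROP\n" \
        "$2" "$(host_header_hex "$1")"
}

# rule_present LISTING HOST_IP -> success when LISTING (captured output of
# `iptables -L INPUT`) already contains the match for HOST_IP.
rule_present() {
    printf '%s\n' "$1" | grep -q "$(listing_hex "$2")"
}

# Constructed sample input (documentation addresses, not real hosts).
SAMPLE_MONIP='<title>IP : 203.0.113.42</title>'
SAMPLE_IP_ADDR='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    link/ether 00:00:5e:00:53:01 brd ff:ff:ff:ff:ff:ff
    inet 198.51.100.7/24 brd 198.51.100.255 scope global eth0
    inet6 2001:db8::1/64 scope global'

main() {
    publicIp="$(extract_ipv4 "$SAMPLE_MONIP")"
    netIp="$(iface_ipv4 "$SAMPLE_IP_ADDR")"
    echo "public IP:    ${publicIp}"
    echo "interface IP: ${netIp}"
    echo "rule:         $(drop_rule "$publicIp" "$netIp")"
    echo "listing form: $(listing_hex "$publicIp")"
}

main
```

Run it as-is to see the generated rule for the sample addresses; to reuse it on a real host, replace the two constructed samples with the live `wget` and `ip addr show` output from the Configuration section and execute the printed rule with the usual privileges.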