[Linux] Blocking Your w00tw00ts with iptables

I noticed a few w00tw00ts in our Apache2 logfile the other day, so I thought I would write a quick post on blocking them with iptables. Feel free to improve upon any of my scripts or ideas in this thread.

First of all, what is a w00tw00t and where might we find one?

Well, a w00tw00t is a signature left by a web vulnerability scanner called DFind. It looks like the line below, and you can find them in your Apache logfiles, for example:

neo@forum:# grep "GET /w00tw00t.at.ISC.SANS.DFind:)" /website/logs/apache2/access.log
88.80.222.117 - - [25/Nov/2009:08:38:36 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 226 "-" "-"

If you are like me, you would simply like to block IP addresses of people with nothing better to do than probe your web server (commonly called "losers"), so here goes:

First, you can download a list of known w00tw00t'ers using wget here, like so:

wget http://www.novirusthanks.org/dfind-logs/ip-list && mv ip-list w00tw00t_list

Then, it might be a good idea to scan your logs like I did above and append any w00tw00ts you see to that list:

grep w00tw00t /website/logs/apache2/access.log | awk 'BEGIN { FS = " " } ; { print $1 }' >> w00tw00t_list

You might have more than one w00tw00t IP address in your list now, so you might want to use awk to dedupe your w00tw00t_list:

awk '{
  if ($0 in stored_lines) {
    next                      # already seen, skip this line
  } else {
    print                     # first occurrence, keep it
    stored_lines[$0] = 1
  }
}' w00tw00t_list > w00t_new

Then move it back of course:

mv w00t_new w00tw00t_list

Now, with a nice w00tw00t_list in your directory, you can do something like:

while read ip
do
iptables -A INPUT -s "$ip"/24 -j DROP
done < w00tw00t_list

I am pretty strict, and tend to block entire networks when we are probed, hence the /24 at the end of the IP address. You might want to be nicer than me and just block the IP ....

while read ip
do
iptables -A INPUT -s "$ip" -j DROP
done < w00tw00t_list

And you can check your iptables blocklist with:

iptables -L -n

However, before running your iptables script, make sure your IP address is not accidentally in the w00tw00t list :slight_smile:

Anyone care to combine all this into one great script? If so, please post back!

Happy w00tw00t blocking!
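As an added example (not a script from this thread), here is the procedure above put together in POSIX sh with the two checks the post asks for: only the exact DFind request line is matched, so a visitor reading a page with "w00tw00t" in its URL is not flagged, and a whitelist of your own addresses is filtered out before deduplication. It also goes one step beyond the post by emitting the rules into a dedicated chain that is flushed on every run instead of appending to INPUT forever. The log lines, IP addresses and the chain name W00TW00T are constructed for the example; the script only prints the iptables commands for review.

```shell
#!/bin/sh
# Constructed Apache access log lines (addresses from documentation ranges).
SAMPLE_LOG='192.0.2.10 - - [25/Nov/2009:08:38:36 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 226 "-" "-"
198.51.100.7 - - [25/Nov/2009:09:01:02 +0000] "GET /forum/w00tw00t-blocking.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.0.2.10 - - [25/Nov/2009:09:15:44 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 226 "-" "-"
203.0.113.5 - - [25/Nov/2009:10:00:00 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 226 "-" "-"
192.0.2.99 - - [25/Nov/2009:10:05:00 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 226 "-" "-"'

# Assumption: your own monitoring host is 192.0.2.99; it must never be blocked.
WHITELIST='192.0.2.99'

# One offending client IP per line, whitelist removed, duplicates collapsed.
# Matching the full DFind path (not just "w00tw00t") leaves 198.51.100.7 alone.
w00t_ips() {
    printf '%s\n' "$SAMPLE_LOG" \
      | grep -F 'GET /w00tw00t.at.ISC.SANS.DFind:)' \
      | cut -d' ' -f1 \
      | grep -vxF "$WHITELIST" \
      | sort -u
}

# Print the iptables commands instead of running them. The chain is created
# once and flushed on later runs, so stale addresses do not pile up in INPUT.
w00t_rules() {
    printf 'iptables -N W00TW00T 2>/dev/null || iptables -F W00TW00T\n'
    printf 'iptables -C INPUT -j W00TW00T 2>/dev/null || iptables -I INPUT -j W00TW00T\n'
    w00t_ips | while read -r ip; do
        printf 'iptables -A W00TW00T -s %s -j DROP\n' "$ip"
    done
}

w00t_rules
```

Review the printed rules, then pipe `w00t_rules` into `sh` as root to apply them; swap SAMPLE_LOG for `cat /website/logs/apache2/access.log` for real use.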

It was such an inviting possibility for some evening fun so let's have a crack at it!

(NOT tested)

#!/bin/sh
# good (?) working dir
cd /tmp
# Get a fresh list? do rm w00tw00t_list first
# I lynx...
[ -r w00tw00t_list ] || lynx -dump http://www.novirusthanks.org/dfind-logs/ip-list > w00tw00t_list
# append unique entries from weblog
grep w00tw00t /website/logs/apache2/access.log | cut -d" " -f1 | sort -u >> w00tw00t_list
# apply ip rules
while read ip; do iptables -A INPUT -s "$ip"/24 -j DROP; done < w00tw00t_list
# List resulting block list
iptables -L -n

Best regards,
Lakris

Nice write-up but it's a non-standard and maintenance-prone "solution". Maybe people not like you (;-p) should choose a combination of iptables rate limiting, webserver "BrowserMatch" and mod_security filtering instead?..

Great! Describe your implementation "step-by-step" in a detailed write-up and avoid hand-waving and we'll have a look :smiley:

PS (Edit): mod_security can be a very big performance killer on a very busy web server.... intercepting every URL and trying to match each one against a long list of rules can kill performance.

---------- Post updated at 23:23 ---------- Previous update was at 23:00 ----------

I like it, especially using cut and sort versus awk. I always use wget, so I should look into using lynx from time to time!

Those disappointed by the lack of detailed handouts sure could call it RTF(ine)M or accuse me of handwaving, NP, but anyone with basic GNU/Linux admin skills (as in knowing how to read the documentation) should be able to cobble up the parts themselves.

Sure performance-wise you'll want to filter like "DynamicOnly", not log what you don't need and group regular expressions, but "very big performance killer"? Naw, I'd call that unsubstantiated if presented without cold hard numbers...

BTW, about the script, having a separate chain instead of putting everything in INPUT allows you to route traffic in a more fine-grained way. The script then essentially could be compressed to a one-liner something like:

iptables -F BLOCKCHAIN || iptables -N BLOCKCHAIN; ( curl -s http://www.novirusthanks.org/dfind-logs/ip-list | grep -v '#'; awk '/w00tw00t/ {print $1}' /var/log/httpd/*access* ) | sort -u | xargs -I X iptables -A BLOCKCHAIN -s X -j DROP

Top of my head though, untested, so YMMV(VM).

Our experience is everything contributes to performance and applying something to the front end of the web server will definitely affect performance.

When you discount performance off-hand, I can only assume you do not operate a web server with thousands of concurrent users and millions of PVs a month.

Everything affects performance. Everything. Web operators talk performance. It is one of our favorite topics!

I think you may be arguing for the sake of argument. Just a simple Google search yields the article, 4 reasons not to use mod_security, concluding,

So, my impression is that you don't operate a web server with millions of PVs a month and thousands of concurrent users at peak, because even offloading tiny gif and jpg icons, which seems trivial and small, can significantly reduce Apache2 workers and CPU load, etc.

Computing is all about performance optimization.

Having said that, we are considering mod_security for emergencies and temporary stop gaps until we can put a better performing solution in place in certain scenarios. It is certainly possible the performance hit will be small; but from what I have read about mod_security, and experiences here, it will certainly have an impact on performance.

---------- Post updated at 21:04 ---------- Previous update was at 20:56 ----------

Speaking of mod_security performance quotes, I think this quote from Securing Apache Web Server with mod_security in the Linux Gazette sums it up nicely:

---------- Post updated at 21:16 ---------- Previous update was at 21:04 ----------

I like parts of this quote from Basics of mod_security:


Regarding the second statement, that is really relative to overall performance of the server. It is very easy for big servers with smallish loads to say "security over performance".

Editorial Comments:

If security was always preferable to performance, then F1 race cars would be built with heavier material :wink:

There is no shortage of self-proclaimed security experts in the world who ignore performance, in my experience in IT security most of my career.

To Followup.......

When you are searching your logfiles for w00tw00ts, be careful not to mistakenly identify legitimate requests from friendly hosts, for example, requests for posts with w00tw00t in the URL who might be reading a post you have on the topic :wink:

I updated my example to reflect this:

grep "GET /w00tw00t.at.ISC.SANS.DFind:)" /website/logs/apache2/access.log

I think it is great you emphasize the importance of performance but continuing to put emphasis on it begs the question why you did not see fit to address it in your OP (original post)?

By introducing this argument you imply that you do. Besides, you know what assumptions make.

Mod_security can have an impact performance-wise. I don't disagree with that (as I've stated already). But the fact that you counter by just quoting two or more year old articles (one of which used ModSecurity v1 rules instead of ModSecurity v2) and neglect to seize the offered opportunity to back up your claim by presenting numbers (like this?) doesn't help me address this part of the discussion.

  • BTW, comments like this, just like your previous "hand waving" comment, are utterly unnecessary as they do not help discussion and understanding. Perception-wise they tell readers more about you than they do about me.

OK. Let's see if I can help you address some shortcomings that will impact performance:
0. I did not present a huge list of filters to use, not even the OWASP CRS, but the idea of using a single rule like 'SecRule REQUEST_URI "/w00tw00t"'. So while your emphasis on performance may have been justified in general it does not directly address my suggestion.

  1. Grepping logs for "w00tw00t" afterwards means your rules will always be out of date and incomplete (as opposed to say using a single raw table --hex-string "|2f 77 30 30 74|"?).
  2. You're offering a list (novirusthanks dot org) that seems unvetted, evidenced by the fact that none of the major Linux security websites point to it. The dangers of using such lists, just like using unmaintained, uncontrolled or subjective RBLs, I don't need to point out.
  3. Blocking IP addresses based on a single request makes it easy to deny clients access to the service. What's more is that since you block a /24 one only needs one address inside the subnet.
  4. Blocking IP addresses based on a single request makes it easy to exhaust memory allocated for rules.
  5. Your OP does not present any rule management. Without pointing that out rules, including obsoletes, will just be added which impacts performance.
  6. Since linear filtering is in effect all rules must be traversed until a match is found. So dumping all your rules in the INPUT chain (conntrack?) will impact performance. (How about using the raw table, ipset, nf-hipac?).

Granted, you did ask for "Anyone care to combine all this into one great script?" and finding your precious post is getting commented on may hurt a bit, but you implying to "operate a web server with thousands of concurrent users and millions of PVs a month" makes me wonder if the script you wrote in your OP would have ever made it onto such a high-performance web server and if it did how long it would last before being ripped out because of aforementioned shortcomings. Then again you may safely dismiss all of the above as I am no security expert, just an average GNU/Linux user with a grain of common sense...

Good luck with fixing your script!

I will reply on the technical details of your post when I have more time.

On the other hand, this comment below :

The only thing that "hurts a bit" is to see your reply contain childishly rude and ugly comments, like the one above, depicting a tone which is completely unacceptable in these forums.

The only "precious post" I have in my thousands of posts here is the one called the forum rules, which you have clearly violated by deviating from a technical discussion to a snide and ugly one.

So, this has resulted in an infraction to you.

I suggest you change your tone if you want to debate here because I will not hesitate to give you an infraction again if you continue to interleave snide, sarcastic comments in your technical discussions, with me or anyone.

Gosh, I just wanted to have a little scripting fun... and I know next to nothing about running a high load web server.

The *net is a marvelous thing.
:slight_smile:
/Lakris

I'm having problems with these fucking lamer bots. I have a dedicated server and I was having problems 2 months ago with my Internet bandwidth. I know now that I have this fucking bot:

As you said, I banned lots of IPs in httpd.conf but it didn't work because the IPs change. Then I was looking for info and I found out that it's a scanner.

Now my problem is that I'm a newbie at Linux (using Ubuntu 8.04 at the moment), and I only have a script done by other people, but it doesn't work for me because of some parameters:

The problems are with the -j and -m parameters. If someone can make one script for me that avoids this fucking scanner, I will be so thankful.