Blocking w00tw00t scans
Some websites are still being hit with the infamous “w00tw00t” scans. You might see these scans in your logs as:
... "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 ...
Using Iptables
The quickest way to make sure a scan never reaches your web server (and so never costs it CPU time, log disk space and the like) is to drop it in iptables. A single rule does it:
iptables -I INPUT -d xxx.xxx.xxx.xxx -p tcp --dport 80 -m string --to 70 --algo bm --string 'GET /w00tw00t.at.ISC.SANS.' -j DROP
"-I" puts the rule at the top of the INPUT chain, ahead of whatever rule accepts port 80, which is where it has to be. Two caveats: the string match only sees plain-text traffic, so this does nothing for HTTPS on port 443, and "--to 70" stops scanning at byte 70 of the packet, counted from the start of the IP header. The IP and TCP headers already take 40 bytes without options and more with them, so if the rule never fires, raise "--to" (to 128, say) or leave it out to scan the whole packet.
Replace xxx.xxx.xxx.xxx with the IP of your web server. If you host web servers on several IPs, replace the “-d xxx.xxx.xxx.xxx” portion with:
-m iprange --dst-range start.xxx.xxx.xxx-end.xxx.xxx.xxx
where start.xxx.xxx.xxx and end.xxx.xxx.xxx are the first and last IPs of your web servers respectively.
If you want something fancier, for example blacklisting an offending IP for a certain period, have a look at SpamCle@ner’s website.
They go deeper into the subject and provide two scripts near the end of their article. Save one of them as, for example, /opt/blockw00t.sh and make it executable with:
chmod +x /opt/blockw00t.sh
You can run it manually by typing “/opt/blockw00t.sh” in the shell. To load it automatically at boot, add it to your /etc/rc.local file, or on Debian/Ubuntu systems add a post-up line to the interface stanza in /etc/network/interfaces, like so:
auto eth0
iface eth0 inet static
... [existing configuration that remains unaltered] ...
# Load anti-w00t script:
post-up /opt/blockw00t.sh
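As an added example (my own, not one of the SpamCle@ner scripts the article points to), here is an idempotent version of the one-liner above that can be saved as /opt/blockw00t.sh and run from rc.local or a post-up hook. Re-running it must not stack duplicate rules, so every rule is checked with "iptables -C" (available since iptables 1.4.11) before it is inserted. The server addresses (from the 192.0.2.0/24 documentation range), the port list and the 128-byte scan window are assumptions; adjust them to your host.

```shell
#!/bin/sh
# Added example, not one of the SpamCle@ner scripts the article refers to:
# an idempotent version of the iptables one-liner, suitable for saving as
# /opt/blockw00t.sh and running from rc.local or a post-up hook. Every rule
# is checked with -C (iptables 1.4.11 or newer) before it is inserted, so
# running the script twice leaves a single copy of each rule.

# Web server addresses to protect (assumed values). A "first-last" entry
# becomes an iprange match.
: "${W00T_SERVERS:=192.0.2.10 192.0.2.20-192.0.2.29}"
# Only plain HTTP: the string match cannot see inside a TLS stream on 443.
: "${W00T_PORTS:=80}"
# How many bytes of each packet, counted from the IP header, the string match
# scans. TCP options can push the request line past byte 70 (the value in the
# one-liner), so this script scans a little further. Assumed value.
: "${W00T_SCAN_TO:=128}"
: "${IPTABLES:=iptables}"

W00T_STRING='GET /w00tw00t.at.ISC.SANS.'

# Print the destination part of a rule for one server entry.
w00t_dst_args() {
    case "$1" in
        *-*) printf '%s' "-m iprange --dst-range $1" ;;
        *)   printf '%s' "-d $1" ;;
    esac
}

# Insert the DROP rule for every server entry on one port, skipping entries
# whose rule is already in the INPUT chain. Prints one line per entry.
w00t_apply() {
    port=$1
    for entry in $W00T_SERVERS; do
        # Unquoted substitution on purpose: the entry contains no spaces, so
        # word splitting yields the individual iptables arguments.
        set -- INPUT $(w00t_dst_args "$entry") -p tcp --dport "$port" \
            -m string --to "$W00T_SCAN_TO" --algo bm \
            --string "$W00T_STRING" -j DROP
        if "$IPTABLES" -C "$@" 2>/dev/null; then
            echo "present:  $entry port $port"
        else
            "$IPTABLES" -I "$@" && echo "inserted: $entry port $port"
        fi
    done
}

w00t_main() {
    [ "$(id -u)" -eq 0 ] || { echo "$0: must run as root" >&2; exit 1; }
    for port in $W00T_PORTS; do
        w00t_apply "$port"
    done
}

# Apply the rules only when executed as blockw00t.sh; sourcing the file
# (for example to test the functions) just defines them.
case "${0##*/}" in
    blockw00t.sh) w00t_main ;;
esac
```

Because the check happens per rule, you can change W00T_SERVERS later and rerun the script: existing rules are reported as present and only the new ones are inserted. Rules for addresses you removed from the list are not deleted; flush them by hand.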
Using Fail2Ban
If you are using Fail2Ban, as described in the Shorewall firewall configuration, you can create a new filter definition that scans the web server log files for w00tw00t entries.
The following definition assumes your webserver log entries look like the following (Nginx and Apache 2):
203.127.11.214 - - [15/Jul/2010:15:50:04 +0200] "GET /w00tw00t.at.ISC.SANS.test0:) HTTP/1.1" 400 173 "-" "-"
Create a file /etc/fail2ban/filter.d/webserver-w00tw00t.conf:
[Definition]
failregex = ^<HOST> .*"GET /w00tw00t\.at\.ISC\.SANS\..+:\).*?"
ignoreregex =
The dots and the closing parenthesis in the request path must be escaped as shown: an unescaped ")" is a syntax error in fail2ban's (Python) regex engine and the filter will not load.
This catches the known variants of the scanner, including “DFind”, “test0”, “MSlog” and “ntsvc”, and, thanks to the “.+” after “SANS\.”, any new suffix as well.
Note: The <HOST> portion is specific to fail2ban and is shorthand for the regex (?:::f{4,6}:)?(?P<host>\S+), which matches either an IPv4 or an IPv6 address (the optional prefix skips the ::ffff: of IPv4-mapped IPv6 addresses, so the ban lands on the plain IPv4). See the fail2ban manual for more details.
TIP If you wish to change the regular expression, I recommend RegExr to play with various options/search criteria. It’s a time saver and free :)
To test your definition’s regular expression against a real log, use:
fail2ban-regex logfile /etc/fail2ban/filter.d/webserver-w00tw00t.conf
where logfile is the actual log file name, such as /var/log/apache2/access.log.
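The same check done offline, as an added example that is not part of the original article and does not use fail2ban itself: fail2ban's <HOST> placeholder is expanded by hand and the failregex is applied with grep -E to a handful of constructed Apache/Nginx access-log lines, so you can see what the filter will and will not ban before loading it. The addresses and log lines are made up, and the script name w00t-check.sh is an assumption.

```shell
#!/bin/sh
# Added example (not from the original article, and not fail2ban's own code):
# the webserver-w00tw00t failregex applied with grep -E to constructed
# access-log lines, to check what the filter catches before reloading fail2ban.

# fail2ban's <HOST> expanded by hand, as the article quotes it: an optional
# ::ffff: prefix (IPv4-mapped IPv6 addresses), then the address itself.
# Written as an ERE so that grep -E and sed -E understand it.
W00T_HOST='^(::f{4,6}:)?[^ ]+'

# The failregex from the filter. The Python regex uses .*? where ERE has only
# .*; for a match/no-match test that makes no difference.
W00T_RE="$W00T_HOST"' .*"GET /w00tw00t\.at\.ISC\.SANS\..+:\).*"'

# Read log lines on stdin and print the client address of every line the
# filter matches, one per line, with any ::ffff: prefix removed so the ban
# lands on the plain IPv4 address (what fail2ban's <HOST> group yields).
w00t_hosts() {
    grep -E "$W00T_RE" | cut -d ' ' -f1 | sed -E 's/^::f{4,6}://'
}

# Same, aggregated: "count address" per offender, most active first.
w00t_offenders() {
    w00t_hosts | sort | uniq -c | sort -rn | sed -E 's/^ +//'
}

# Constructed sample log (not real traffic): the four scanner variants the
# article lists, one IPv4-mapped entry, and one ordinary request that must
# not match.
W00T_SAMPLE_LOG='203.127.11.214 - - [15/Jul/2010:15:50:04 +0200] "GET /w00tw00t.at.ISC.SANS.test0:) HTTP/1.1" 400 173 "-" "-"
198.51.100.7 - - [15/Jul/2010:16:01:12 +0200] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 173 "-" "-"
198.51.100.7 - - [15/Jul/2010:16:01:13 +0200] "GET /w00tw00t.at.ISC.SANS.MSlog:) HTTP/1.1" 400 173 "-" "-"
::ffff:192.0.2.33 - - [15/Jul/2010:16:05:40 +0200] "GET /w00tw00t.at.ISC.SANS.ntsvc:) HTTP/1.1" 400 173 "-" "-"
192.0.2.50 - - [15/Jul/2010:16:07:02 +0200] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"'

# Usage when saved as w00t-check.sh: ./w00t-check.sh [access.log ...]
# With no file argument the constructed sample is used. Sourcing the file
# only defines the functions.
if [ "${0##*/}" = "w00t-check.sh" ]; then
    if [ $# -gt 0 ]; then
        cat -- "$@" | w00t_offenders
    else
        printf '%s\n' "$W00T_SAMPLE_LOG" | w00t_offenders
    fi
fi
```

Run against your real access log, the offender list tells you how many scans each source sent, which is useful for deciding whether maxretry = 1 in the jail is too aggressive for your traffic. If a line you expect to be caught is missing, it is either the request path that differs from the "w00tw00t.at.ISC.SANS." prefix or the log format that does not start with the client address, and the failregex needs to change accordingly.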
Add this jail to the fail2ban jail configuration (/etc/fail2ban/jail.conf, or better /etc/fail2ban/jail.local, which package upgrades leave untouched):
… [existing configuration] …
[webserver-w00tw00t]
enabled = true
port = http,https
filter = webserver-w00tw00t
# !!! Keep in mind to specify the correct web server log here:
logpath = /var/log/apache2/access.log
maxretry = 1
# Time in seconds, in this case, one day:
bantime = 86400
Now reload the service (i.e., “/etc/init.d/fail2ban reload” or “service fail2ban reload”) and check that the jail is active with “fail2ban-client status webserver-w00tw00t”.