Command Center

HowFlow — here i explain my solution to ban a host that scans my system with dfind/w00tw00t. this solution requires a preinstalled fail2ban.

Share it! Posted by Avatar idl0r about 1 year ago
View Profile

Add to: submit 'block w00tw00t scan-hosts with fail2ban' to del.icio.us submit 'block w00tw00t scan-hosts with fail2ban' to digg

NOTE: since fail2ban >=0.8.1 there is allready a the action file ’/etc/fail2ban/action.d/iptables-allports.conf’.
if you use a version >=0.8.1 you can skip point 1 and 2 and continue with 3.

You must create two new files in /etc/fail2ban.

1. create /etc/fail2ban/action.d/iptables-allports.conf

2. insert the text below



# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Modified: Yaroslav O. Halchenko
# made active on all ports from original iptables.conf
#
# $Revision: 658 $
#

[Definition]

# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = iptables -N fail2ban-
iptables -A fail2ban- -j RETURN
iptables -I INPUT -p -j fail2ban-

# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = iptables -D INPUT -p -j fail2ban-
iptables -F fail2ban-
iptables -X fail2ban-

# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck = iptables -n -L INPUT | grep -q fail2ban-

# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: IP address
# number of failures
# unix timestamp of the ban time
# Values: CMD
#
actionban = iptables -I fail2ban- 1 -s -j DROP

# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: IP address
# number of failures
# unix timestamp of the ban time
# Values: CMD
#
actionunban = iptables -D fail2ban- -s -j DROP

[Init]

# Defaut name of the chain
#
name = default

# Option: protocol
# Notes.: internally used by config reader for interpolations.
# Values: [ tcp | udp | icmp | all ] Default: tcp
#
protocol = all


3. create /etc/fail2ban/filter.d/apache-w00tw00t.conf

4. insert the text below (NOTE: maybe you must change the regex if you have a other logformat! you can test your regex with fail2ban-regex )



# - - [29/Apr/2008:22:54:08 +0200] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 326

[Definition]

# Option: failregex
# Notes.: regex to match the w00tw00t scan messages in the logfile. The
# host must be matched by a group named "host". The tag "" can
# be used for standard IP/hostname matching.
# Values: TEXT
failregex = ^ -.*"GET \/w00tw00t\.at\.ISC\.SANS\.DFind\:\).*".*

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT

ignoreregex =


5. edit your /etc/fail2ban/jail.conf and insert the text below to the end of file or wherever you want.



[apache-w00tw00t]
enabled = true
filter = apache-w00tw00t
action = iptables-allports[name=w00tw00t]
mail-whois[name=w00tw00t, dest=]
logpath = /var/log/apache2/access_log
maxretry = 1
bantime = 86400


6. restart your fail2ban and wait for new mail :D

Reference: http://howflow.com/tricks/block_w00tw00t_scan_hosts_with_fail2ban

http://www.majorxtrem.be/2009/04/30/bloquer-les-attaques-de-type-w00tw00tatiscsans-sur-apache2/