Wednesday, August 19, 2009

w00tw00t.at.ISC.SANS.DFind - How to block bad IPs in Linux

SkyHi @ Wednesday, August 19, 2009

If you run an Apache web server, you have almost certainly seen lines like the following in your error.log (and the matching requests in access.log):
[Sun Apr 05 08:07:31 2009] [error] [client 85.14.221.235] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sun Apr 05 08:08:05 2009] [error] [client 87.106.47.235] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sun Apr 05 08:13:26 2009] [error] [client 85.14.221.235] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sun Apr 05 08:19:21 2009] [error] [client 85.14.221.235] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sun Apr 05 08:25:16 2009] [error] [client 85.14.221.235] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sun Apr 05 08:27:47 2009] [error] [client 87.106.47.235] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sun Apr 05 08:31:12 2009] [error] [client 85.14.221.235] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sun Apr 05 08:37:07 2009] [error] [client 217.65.100.89] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)

The scanner string is /w00tw00t.at.ISC.SANS.DFind:) but I found other variations in the log files:
/w00tw00t.at.ISC.SANS.DFind:)
/w00tw00t.at.ISC.SANS.DFind
/w00tw00t.at.ISC.SANS

The request itself does nothing to the server: it is a probe sent straight to your IP address without a Host header, which is why Apache logs the "request without hostname (see RFC2616 section 14.23)" error instead of a 404. The value of the entry is the client address in it, which tells you who is scanning you.

These strings are generated by a web vulnerability scanner named DFind:

[Image: DFind screenshot]

DFind is a tool that scans a server (or a whole range of IPs) looking for possible vulnerabilities. We have added a service named DFind Logs that keeps track of every IP address that tries to scan our server. You can download the full list of IPs (one address per line, ready for use on Linux) from this link:
Complete IP List: http://www.novirusthanks.org/dfind-logs/ip-list

Some tips on how to block an IP with IPTABLES in Linux:

+ How can I block an IP Address with IPTABLES ?

Use the following commands (as root) to block an IP address. The INPUT rule drops anything the address sends you; the OUTPUT rule uses -d, not -s, because on the OUTPUT chain the source is always your own address. -I inserts the rule at the top of the chain so it wins over any later ACCEPT:
iptables -I INPUT -s IP_ADDRESS_GOES_HERE -j DROP
iptables -I OUTPUT -d IP_ADDRESS_GOES_HERE -j DROP

Note that rules added this way live only in kernel memory and are gone after a reboot; run iptables-save (or your distribution's equivalent) if they should persist.

+ How can I unblock an IP Address from IPTABLES ?

Use the following commands to unblock a specific IP address (the -D rule must match the inserted rule exactly):
iptables -D INPUT -s IP_ADDRESS_GOES_HERE -j DROP
iptables -D OUTPUT -d IP_ADDRESS_GOES_HERE -j DROP

+ How can I block a list of IP Address with IPTABLES ?

Create a file named blacklisted.list and write all the bad IPs in it, one IP per line. Create a second file named
ipblocker.sh with the following content:
#!/bin/bash
# Read blacklisted.list (one IP per line) and drop all traffic to/from each address.
# $(< file) is a bash feature, hence the bash shebang. Must be run as root.
for ip in $(< blacklisted.list); do
    iptables -I INPUT -s "$ip" -j DROP
    iptables -I OUTPUT -d "$ip" -j DROP
done

Give the file execute permission (chmod +x ipblocker.sh) and put it in the same directory as blacklisted.list. To block all the IPs present in blacklisted.list, simply start the script (as root) with this command:
./ipblocker.sh
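The following script is an added example and is not part of the original post or of the DFind Logs service. It ties the two halves of this page together: it runs the signature match over Apache error.log lines (a constructed sample is embedded), extracts the unique offending client addresses, rejects anything that is not a well-formed public IPv4 address before it can reach iptables, and prints block rules in a form that is safe to re-run. The function names and the sample log are my own; the iptables -C rule check assumes an iptables release new enough to support it.

```bash
#!/usr/bin/env bash
# Added example: from DFind log entries to a validated block list and iptables rules.
# The log lines below are constructed for the demo (one private and one malformed
# client address are included on purpose to exercise the filters).
SAMPLE_LOG='[Sun Apr 05 08:07:31 2009] [error] [client 85.14.221.235] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sun Apr 05 08:08:05 2009] [error] [client 87.106.47.235] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS
[Sun Apr 05 08:09:00 2009] [error] [client 10.0.0.7] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sun Apr 05 08:10:00 2009] [error] [client 192.0.2.44] File does not exist: /var/www/favicon.ico
[Sun Apr 05 08:13:26 2009] [error] [client 85.14.221.235] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sun Apr 05 08:14:00 2009] [error] [client 999.1.1.1] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind'

# Every variation of the signature seen on this page starts with this prefix.
SIG='/w00tw00t.at.ISC.SANS'

# is_ipv4 ADDR: true only for four dotted decimal octets, each 0..255.
# Never pass an unvalidated log field to iptables.
is_ipv4() {
    local ip=$1 IFS=. o
    case $ip in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    set -- $ip                       # split on '.' via the local IFS
    [ $# -eq 4 ] || return 1
    for o; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# is_private ADDR: RFC 1918, loopback and link-local ranges. A DROP rule for one of
# these (e.g. a scanner behind your own NAT) is a good way to lock yourself out.
is_private() {
    case $1 in
        10.*|127.*|169.254.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# extract_scanner_ips: Apache error.log lines on stdin -> unique client IPs that
# requested the DFind signature, minus malformed and private addresses.
# The sed stops at ']' or ':' so it also handles the "[client a.b.c.d:port]" form.
extract_scanner_ips() {
    grep -F -- "$SIG" \
    | sed -n 's/.*\[client \([0-9.]*\)[]:].*/\1/p' \
    | sort -u \
    | while read -r ip; do
        if ! is_ipv4 "$ip"; then echo "skip malformed: $ip" >&2; continue; fi
        if is_private "$ip"; then echo "skip private: $ip" >&2; continue; fi
        echo "$ip"
    done
}

# block_rules: one IP per line on stdin -> iptables commands on stdout.
# "-C" checks whether the rule already exists, so re-running never duplicates it.
# OUTPUT matches on -d because on that chain the source is our own address.
block_rules() {
    while read -r ip; do
        echo "iptables -C INPUT -s $ip -j DROP 2>/dev/null || iptables -I INPUT -s $ip -j DROP"
        echo "iptables -C OUTPUT -d $ip -j DROP 2>/dev/null || iptables -I OUTPUT -d $ip -j DROP"
    done
}

# Demo run: the block list, then the rules. Pipe the rules into "sh" as root to apply
# them; with a real log use: extract_scanner_ips < /var/log/apache2/error.log
echo "--- block list ---"
printf '%s\n' "$SAMPLE_LOG" | extract_scanner_ips
echo "--- iptables commands ---"
printf '%s\n' "$SAMPLE_LOG" | extract_scanner_ips 2>/dev/null | block_rules
```

The only addresses that come out are 85.14.221.235 and 87.106.47.235: the duplicate entry collapses under sort -u, the favicon line has no signature, 10.0.0.7 is dropped as private and 999.1.1.1 as malformed. Feeding the validated list into the blacklisted.list file above keeps that script's unquoted $(< file) loop from ever seeing anything but a plain dotted quad.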

+ How can I block an IP Address with hosts.deny ?

Find and edit this file:
/etc/hosts.deny

Add this line:
ALL:IP_ADDRESS_GOES_HERE

Keep in mind that hosts.deny is consulted only by services that use TCP Wrappers (sshd, and daemons started through inetd/xinetd, for example). Apache does not read it, so this option does not stop the scanner from reaching the web server itself; it only keeps the same addresses away from your other services. Use the iptables rules above for the web server.

+ How can I download and block the IPs present in your list ?

Follow these steps:

Download and rename the IP list (the rename only happens if the download succeeded):
wget http://www.novirusthanks.org/dfind-logs/ip-list && mv ip-list w00tw00t_list

+ Option 1: Block IPs with IPTABLES

Create a file named w00tw00t_block.sh and add the following code:
#!/bin/bash
# Drop all traffic to/from every address in w00tw00t_list (one IP per line).
# Run as root; -d on OUTPUT because the source there is always our own address.
for ip in $(< w00tw00t_list); do
    iptables -I INPUT -s "$ip" -j DROP
    iptables -I OUTPUT -d "$ip" -j DROP
done

Give the file execute permission (chmod +x w00tw00t_block.sh) and run it as root with this command:
./w00tw00t_block.sh

Now type this command to check that the bad IPs are listed in the iptables rules (-n skips the reverse DNS lookup for every address, which would otherwise make a long list crawl):
iptables -L -n

+ Option 2: Block IPs with hosts.deny

Create a file named w00tw00t_deny.sh and add the following code:
#!/bin/bash
# Append "ALL:<ip>" to hosts.deny for every address in w00tw00t_list.
# grep -x -F matches the whole line literally, so 1.2.3.4 is not treated as already
# present just because 1.2.3.45 (or 1x2x3x4) is, and an existing line is never duplicated.
for ip in $(< w00tw00t_list); do
    if ! grep -qxF "ALL:$ip" /etc/hosts.deny; then
        echo "ALL:$ip" >> /etc/hosts.deny
    fi
done

The above script adds every IP address present in the blacklist to hosts.deny (duplicates are not added). To start it, download the ip-list with wget as shown above, run chmod +x w00tw00t_deny.sh, and start the script as root (hosts.deny is writable only by root):
./w00tw00t_deny.sh

Reference: http://novirusthanks.org/blog/2009/05/w00tw00tatiscsansdfind-how-to-block-bad-ips-in-linux/