Seen “GET /w00tw00t.isc.sans.dfind:)” 400 in your server logs?
This is a vulnerability scan.
Tired of the little wannabe 1337 teens trying to hack your server?
Try this little script I wrote to ban them as soon as they try:
I linked logfunctions in /etc/init.d and ran update-rc.d defaults so that it starts at bootup.
I put ban in /usr/local/bin
file logfunctions
#!/bin/bash
#
#This script is a wrapper for a number of other scripts contained inside it.
#
#Usage: $0 scriptname [parameters]
#Allowed scriptnames [parameters]:
# ban [ip] [text]
# checkiptables
# mailovh
# w00t [stop]
#error $? returned:
# 0 no errors
# 1 no scriptname passed
# 2 invalid scriptname passed
# 10 or higher:
# first value denotes executed script, last number denotes return value
# example: 17: script 1, return value 7
# example: 32: script 3, return value 2
# values higher than 99:
# example: 154: script 15, return value 4
# 10: ban: no errors
# 11: ban: no IP passed
# 12: ban: whitelisted IP passed
# 13: ban: localhost|127.0.0.1 passed
# 14: ban: new IP found to ban
# 17: ban: IP is already banned
# 20: checkiptables: no errors
# 21: checkiptables: unable to delete $OUTFILE
# 22: checkiptables: IPs are still being banned
# 23: checkiptables: no IPs are being banned
# 40: w00t: no errors
# 41: w00t: shutdown running process
#100+: exited out of case without exiting the script - unhandled exit, remove 100 to get the actual code
#systemwide variables:
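BANLENGTH="1 week"
# Epoch second at which a ban issued now expires (GNU "date --date" syntax).
BANEND=$(date +%s --date="$BANLENGTH")
D=$(date)
DS=$(date +%s)
DT=$(date +%T)
OVHALL="/var/log/ovh_all.log"
OVHLOG="/var/log/ovh.log"
# Public copy of the ban list. It sits under the web root and its third column
# is the raw log line sent by the banned client, so it should stay a plain-text file.
WWWBANNEDIPS="/var/www/bannedips.txt"
# Active bans, one "<expiry-epoch> <ip>" line each; rewritten by checkiptables.
CURRENTBANNEDIPS="/etc/banlist"
# Scratch file used by checkiptables; the "+" in the name is literal and kept as-is.
OUTFILE="${CURRENTBANNEDIPS}+.tmp"
MONITOR="/var/log/apache2/access.log" #inside the "" add any files you wish to monitor eg /var/log/syslog
# NOTE(review): w00t hands MONITOR to tail as one quoted argument, so only a single file works as written.
# egrep (ERE) alternatives matched against every monitored line; a hit bans the line's first field.
WATCHARRAY=(
  "//skin/ggambo6200_board/error\.php?"
  "\"GET //[Pp]hp[Mm]y[Aa]dmin//scripts/setup\.php HTTP/1\.1\""
  "\"GET //pma/"
  "\"GET /pma/"
  "\"GET /w00t.* HTTP/1\.1\" 400 [0-9]* \".*\" \".*\""
  "Toata dragostea mea pentru diavola"
)
#######################################
# Join the arguments with "|" into one ERE alternation.
# Arguments: the patterns to join
# Outputs:   the joined pattern on stdout (empty when no arguments)
#######################################
join_watchlist() {
  local IFS='|'
  printf '%s' "$*"
}
WATCHLIST=$(join_watchlist "${WATCHARRAY[@]}")
# Holds the PID of the tail process started by w00t.
WOOTLOCK="/var/lock/w00t.lock"
SERVERIP="example.com (127.0.0.1)" #insert your server name and IP here
FROMMAIL="exploits@example.com (example.com monitor)" # insert your email address here
WHITELIST="127.0.0.1" # insert a list of whitelisted (non-bannable) IPs here, separated by ' '
#program paths, change to suit your individual system
GREP="/bin/egrep" # egrep must be egrep, not grep: WATCHLIST is an ERE alternation
CAT="/bin/cat"
WHOIS="/usr/bin/whois"
ECHO="/bin/echo"
IPTABLES="/sbin/iptables"
WC="/usr/bin/wc"
AWK="/usr/bin/awk"
CUT="/usr/bin/cut"
CP="/bin/cp"
RM="/bin/rm"
MV="/bin/mv"
TAIL="/usr/bin/tail"
PS="/bin/ps"
SENDMAIL="/usr/sbin/sendmail"
KILL="/bin/kill"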
#Main script start
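if (( $# < 1 )); then
  # No scriptname passed: usage goes to stderr, exit code 1 as listed in the header.
  printf '%s scriptname [parameters]\n' "$0" >&2
  exit 1
fi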
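case "$1" in
  'ban')
    # ban <ip> [logline]: append <ip> to the ban list, add an iptables DROP rule
    # and log the triggering line, unless the IP is whitelisted, local, malformed
    # or already banned. Exit codes 10-17 as in the header; 15 is new and means
    # "ban: malformed IP passed".
    RETVAL=10
    if [[ -z "$2" ]]; then
      printf '%s %s IP\n' "$0" "$1" >&2
      printf 'eg: %s %s 11.22.33.44\n' "$0" "$1" >&2
      exit $((RETVAL + 1))
    fi
    IP=$2
    LINE=$3
    # Exact-token whitelist comparison (the former substring regex grep also
    # matched any IP that merely contained a whitelisted one).
    # shellcheck disable=SC2086 -- WHITELIST is a space-separated list by design
    for allowed in $WHITELIST; do
      if [[ "$allowed" == "$IP" ]]; then
        exit $((RETVAL + 2))
      fi
    done
    if [[ "$IP" == "127.0.0.1" || "$IP" == "localhost" ]]; then
      exit $((RETVAL + 3))
    fi
    # The IP normally is the first field of a log line written by a remote
    # client, so only a plain dotted quad is passed on to iptables and the files.
    if [[ ! "$IP" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]; then
      printf '%s:rejecting malformed IP "%s"\n' "$DT" "$IP" >&2
      exit $((RETVAL + 5))
    fi
    # "Already banned" compares the IP column exactly; the list may not exist yet.
    if [[ -f "$CURRENTBANNEDIPS" ]] \
      && $AWK -v ip="$IP" '$2 == ip { found = 1 } END { exit !found }' "$CURRENTBANNEDIPS"; then
      RETVAL=$((RETVAL + 7))
      printf 'D'
    else
      printf '\n%s:IP "%s" not found, banning IP "%s" for %s\n' "$DT" "$IP" "$IP" "$BANLENGTH"
      printf '%s %s\n' "$BANEND" "$IP" >> "$CURRENTBANNEDIPS"
      # A failed iptables call (e.g. not running as root) is reported on stderr;
      # the exit code keeps its documented meaning.
      $IPTABLES -A INPUT -s "$IP" -j DROP \
        || printf '%s:iptables failed to add DROP for %s\n' "$DT" "$IP" >&2
      # Third column is the raw log line; write it verbatim instead of letting
      # the shell glob or re-split it.
      if [[ -n "$LINE" ]]; then
        printf '%s %s %s\n' "$BANEND" "$IP" "$LINE" >> "$WWWBANNEDIPS"
      else
        printf '%s %s\n' "$BANEND" "$IP" >> "$WWWBANNEDIPS"
      fi
      RETVAL=$((RETVAL + 4))
    fi
    exit $RETVAL
    ;;
  'checkiptables')
    # checkiptables: rebuild the ban list without expired entries and reinstall
    # a DROP rule for every IP that is still banned. Exit codes 20-23.
    RETVAL=20
    if [[ -e "$OUTFILE" ]]; then
      $RM -f -- "$OUTFILE"
      if [[ -e "$OUTFILE" ]]; then
        exit $((RETVAL + 1))
      fi
    fi
    if [[ -f "$CURRENTBANNEDIPS" ]]; then
      DH=$((DS - 3600))
      # Ban duration in seconds, derived from BANLENGTH instead of a fixed week,
      # so the "added in the last hour" message stays right if BANLENGTH changes.
      BANSECS=$((BANEND - DS))
      while IFS= read -r line || [[ -n "$line" ]]; do
        read -r DA IP <<<"$line"
        # A line that is not "<epoch> <ip>" cannot be a valid ban; drop it.
        if [[ ! "$DA" =~ ^[0-9]+$ || -z "$IP" ]]; then
          printf 'skipping malformed banlist line: %s\n' "$line" >&2
          continue
        fi
        DAO=$((DA - BANSECS))
        printf 'Checking %s\n' "$IP"
        # Always remove the rule; it is re-added below while the ban is active.
        $IPTABLES -D INPUT -s "$IP" -j DROP
        # Ban start in local time; "@epoch" avoids the timezone offset that
        # "1970-01-01 N sec" picks up.
        date -d "@$DAO"
        if (( DS >= DA )); then
          printf 'IP %s released from iptables drop\n' "$IP"
        else
          if (( DAO > DH )); then
            printf 'New IP %s added in the last hour\n' "$IP"
          else
            printf 'IP %s remains banned from this server\n' "$IP"
          fi
          printf '%s\n' "$line" >> "$OUTFILE"
          $IPTABLES -A INPUT -s "$IP" -j DROP
        fi
      done < "$CURRENTBANNEDIPS"
      if [[ -e "$OUTFILE" ]]; then
        $MV -f -- "$OUTFILE" "$CURRENTBANNEDIPS"
        RETVAL=$((RETVAL + 2))
      else
        $RM -f -- "$CURRENTBANNEDIPS"
        RETVAL=$((RETVAL + 3))
      fi
    fi
    exit $RETVAL
    ;;
  'w00t')
    # w00t [stop]: follow MONITOR and hand the first field of every line that
    # matches WATCHLIST to "ban". WOOTLOCK holds the PID of the tail process so
    # that "w00t stop" (or a restart) can end the previous instance. Exit 40/41.
    RETVAL=40
    if [[ -e "$WOOTLOCK" ]]; then
      printf 'w00t: removing lock %s\n' "$WOOTLOCK" >&2
      oldpid=$($CAT -- "$WOOTLOCK")
      # Only signal a numeric PID whose command line still mentions MONITOR, so a
      # recycled PID cannot take down an unrelated process. TERM is enough for tail.
      if [[ "$oldpid" =~ ^[0-9]+$ ]] \
        && [[ "$($PS -o args= -p "$oldpid" 2>/dev/null)" == *"$MONITOR"* ]]; then
        $KILL "$oldpid" 2>/dev/null
      fi
      $RM -f -- "$WOOTLOCK"
    fi
    if [[ "$2" == "stop" ]]; then
      exit $((RETVAL + 1))
    fi
    # tail runs inside a process substitution on fd 3; with "exec" the
    # substitution's PID ($!) is tail's own, so the lock can be written before
    # the first hit instead of being looked up with ps inside the loop.
    exec 3< <(exec $TAIL -n +1 -f "$MONITOR")
    printf '%s\n' "$!" > "$WOOTLOCK"
    $GREP --line-buffered "$WATCHLIST" <&3 | while IFS= read -r line; do
      # First whitespace-separated field of an access-log line is the client address.
      read -r IP _ <<<"$line"
      "$0" ban "$IP" "$line"
    done
    exec 3<&-
    exit $RETVAL
    ;;
  *)
    # Unknown scriptname: usage on stderr, exit code 2 as listed in the header.
    printf '%s scriptname [parameters]\n' "$0" >&2
    exit 2
    ;;
esac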
# In theory we should never get this far: every case arm above exits on its own.
# Reaching it means an unhandled path; 100 is added so the caller can tell.
exit $((RETVAL + 100))
Feel free to expand the script, but please consider sending me any updates.
The following is unaffiliated with labby.co.uk