
Block the vulnerability scanner DFind

by Pierre-Yves Landuré last modified Jun 30, 2014 09:46

The vulnerability scanner DFind is the source of the "w00tw00t.at.ISC.SANS.DFind" lines showing up in Apache 2 logs. This howto installs a set of iptables rules that block those requests.

This howto is tested on:

  • Debian 6.0 Squeeze

Installation

Block DFind (W00tW00t) requests

Add the iptables rules to the system startup:

command wget 'http://howto.biapy.com/fr/debian-gnu-linux/systeme/securite/bloquer-le-scanner-de-vulnerabilites-dfind/00-iptables-no-woot/at_download/file' \
    --output-document='/etc/network/if-up.d/00-iptables-no-woot'
command chmod +x '/etc/network/if-up.d/00-iptables-no-woot'

Load the rules:

command bash '/etc/network/if-up.d/00-iptables-no-woot'

Ideally, reset the iptables configuration completely so that the rules are loaded from a clean state. A reboot does this.

Block the HTTP requests with IP address as host name

Blocking requests for "http://xx.xx.xx.xx/", where xx.xx.xx.xx is the server's IP address (that is, requests whose Host header is the bare IP address), blocks most vulnerability scanners.

Provide the name of the protected network device:

NET_DEV="eth0"

Fetch the public IP address of the HTTP server (or set it manually, according to the network device):

PUBLIC_IP=$(command wget --quiet http://www.monip.org/ -O- \
    | command grep "IP :" \
    | command cut --characters=-80 \
    | command sed -e 's/^.* \(\([0-9]\{1,3\}\.\)\{3\}[0-9]\{1,3\}\).*$/\1/')

Convert the "Host: xx.xx.xx.xx" header line to hexadecimal:

HEX_IP="$(command echo -n "Host: ${PUBLIC_IP}" \
    | command od -An -tx1 -w250)"

Fetch the IP address of the network device:

NET_IP="$(command ifconfig "${NET_DEV}" \
    | command grep 'inet ' \
    | command sed -e 's/^.*inet [^:]*:\([^ ]*\) .*$/\1/')"

Create the iptables rule that blocks HTTP requests whose Host header is this IP address (the generated script first checks that the rule is not already present):

PROPER_IP=$(command echo "${PUBLIC_IP}" | command tr '.' '-')
NOSPACE_HEX_IP=$(command echo ${HEX_IP} | command sed -e 's/ //g')
command echo "#"\!"/bin/bash
if [ -z \"\$(command iptables -L INPUT | command grep '${NOSPACE_HEX_IP}')\" ]; then
command iptables -I INPUT -d ${NET_IP} -p tcp --dport 80 -m string --to 700 \\
--algo bm --hex-string '|0d 0a${HEX_IP} 0d 0a|' -j DROP
fi" > "/etc/network/if-up.d/01-iptables-block-${PROPER_IP}"
command chmod +x "/etc/network/if-up.d/01-iptables-block-${PROPER_IP}"

Load the rule:

command bash "/etc/network/if-up.d/01-iptables-block-${PROPER_IP}"
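The whole procedure above, both the DFind signature rule and the "Host: xx.xx.xx.xx" rule, as one added example script. This is not the howto's own code (the contents of the downloaded 00-iptables-no-woot script are not shown on the page): it hex-encodes the Host header line the way the page does with od, builds both string-match DROP rules, and only prints them unless APPLY=1 is set. The addresses 192.0.2.10 and 198.51.100.7 are constructed sample values; the presence check assumes `iptables -C`, which exists in iptables 1.4.11 and later (on Squeeze's older iptables the page's `iptables -L | grep` check is the fallback).

```shell
#!/bin/sh
# Added example, not the howto's own script. Builds the two string-match
# DROP rules described on the page and prints them; set APPLY=1 to apply.

# Hex-encode "Host: <ip>" as the page does with od -An -tx1, but without
# od's leading blank, e.g. "48 6f 73 74 3a 20 ..." for "Host: ...".
hex_host() {
    printf 'Host: %s' "$1" | od -An -tx1 -v \
        | tr '\n' ' ' | tr -s ' ' | sed -e 's/^ //' -e 's/ $//'
}

# Print the rule dropping an HTTP request whose Host header line is exactly
# "\r\nHost: <public ip>\r\n", searched in the first 700 bytes as on the page.
# $1 = address on the protected interface, $2 = public address clients send
# in the Host header (the two differ behind NAT, hence both variables).
host_ip_rule() {
    hex="$(hex_host "$2")"
    printf "iptables -I INPUT -d %s -p tcp --dport 80 -m string --to 700 --algo bm --hex-string '|0d 0a %s 0d 0a|' -j DROP\n" "$1" "$hex"
}

# Print the rule dropping requests carrying the DFind signature seen in the
# Apache logs; --string takes plain ASCII, so no hex encoding is needed.
dfind_rule() {
    printf "iptables -I INPUT -p tcp --dport 80 -m string --to 700 --algo bm --string 'w00tw00t.at.ISC.SANS.DFind' -j DROP\n"
}

# Apply a rule only if an identical one is not already in the chain, so the
# script can be re-run from if-up.d without stacking duplicates
# (assumes iptables -C is available).
apply_rule() {
    check="$(printf '%s' "$1" | sed 's/^iptables -I /iptables -C /')"
    if ! sh -c "$check" >/dev/null 2>&1; then
        sh -c "$1"
    fi
}

# Constructed sample addresses; override with NET_IP=... PUBLIC_IP=... .
NET_IP="${NET_IP:-192.0.2.10}"
PUBLIC_IP="${PUBLIC_IP:-198.51.100.7}"
for rule in "$(dfind_rule)" "$(host_ip_rule "$NET_IP" "$PUBLIC_IP")"; do
    if [ "${APPLY:-0}" = 1 ]; then
        apply_rule "$rule"
    else
        echo "$rule"
    fi
done
```

Two things to keep in mind when deploying rules like these: the Host rule also drops legitimate traffic that addresses the server by IP (monitoring probes, for instance), and the string match only sees plaintext on port 80, so it does nothing for HTTPS and misses a Host header that sits beyond the first 700 bytes of the packet.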

Thanks