Tuesday, August 06, 2013

HTTP logs – w00tw00t.at.ISC.SANS.print or DFind


If you run a web server and find lines like this in its error log:

client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)


do not ignore them. Somebody is probing your server and looking for a way in.

There is a lot of discussion about this log message, and it is often claimed that it can safely be ignored. Do not ignore it!

A friend's server was hacked with the help of this scanner. The server ran a recent SUSE with all updates installed. They managed to exploit a security hole in apache2 and executed some malware on his server.

I also checked my server and found similar log entries. Looking around, I found a nice little tool called fail2ban: it watches the log files and, if it finds something nasty, blocks all IP traffic from the attacker for some time.

Some additional configuration files were needed to get it up and running for this purpose; fail2ban-w00t00.tar contains these files.

It is currently working well: most scanners get exactly one shot, after which their IP is blocked. Example from the fail2ban log:

2010-07-01 23:35:12,774 fail2ban.actions: WARNING [apache-w00t] Ban 217.172.179.27
2010-07-01 23:35:12,774 fail2ban.actions.action: DEBUG iptables -n -L INPUT | grep -q fail2ban-apache-w00t
2010-07-01 23:35:12,784 fail2ban.actions.action: DEBUG iptables -n -L INPUT | grep -q fail2ban-apache-w00t returned successfully
2010-07-01 23:35:12,784 fail2ban.actions.action: DEBUG iptables -I fail2ban-apache-w00t 1 -s 217.172.179.27 -j DROP
2010-07-01 23:35:12,790 fail2ban.actions.action: DEBUG iptables -I fail2ban-apache-w00t 1 -s 217.172.179.27 -j DROP returned successfully
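
To show what such a filter and jail actually do, here is an added example; it is not the configuration shipped in fail2ban-w00t00.tar, but a small Python model of fail2ban's matching and banning logic, run over a few constructed Apache 2.2 error_log lines. The failregex, the IPv4-only host pattern, the jail thresholds (maxretry = 1, findtime = 600 s, bantime = 3600 s) and the sample log lines are all assumptions made for the illustration.

```python
#!/usr/bin/env python3
"""Model of a fail2ban filter + jail for DFind / w00tw00t probes.

Added example, not the fail2ban-w00t00 configuration from the post.
The failregex, the IPv4-only <HOST> pattern, the jail thresholds and the
sample log lines are all assumptions made for this illustration.
"""
import re
from datetime import datetime, timedelta

# fail2ban-style failregex (assumed). Real fail2ban substitutes its own
# host pattern for <HOST>; this script does the same substitution below.
# Matching on the "/w00tw00t.at." prefix catches both the DFind and the
# print variants without banning every request that merely lacks a Host header.
FAILREGEX = (
    r"^\[client <HOST>\] client sent HTTP/1\.1 request without hostname "
    r"\(see RFC2616 section 14\.23\): /w00tw00t\.at\."
)
HOST_PATTERN = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"  # IPv4 only, for brevity
FAIL_RE = re.compile(FAILREGEX.replace("<HOST>", HOST_PATTERN))

# Apache 2.2 error_log prefix "[Tue Aug 06 10:11:12 2013] [error] ", then the message.
LINE_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} \d{4})\] "
    r"\[error\] (?P<msg>.*)$"
)

# Constructed sample log (not from the post): two probes, one ordinary 404,
# and one hostless request that is not a w00tw00t probe and must not be banned.
SAMPLE_LOG = """\
[Tue Aug 06 10:11:12 2013] [error] [client 217.172.179.27] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Tue Aug 06 10:11:13 2013] [error] [client 198.51.100.7] File does not exist: /srv/www/htdocs/favicon.ico
[Tue Aug 06 10:11:40 2013] [error] [client 203.0.113.9] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.print
[Tue Aug 06 10:12:01 2013] [error] [client 192.0.2.5] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
"""


class Jail:
    """Minimal re-implementation of fail2ban's counting and banning logic."""

    def __init__(self, name="apache-w00t", maxretry=1, findtime=600, bantime=3600):
        self.name = name
        self.maxretry = maxretry              # 1: a single probe is enough (assumed)
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.failures = {}                    # host -> timestamps inside findtime
        self.banned = {}                      # host -> ban expiry
        self.actions = []                     # iptables commands assembled, not run

    def feed(self, line):
        """Process one log line; return the matched host, or None if no match."""
        m = LINE_RE.match(line)
        if not m:
            return None
        f = FAIL_RE.match(m.group("msg"))
        if not f:
            return None
        now = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
        host = f.group("host")
        # Like fail2ban, only count failures that fall inside the findtime window.
        recent = [t for t in self.failures.get(host, []) if now - t <= self.findtime]
        recent.append(now)
        self.failures[host] = recent
        if len(recent) >= self.maxretry and not self.is_banned(host, now):
            self.ban(host, now)
        return host

    def ban(self, host, now):
        self.banned[host] = now + self.bantime
        # Same shape as the action in the post's fail2ban log; here only recorded.
        self.actions.append(f"iptables -I fail2ban-{self.name} 1 -s {host} -j DROP")

    def is_banned(self, host, now):
        expiry = self.banned.get(host)
        return expiry is not None and now < expiry


def run_sample():
    """Feed the constructed log through the jail and return it for inspection."""
    jail = Jail()
    for line in SAMPLE_LOG.splitlines():
        jail.feed(line)
    return jail


if __name__ == "__main__":
    for cmd in run_sample().actions:
        print(cmd)
```

In a real installation the failregex goes into a filter file under /etc/fail2ban/filter.d/ (for example apache-w00t.conf, a name assumed here to match the jail name in the log above) and the jail is declared in jail.local with `filter`, a `logpath` pointing at the Apache error log, and the `maxretry`, `findtime` and `bantime` values. The filter deliberately ignores hostless requests that are not w00tw00t probes: an overly broad pattern combined with maxretry = 1 would also ban innocent clients behind a misconfigured proxy or an old HTTP/1.0 client.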


IMPORTANT NOTE: enabling fail2ban only reduces the chance of a successful attack. If outdated or vulnerable software is running on your machine, you will get hacked anyway!

Some hints:

Never use password authentication where you can avoid it; use SSH keys for SSH access.
Disable every service you do not need, especially FTP.
Always, always update all software to the newest available version, especially when there are security updates.

Installing fail2ban only decreases the chance of getting hacked; it is no substitute for the points above.

Conclusion: you are hacked; lucky you if you know about it.

To download fail2ban:

fail2ban

The configuration files:
fail2ban-w00t00.tar.gz

To config:
Fail2ban configuration

Article source: http://outer-rim.gnu4u.org/?p=148
