Cleaning up your web server logfiles.

If you are, like me, maintaining a public web server, you might have encountered logfile entries similar to that:

0.0.0.0 - - [19/Apr/2009:01:46:16 +0200] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 358 "-" "-"
0.0.0.0 - - [19/Apr/2009:01:52:20 +0200] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 358 "-" "-"
0.0.0.0 - - [19/Apr/2009:01:58:23 +0200] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 358 "-" "-"

This is the result of a braindead scanner. It causes no real harm, but it is very annoying and pollutes your logs with pointless requests.

This is an easy one with iptables:

# Get my IPv4 address (check the result: on some distributions "hostname -i"
# returns 127.0.1.1 or several addresses, in which case set MYIP by hand)
MYIP=$(hostname -i)
# Build the LOGDROP target: log the bad packet before sending it into oblivion
iptables -F LOGDROP 2>/dev/null # Flush, delete, then recreate (a chain must be empty before -X)
iptables -X LOGDROP 2>/dev/null
iptables -N LOGDROP
iptables -A LOGDROP -j LOG --log-prefix "LOGDROP: "
iptables -A LOGDROP -j DROP
# w00tw00t get out !!
# The string match only inspects the first 70 bytes of the packet (--to 70),
# which is enough to cover the request line and keeps the rule cheap.
iptables -I INPUT -d "$MYIP" -p tcp --dport 80 -m string --to 70 --algo bm --string 'GET /w00tw00t.at.ISC.SANS.' -j LOGDROP

Something else you can add to block other random bots:

# anti-scanner
# The Host: header sits after the request line, hence the larger --to 700 window.
# Beware: this also drops legitimate requests that address the server by bare IP
# (someone typing http://$MYIP/ in a browser, or a monitoring check doing the same).
iptables -I INPUT -d "$MYIP" -p tcp --dport 80 -m string --to 700 --algo bm --string "Host: $MYIP" -j LOGDROP

Why ??
Because a regular web browser will always set the ‘Host:’ header of the request to a valid hostname. Zombies tend to generate an IP address at random and put it into the ‘Host:’ header, hoping for the best.

With that setup, any packet matched by these rules is written to the system log before being dropped. If something breaks, you will have a place to start looking.
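As an added example (not from the original post), a small POSIX shell script that triages the access log for the probes described above, so you can measure the noise before the rule goes in and confirm it is gone afterwards. It assumes the Apache/nginx "combined" log format and works on constructed sample lines using RFC 5737 documentation addresses.

```shell
#!/bin/sh
# Triage helper for the scanner noise described above (example added here,
# not part of the original post). Expects "combined" format log lines.

# Constructed sample log (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG='192.0.2.10 - - [19/Apr/2009:01:46:16 +0200] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 358 "-" "-"
192.0.2.10 - - [19/Apr/2009:01:52:20 +0200] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 358 "-" "-"
198.51.100.7 - - [19/Apr/2009:02:03:01 +0200] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 358 "-" "-"
203.0.113.5 - - [19/Apr/2009:02:10:44 +0200] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [19/Apr/2009:02:10:45 +0200] "GET /style.css HTTP/1.1" 200 812 "http://www.example.com/" "Mozilla/5.0"'

# Write the sample to a temporary file and print its path.
make_sample_log() {
    f=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_LOG" > "$f"
    printf '%s\n' "$f"
}

# Whitespace-split fields of the combined format:
#   $1 client IP, $7 request path, $9 status, $NF user agent.
# Count w00tw00t probes per client, most active first.
w00tw00t_by_ip() {
    awk '$7 ~ /^\/w00tw00t\.at\.ISC\.SANS\./ { n[$1]++ }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# Total number of w00tw00t probes in the file.
w00tw00t_total() {
    awk '$7 ~ /^\/w00tw00t\.at\.ISC\.SANS\./ { n++ } END { print n + 0 }' "$1"
}

# Requests answered 400 with no User-Agent at all: the other fingerprint
# the sample shows. Paths containing spaces would shift $9; such lines are rare.
anon_400_by_ip() {
    awk '$9 == 400 && $NF == "\"-\"" { n[$1]++ }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

main() {
    log=$(make_sample_log)
    echo "w00tw00t probes: $(w00tw00t_total "$log")"
    w00tw00t_by_ip "$log"
    rm -f "$log"
}

main "$@"
```

Point the functions at your real access log instead of the sample file; the second iptables rule (Host: header) cannot be audited this way unless your LogFormat also records %{Host}i.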

Thank you: http://spamcleaner.org/fr/misc/w00tw00t.html
