Fail2ban filter and ban DFind scans (w00tw00t.at.ISC.SANS.DFind)

Posted: 14/02/2012 in Fail2ban

Some websites are still being hit with the infamous “w00tw00t” scans. You might see these scans in your logs as:

... "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 ...

I use fail2ban to get rid of these.

pico /etc/fail2ban/filter.d/apache-w00tw00t.conf

# Get rid of w00tw00t scans
[Definition]
# Option: failregex
# Notes.: regex to match the w00tw00t scan messages in the logfile.
# Values: TEXT
failregex = ^.*\[client <HOST>\].*w00tw00t\.at\.ISC\.SANS\.DFind.*
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
ignoreregex =

pico /etc/fail2ban/jail.local

[apache-w00tw00t]
enabled = true
filter = apache-w00tw00t
action = iptables-allports
logpath = /var/log/apache*/*error.log
maxretry = 1

Then restart fail2ban

/etc/init.d/fail2ban restart
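Before enabling a jail like this it is worth checking what the failregex actually matches, and that every match yields a client address to ban. The script below is an added example, not part of the original post or of fail2ban itself: it mimics how fail2ban turns the `<HOST>` tag into a named capture group (the `HOST_GROUP` pattern is a simplified stand-in for fail2ban's internal substitution, an assumption), runs the post's failregex over a few constructed Apache 2.2 style error-log lines, and applies the jail's `maxretry` threshold. It also refuses a failregex without `<HOST>`, which is what fail2ban does when the tag is missing.

```python
import re
from typing import Dict, List

# fail2ban replaces the <HOST> tag in a failregex with a named group that
# captures the client address. This is a simplified stand-in for that
# substitution (assumption; IPv4 addresses and hostnames only).
HOST_GROUP = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The failregex from the post, with <HOST> where fail2ban expects it.
FAILREGEX = r"^.*\[client <HOST>\].*w00tw00t\.at\.ISC\.SANS\.DFind.*"

# Constructed sample Apache error-log lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
[Tue Feb 14 10:01:22 2012] [error] [client 203.0.113.45] File does not exist: /var/www/w00tw00t.at.ISC.SANS.DFind:)
[Tue Feb 14 10:01:25 2012] [error] [client 198.51.100.7] File does not exist: /var/www/favicon.ico
[Tue Feb 14 10:02:01 2012] [error] [client 203.0.113.45] File does not exist: /var/www/w00tw00t.at.ISC.SANS.DFind:)
[Tue Feb 14 10:03:10 2012] [error] [client 192.0.2.9] File does not exist: /var/www/w00tw00t.at.ISC.SANS.DFind:)
"""


def compile_failregex(failregex: str) -> "re.Pattern[str]":
    """Turn a fail2ban-style failregex into a Python regex with a 'host' group."""
    if "<HOST>" not in failregex:
        # fail2ban will not load a failregex that has no <HOST> tag, because it
        # would have nothing to ban; mirror that behaviour here.
        raise ValueError("failregex must contain <HOST>")
    return re.compile(failregex.replace("<HOST>", HOST_GROUP))


def matching_hosts(log_text: str, failregex: str = FAILREGEX) -> List[str]:
    """Return the client address of every log line the failregex matches, in log order."""
    pattern = compile_failregex(failregex)
    hosts = []
    for line in log_text.splitlines():
        match = pattern.search(line)
        if match:
            hosts.append(match.group("host"))
    return hosts


def ban_candidates(log_text: str, maxretry: int = 1,
                   failregex: str = FAILREGEX) -> Dict[str, int]:
    """Count matches per host and keep those that reached the jail's maxretry."""
    counts: Dict[str, int] = {}
    for host in matching_hosts(log_text, failregex):
        counts[host] = counts.get(host, 0) + 1
    return {host: n for host, n in counts.items() if n >= maxretry}


if __name__ == "__main__":
    for host, hits in ban_candidates(SAMPLE_LOG, maxretry=1).items():
        print(f"would ban {host} ({hits} hit(s))")
```

Against a real log file the same check can be done with fail2ban's own `fail2ban-regex` tool, passing the log path and the filter file; it reports how many lines matched and which addresses were extracted, so a filter that silently matches nothing (or everything) shows up before the jail is turned on.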

Comments
  1. Robin says:

    Thanks! Very helpful. I got hit with a load of these.

  2. […] like fail2ban to monitor your logs and then firewall off the offenders IP address, and there are filters out there to do […]

  3. Purrifius says:

    Client isn’t known (anymore)
    Update it to: failregex = ^ .*"GET /w00tw00t.at.ISC.SANS..+:).*?"
    and all will work fine again.

  4. Purrifius says:

    Disregard the above one.
    This should be the correct failregex for it to work fine:

    failregex = ^.*\[client <HOST>\].*w00tw00t\.at\.ISC\.SANS\.DFind.*
