howto block w00tw00t.isc.sans.dfind:) and other scans using iptables
Lately I noticed an increase in scans for certain paths, or rather unclosed connections, from user agents containing strings like “w00t.isc.sans.Dfind:)” and variations thereof. The sources were dialup IP addresses, but also some probably hacked servers on fixed IP addresses. To get rid of these scans I whipped up a shell script which scans the Apache logs and uses iptables to block these IP addresses. The script assumes there are no installations of phpMyAdmin or other server management software in a standard path. A responsibly acting admin shouldn’t use this kind of thing on openly accessible production servers anyway, methinks.
A time-driven version is in the works, but I’m lacking the time to implement it at the moment.
Useful debug output is generated if one uncomments the lines below the
###debug###
markers.
I strongly recommend doing some dry runs before installing it as a cronjob, and commenting out the HOT part like this:
#${IPTABLESPATH} -I INPUT -s "$ip" -j LOG --log-level 4 --log-prefix '** HACKERS **';
#${IPTABLESPATH} -I INPUT -s "$ip" -j DROP;
#${IPTABLESPATH} -I OUTPUT -s "$ip" -j DROP;
One should put
MAILTO='someaddress@somedomain.com'
PATH=/usr/sbin:/usr/bin:/sbin:/bin
at the top of root’s crontab so that iptables is found via the “which” statement and one gets errors via email.
I recommend putting the IPs of other servers, or your current IP, in the whitelist “if statement”
-> I got some headaches when I locked out my then dialup IP of netzturbine while testing.
And as always: Use at your own risk + THINK/understand 1st what this is about and THEN implement it.
nuff said – here is the script.
#! /bin/bash
############################################################################################################################
# badstrings ban script
# version 0.3beta
# by arnd@netzturbine.de (https://identi.ca/netzturbine) and THEOTHERGUYOFNETZTURBINE
# parses the apache logs for banstrings and greps latest attacker ips from accesslogs and errorlogs
# loads list w/o doubles into iptables
# a time releveant component needs to be implemented
# !!!Handle w/ care whitelisting of ip’s is very necessary (i.e another server to keep access if locked out from own ip)!!!
############################################################################################################################
#devel path
#cd ~/Documents/devel/ip_blocker/;
#use on live systems directory must exist and contain this script
cd /root/bin/ip_block/;
###debug####
#pwd;
#set system type
#could be suse or non-suse
#if suse use SuSEfirewall2 scripts on top of this
system="suse"
#check if iptables is installed and found otherwise exit
IPTABLESPATH=$(which iptables);
if [ $? == "1" ]
then
echo "iptables not found";
exit;
fi
#set logformat
# if it is vhost the 2nd column is the ip to block, if it is common the 1st column is the ip to block
# check log_format.conf for possible values
# check somevhost.conf for used format
LOGFORMAT="vhost"
#set logpath
LOGPATH="/var/log/apache2/";
#Declare accesslogs array
#if multiple accesslogs are used put them with blanks like
# ACCESSLOGS=( ${LOGPATH}access_log ${LOGPATH}other_access_log);
ACCESSLOGS=( ${LOGPATH}access_log );
#Declare errorlogs array
#if multiple errorlogs are used put them with blanks
ERRORLOGS=( ${LOGPATH}error_log );
#declare banstringsarray
#be careful all requests containing these strings !!!case insensitive!!! AND throwing error 404 in access logs or showing up in error log are blocked except whitelisted ip's
BANSTRINGS=( 'w00t' 'phpmy' 'mysql' 'script' 'attacker' );
#resetting logs
# no better way to keep bans low until timestamps are implemented
# bears risk of being scanned by same host again
# comment in if users are mostly on dialup hosts
# logrotate should be on daily basis
#rm ./ban*;
# get number of elements in arrays
ACCESSLOGSNUMBER=${#ACCESSLOGS[@]}
###debug####
#echo "ACCESSLOGSNUMBER: ${ACCESSLOGSNUMBER}";
ERRORLOGSNUMBER=${#ERRORLOGS[@]}
###debug####
#echo "ERRORLOGSNUMBER: ${ERRORLOGSNUMBER}";
BANSTRINGSNUMBER=${#BANSTRINGS[@]}
###debug####
#echo "BANSTRINGSNUMBER: ${BANSTRINGSNUMBER}";
#parsing access logs looking for 404 errors and ${BANSTRINGS} to keep correct requests
i=0;
# outer loop through logs
while [ ${i} -lt ${ACCESSLOGSNUMBER} ]
do
###debug####
#echo "parsing log: "${ACCESSLOGS[${i}]};
#inner loop through banstrings
j=0;
while [ ${j} -lt ${BANSTRINGSNUMBER} ]
do
###debug####
#echo "No ${j} string to ban: ${BANSTRINGS[${j}]}";
#if logformat is vhost 2nd ip is attacker
if [ "${LOGFORMAT}" == "vhost" ]
then
#creating list - printing 2nd column - logformat vhost - sorting w/ uniqueness
grep 404 "${ACCESSLOGS[${i}]}" | grep -i "${BANSTRINGS[${j}]}" | awk '{ print $2 }' | sort -u >> ./ban_latest_list;
else
#creating list - printing 1st column - logformat common - sorting w/ uniqueness
grep 404 "${ACCESSLOGS[${i}]}" | grep -i "${BANSTRINGS[${j}]}" | awk '{ print $1 }' | sort -u >> ./ban_latest_list;
fi
j=$[${j}+1];
done
#increment
i=$[${i}+1];
done
#parsing error logs
#creating list from error logs
i=0;
# outer loop through logs
while [ ${i} -lt ${ERRORLOGSNUMBER} ]
do
###debug####
#echo "parsing log: "${ERRORLOGS[${i}]};
#inner loop through banstrings
j=0;
while [ ${j} -lt ${BANSTRINGSNUMBER} ]
do
#8th column of the error log is "[client 1.2.3.4]" - the closing bracket is stripped by sed
grep -i "${BANSTRINGS[${j}]}" "${ERRORLOGS[${i}]}" | awk '{ print $8 }' | sort -u | sed 's/]//g' >> ./ban_latest_list;
j=$[${j}+1];
done
#increment
i=$[${i}+1];
done
#merge lists - ban_list does not exist yet on the very first run
cat ./ban_latest_list > ./ban_tmp_list;
cat ./ban_list >> ./ban_tmp_list 2> /dev/null;
#create final list keep ip's unique
sort -u ./ban_tmp_list > ./ban_list_unique;
#remove empty lines
sed '/^$/d' ./ban_list_unique > ./ban_list;
#flushing firewall
if [ "${system}" == "suse" ]
then
###debug####
#echo "suse";
/sbin/SuSEfirewall2 stop > /dev/null 2>&1;
/sbin/SuSEfirewall2 start > /dev/null 2>&1;
else
###debug####
#echo "non-suse";
${IPTABLESPATH} -F;
${IPTABLESPATH} -X;
${IPTABLESPATH} -t nat -F;
${IPTABLESPATH} -t nat -X;
${IPTABLESPATH} -t mangle -F;
${IPTABLESPATH} -t mangle -X;
${IPTABLESPATH} -P INPUT ACCEPT;
${IPTABLESPATH} -P FORWARD ACCEPT;
${IPTABLESPATH} -P OUTPUT ACCEPT;
fi
#load list of blocked ip's
for ip in $(< ./ban_list);
do
#keep whitelisted hosts even if they give a false error + filter some strings falsely returned like "-" OR "PHP"
#ip's put in if statement are NOT blocked whatever happens
#WHITELISTED_IP is a placeholder - put your own ip / other servers' ip's here, one [ ... ] || per ip
if [ "${ip}" == "WHITELISTED_IP" ] \
|| [ "${ip}" == "-" ] || [ "${ip}" == "PHP" ] || [ "${ip}" == "file" ]
then
###debug####
#echo "${ip} whitelisted - do nothing";
continue;
else
###debug####
#echo "need to block attacker ${ip}";
${IPTABLESPATH} -I INPUT -s "$ip" -j LOG --log-level 4 --log-prefix '** HACKERS **';
${IPTABLESPATH} -I INPUT -s "$ip" -j DROP;
${IPTABLESPATH} -I OUTPUT -s "$ip" -j DROP;
fi
done
###debug####
#less ./ban_list;
The whole thing does not substitute for an Apache mod_security application firewall; it is more of a crude implementation.
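As an added dry-run example (not the original script): the same 404 + banstring extraction and whitelist logic over a few constructed vhost-format log lines, printing the iptables rules instead of inserting them. The client addresses, the vhost www.example.org and the whitelist entry 198.51.100.7 are all constructed for the example; calling build_ban_list with "common" on the same lines shows why a wrong LOGFORMAT setting would ban the vhost column instead of the client.

```shell
#!/bin/sh
# Added example, not the original script: a dry run of the ban-list logic.
# It keeps only 404 responses whose request line contains a ban string
# (case-insensitive), takes the client column the log format dictates,
# drops whitelisted/junk entries and prints the iptables commands it WOULD
# run instead of executing them.

BANPATTERN='w00t|phpmy|mysql|script|attacker'   # the script's banstrings as one regex
WHITELIST='198.51.100.7 - PHP file'             # 198.51.100.7: constructed "own server" ip

# Constructed sample log in Apache vhost_combined format (client ip is column 2).
SAMPLE_LOG='www.example.org 203.0.113.10 - - [01/Jan/2010:00:00:00 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 210 "-" "-"
www.example.org 203.0.113.11 - - [01/Jan/2010:00:00:01 +0100] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "-"
www.example.org 198.51.100.7 - - [01/Jan/2010:00:00:02 +0100] "GET /MySQL/admin/ HTTP/1.1" 404 210 "-" "-"
www.example.org 203.0.113.11 - - [01/Jan/2010:00:00:03 +0100] "GET /mysql/ HTTP/1.1" 404 210 "-" "-"
www.example.org 203.0.113.12 - - [01/Jan/2010:00:00:04 +0100] "GET /phpmyadmin/ HTTP/1.1" 200 4040 "-" "-"
www.example.org 192.0.2.5 - - [01/Jan/2010:00:00:05 +0100] "GET /index.html HTTP/1.1" 200 512 "-" "-"'

# extract_ips FORMAT (log on stdin): unique client addresses of matching 404 requests.
# Unlike a bare "grep 404" it tests the status field itself, so the "4040" byte
# count on the 200 line above cannot produce a false hit.
extract_ips() {
  if [ "$1" = "vhost" ]; then col=2; else col=1; fi
  awk -v col="$col" -v pat="$BANPATTERN" '
    { split($0, q, "\"")                 # q[2] = request line, q[3] = " status bytes "
      split(q[3], rest, " ")             # rest[1] = HTTP status code
      if (rest[1] == "404" && tolower(q[2]) ~ pat) print $col }' | sort -u
}

# is_whitelisted IP: succeeds for addresses (and junk tokens) that must never be blocked
is_whitelisted() {
  for w in $WHITELIST; do [ "$1" = "$w" ] && return 0; done
  return 1
}

# build_ban_list FORMAT LOGTEXT: the addresses that would end up in ban_list
build_ban_list() {
  printf '%s\n' "$2" | extract_ips "$1" | while read -r ip; do
    is_whitelisted "$ip" || printf '%s\n' "$ip"
  done
}

# Dry run: show the rules instead of inserting them (the HOT part stays commented out).
for ip in $(build_ban_list vhost "$SAMPLE_LOG"); do
  echo "iptables -I INPUT -s $ip -j LOG --log-level 4 --log-prefix '** HACKERS **'"
  echo "iptables -I INPUT -s $ip -j DROP"
done
```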
So long
Arnd
Exhibition – Jost Völkers “inseilastinonen”
I am really excited about Jost’s exhibition.
There will be some objects by Bernd “octopuzzle” Meinen too, and Dirk “Drock” Marham will deliver some nice audio wallpapers. Hope to see you at the vernissage on 23.10.2010 starting at 19:00.
so long
arnd
Sven Dohse opener(?) at the #antiakw demo on the main stage
really love that tune
zensursula – german internet rises against censorship and does epetition Bundestag
In the last days my international followers have probably noticed the hashtags #zensursula and #epetition in my µblog messages, me posting a lot in kraut language and talking about a magic 50000. I will try to explain why/what this is about.
#zensursula
German family secretary Ursula von der Leyen has a mission. She wants to get all child pornographic content out of the internet. A mission which I in principle second, because I do hate all this stuff, like every sane person does. Unfortunately the intended means of getting the stuff out of the net are, put mildly, not very tech savvy and do have the odour of censorship. Especially in the light of other politicians (elections ahead!) now suggesting more things which are worth being filtered, not only child pr0n. Who would honestly have expected anything else?
The German word for censorship is Zensur; in combination with Frau von der Leyen’s first name Ursula it mashes up to #zensur-usula.
So the hashtag was born.
#epetition
The German Bundestag decided in 2005 to give German citizens the possibility to petition the Bundestag’s petition commission online. A server (which was not publicized much) was set up (not very reliable btw) to enable these epetitions, including forums to discuss them. If such an epetition gets 50000 supporters in 6 weeks, it has to be discussed in public before the Petitionsausschuss des Bundestages.
This server led a quiet life without much traffic for several years, until lately another epetition raised a lot of awareness for it. This awareness was a good stress test, which the server failed terribly. One can muse about a government putting one’s tax money into a server which is not able to handle more than roughly 10-18 votes max A MINUTE for some 85 million people in Germany. Tactics or incompetence? A combination of both, I fear.
Tactics or incompetence is the question again when it comes to the measures planned by the German government to get the content out.
1. All German ISPs shall filter based on domains (DNS) and show a stop sign if illegal content is requested. Furthermore there should be a log of shown stop signs, and if one gets too many stop signs the police will come by and have a chat with the alleged child pornographer (no wait, hasn’t there been mention of filtering more, not only child porn?).
2. The filter list is compiled by the German BKA (as a German I shudder anyway at centralized police work, we have had that already, too often) on a daily basis and sent to the ISPs, who are obligated to feed it to their nameservers, which will block the sites and report to the BKA.
Up to here not that much to complain about, except politicians wanting to filter everything they do not understand or like, one could think. But now it gets dicey. There will be no judge or independent party involved in the decision process of which domain belongs on this list. The list will be kept secret (except for some policemen). This smells like censorship preparations, big time.
Just imagine a policeman putting “by error” a specific domain on the list on a specific day, claiming afterwards it was by accident, whatever.
The discussion broke loose on the very first day of this law proposal. Twitter + identi.ca were, as always, the fast-reacting realtime medium, with YouTube (how do I use OpenDNS in 27 seconds) and blogs in their wake with longer articles about the matter.
One can follow mitzeichner or zensurla to get informed about the number of signers of the petition (numbers are international).
The good news:
It cracked the 50000 goal (I am number 984 btw) and is rising. Hopefully to a 6 digit value by the 16th of June, which is when voting closes (dreaming abt. 7 digits, though, but even IF ppl wanted to, the server probably won’t be able to process it in time).
It is a big buzz now on the news. The German internet is rising against #zensursula and activating all other contacts. I am part of it, and so are many others. T-shirts are printed; I spammed my address book/facebook/skype like thousands of others did.
The bad news:
The law will come. There are elections, so populism counts.
Hope I could shed some light on the strange hashtags + kraut content I was producing lately.
Unfortunately most of the links are German, but here is a list of IMHO further important ones.
lego movie
zensursula t-shirt
statistics
Good compilation of links + stuff @ fixmbr
[UPDATE]
Just to make it crystal clear again: I DO DESPISE CHILD PORN! I want to have this shit out of the net, too.
The above is because German politicians don’t get it and call me “uncivilized” because I am (in their opinion, coz I do not like their cool law) against getting it out of the net.
so long
happy censorfree surfing
arnd
css naked day – what happened to the design?
To know more about why styles are disabled on this website, visit the Annual CSS Naked Day website.
(German) twitterverse – microblogging – social media
Sorry, this entry is only available in German.
(German) Plesk 9.0 update on a SuSE 10.2 rootie – epic fail
Sorry, this entry is only available in German.
(German) Turning off the annoying Firefox 3.0.3 refresh notice
Sorry, this entry is only available in German.
(German) Blocking the Google Chrome data kraken via WordPress plugin
Sorry, this entry is only available in German.
