Some websites are still being hit with the infamous “w00tw00t” scans. You might see these scans in your logs as:
... "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 ...
Using Iptables
The quickest way to make sure the request never reaches your web server (and so never wastes resources such as processor time, disk space for log files, etc.) is to use iptables, and it can be done with a one-liner like this:
iptables -I INPUT -d xxx.xxx.xxx.xxx -p tcp --dport 80 -m string --to 70 --algo bm --string 'GET /w00tw00t.at.ISC.SANS.' -j DROP
Simply replace xxx.xxx.xxx.xxx with the IP of your web server. If you want to use this for a range of IPs (i.e., you’re using multiple IPs to host web servers), simply replace the “-d xxx.xxx.xxx.xxx” portion with:
-m iprange --dst-range start.xxx.xxx.xxx-end.xxx.xxx.xxx
where start.xxx.xxx.xxx and end.xxx.xxx.xxx are the first and last IPs of your web servers respectively.
It looks like I have neglected to write a new article in quite a while! Shame on me. But, thanks to a website outage, I’ve finally got some more good stuff to share with you.
My previous Nginx configuration became a nightmare to maintain and WordPress had become slower because Apache’s children were being killed by OOM. This was due to a misguided PHP cache (PHP XCache to be precise) that decided to take every available bit of memory from my system, despite having max-requests per child set low (before it was purged).
This, along with my endeavors in seeking the fastest solution to everything and the introduction of new Cloud servers by OVH, led me to today’s article.
Last year I wrote a guide on how to use Shorewall as a firewall and router for Proxmox. As a follow-up I will answer a few questions I’ve received about that guide that can help you extend its use.
Proxy ARP
The most common question is in regards to proxy ARP. Enabling this option will allow you to assign a public IP directly to your guest VM, eliminating the need for port forwarding (DNAT) or having to worry about the MAC address.
As an example use for proxy ARP, it is helpful for those using a SIP-based VoIP server since a STUN server is no longer required.
A while ago my blog started to act up by randomly showing translated pages in place of the desired language. The culprit was a WordPress caching plugin (Hyper Cache) that started to misbehave with the latest upgrade. I promptly disabled it and went on a search for a replacement.
As you may have read in one of my previous blog entries, specifically “NginX and Apache, but no memcached”, I prefer to use NginX as the front-end serving static files, and Apache as a back-end dealing with the dynamic pages. So it would be ideal if NginX could serve up static WordPress files, which is exactly what I am doing now with the help of WP Super Cache.
A few days ago I posted a short blog about DNS performance benchmarking by Google using namebench. After the rather surprising results, I decided to replace the primary upstream DNS server with OpenDNS.
Once I had run the namebench tool again, the results were showing a huge leap in performance. But strikingly, BT’s DNS servers were still faster than my own local servers. Jonathan, the resident monkey, also commented about this based on his own tests. It seems that there might be something amiss with the namebench tool (and I shall dutifully point this out to Google, to see what they have to say).