Block the DFind scanner

DFind is a vulnerability scanner, and a real pain in the ***, as it pollutes your Apache access log with lines such as this:

84.145.78.74 [16/Oct/2008:18:12:34] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400

How to get rid of this junk?
The Apache return code is 400, which means the request syntax is invalid. Looking in the error log we see this:

client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23)

Because Apache rejects the request at parse time as malformed, trying to block it with a rewrite rule or a mod_security pattern is useless: those never get to see it.

The best solution is to block it before it reaches the HTTP server, using iptables, like this:

# Match the scanner's request line in the first 70 bytes of the TCP payload and drop
# the packet before Apache ever sees it. <server_ip> is the web server's own address.
# -I puts the rule at the top of INPUT: the request arrives on an already established
# connection, so a rule appended after a conntrack ESTABLISHED accept would never match.
iptables -I INPUT -d <server_ip> -p tcp --dport 80 -m string --to 70 --algo bm --string 'GET /w00tw00t.at.ISC.SANS.' -j DROP

Restore a machine from a backup

It is very easy under GNU/Linux to restore a system from a full rsync backup. Just follow this procedure:

  • Boot on a liveCD
  • In case of hard-drive change, partition the new HDD using parted
  • Create a temporary directory and mount the root partition of your HDD inside it (/dev/sdb1 in this example):
mkdir /mnt/root_hdd
mount -t ext3 /dev/sdb1 /mnt/root_hdd
  • Restore data from your backup:
rsync -av --numeric-ids --delete --exclude='/proc' --exclude='/sys' /media/<mybackup>/ /mnt/root_hdd/

Existing data on the root partition is overwritten, and files that are not in the backup are deleted (--delete).

If the disk was replaced, the boot loader also needs to be reinstalled:

  • Install grub (the live system's /proc, /dev and /sys are bind-mounted so grub-install works inside the chroot):
mount --bind /proc /mnt/root_hdd/proc
mount --bind /dev /mnt/root_hdd/dev
mount --bind /sys /mnt/root_hdd/sys
chroot /mnt/root_hdd
grub-install /dev/sdb1

That’s all, reboot and enjoy.
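The whole procedure above as one script with a few guards (mount-point check, refusal to target the live root, a dry run before the real rsync). This is an added example, not from the original post; the backup path, the root partition and the GRUB target device are assumed placeholders passed as arguments.

```shell
#!/bin/sh
# Added example: the rsync restore procedure as one script with guards.
# Arguments (all assumptions): <backup dir> <root partition> <grub target device>
set -eu

MNT=/mnt/root_hdd

# Build the rsync command used for the restore. A trailing slash on both paths
# means "contents of", so it is forced here to avoid restoring into a subdirectory.
restore_cmd() {
    printf 'rsync -av --numeric-ids --delete --exclude=/proc --exclude=/sys %s/ %s/' \
        "${1%/}" "${2%/}"
}

# Refuse a target that is the live system's own root or not a mounted filesystem:
# --delete against "/" of the liveCD would wipe the running environment.
check_target() {
    if [ "$1" = "/" ]; then return 1; fi
    mountpoint -q "$1"
}

restore() {
    backup=$1; root_dev=$2; boot_dev=$3
    mkdir -p "$MNT"
    mount -t ext3 "$root_dev" "$MNT"        # adjust the fs type to your disk
    check_target "$MNT" || { echo "refusing to restore into $MNT" >&2; exit 1; }
    # Dry run first (-n) so the files that would be deleted are visible beforehand.
    eval "$(restore_cmd "$backup" "$MNT") -n" | grep '^deleting ' || true
    eval "$(restore_cmd "$backup" "$MNT")"
    # /proc and /sys were excluded; recreate the mount points, then bind-mount
    # the live system's /proc, /dev and /sys so grub-install works in the chroot.
    mkdir -p "$MNT/proc" "$MNT/sys" "$MNT/dev"
    for d in proc dev sys; do mount --bind "/$d" "$MNT/$d"; done
    # grub-install normally targets the whole disk (e.g. /dev/sdb); a partition
    # only works if something else chainloads it. If the disk was replaced, the
    # partition UUIDs changed: check /etc/fstab and the GRUB config afterwards.
    chroot "$MNT" grub-install "$boot_dev"
    for d in sys dev proc; do umount "$MNT/$d"; done
    umount "$MNT"
}

# Only run when invoked with all three arguments, e.g.
#   sh restore.sh /media/mybackup /dev/sdb1 /dev/sdb
if [ $# -eq 3 ]; then
    restore "$@"
fi
```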