Better Web Scanner Drop

So the idea is to add some PHP to your custom 404 page.

<?php
function startsWith($haystack, $needle)
{
	$length = strlen($needle);
	return (substr($haystack, 0, $length) === $needle);
}
function startsWithBlocked($needle)
{
	$blockStarts = array(
		"/wp-content/",
		"/w00tw00t"
	);
	foreach($blockStarts as $i => $value)
	{
		if(startsWith($needle, $value))
		{
			return true;
		}
	}
	return false;
}
function isBlockablePage($needle)
{
	$blockPages = array(
		"/pma",
		"/myadmin",
		"/admin",
		"/phpmyadmin",
		"/php-my-admin",
		"/wp-login.php",
		"/w00tw00t.at.blackhats.romanian.anti-sec:)",
		"/webcalendar",
		"/calendar",
		"/dbadmin",
		"/mysql",
		"/includes",
		"/public_calendar",
		"/web-calendar",
		"/webcalendar",
		"/calendar",
		"/wcalendar",
		"/w00tw00t.at.isc.sans.dfind:)"
	);
	return in_array($needle, $blockPages);
}
function Block($needle)
{
	$lower = strtolower($needle);
	if(startsWith($lower, "//"))
	{
		$length = strlen($lower);
		$lower = substr($lower, 1, $length - 1);
	}
	return (startsWithBlocked($lower) || isBlockablePage($lower));
}

if(Block($_SERVER['REQUEST_URI']))
{
		$ip = $_SERVER['REMOTE_ADDR'];
		system("echo +$ip >> /proc/net/xt_recent/scandrop");
}
?>

These are just some of the ones I've seen.  I added the starts with checks, as well as added some url sanitation.

You need xt_recent in iptables, but it usually comes with it in my experience.
Here is one way you can have iptables use this.


iptables -N httpscandrop
iptables -A httpscandrop -m recent ! --rcheck --name scandrop --rsource -j RETURN
iptables -A httpscandrop -j DROP
iptables -I INPUT 1 -j httpscandrop

run "touch /proc/net/xt_recent/scandrop" then allow your web user write access to the file any way you want to.

There are various ways around this method, but these scans aren't so annoying that I want to actually write an Apache module for it.