fail2ban + Apache
אני מעלה בכתב כאן כמה שורות של פילטרים שיצא לי להרכיב עבור fail2ban אחרי ניתוח קבצי ה-error של השרת. אולי הם גם יעזרו לאנשים אחרים.
הסיבה שה-REGEX שלי טיפה מורכב יותר מהרגיל היא שלפני כמה זמן, כשהתחלתי להשתמש ב-fail2ban, קיבלתי באחת מרשימות התפוצה שאני רשום אליהן (לא זוכר כרגע איזו) הודעה שיש באג ב-f2b שמאפשר למישהו לזייף בקשה בצורה כזאת שאתה יכול לבצע DoS לעצמך, והתיקון הנ"ל היה ברשימה. לא יצא לי לבדוק את הנושא מאז, אבל זה ב-TODO LIST שלי 🙂
Filters
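# filter: apache-probe.conf
#
# fail2ban filter for the Apache error_log.  Bans clients whose requests
# show up as probes for admin consoles / DB front-ends, as requests for
# backup, config or source-control files, as known scanner signatures, or
# as malformed requests.  Patterns were collected from this server's own
# error log.
#
# Line prefix accepted by %(_prefix)s (timestamp, level, client):
#   Apache 2.2: [Tue Mar 12 10:00:00 2013] [error] [client 1.2.3.4]
#   Apache 2.4: [Tue Mar 12 10:00:00.123456 2013] [core:error] [pid 1234] [client 1.2.3.4:54321] AH00128: ...
# The leading bracket pair is [^]]* (not [^]]+): recent fail2ban versions
# apply failregex to the line with the timestamp already removed, which
# leaves an empty "[]" at the start.  Recent fail2ban also ships
# filter.d/apache-common.conf with an equivalent _apache_error_client; if
# it is available, pulling it in via [INCLUDES] is preferable to this copy.
#
# The original patterns used a bare "(?i)" in the middle of the expression.
# Python warns about that since 3.6 and rejects it from 3.11 on, so the
# case-insensitive parts are now scoped groups "(?i:...)".  Scoped flags
# need Python >= 3.6; on an older interpreter fall back to the old form.
#
# Continuation lines of a multi-line value MUST be indented, otherwise the
# config parser treats each of them as a new option and the filter fails
# to load.

[Definition]

# Everything up to and including the client address.  <HOST> is expanded by
# fail2ban.  The optional ":port" after <HOST>, the "[pid ...]" field and
# the "AHnnnnn:" message code only appear in the Apache 2.4 format.
_prefix = \[[^]]*\] \[(?:error|\S*:\S+)\](?: \[pid \d+(?::tid \d+)?\])? \[client <HOST>(?::\d{1,5})?\](?: AH\d+:)?

# "File does not exist:" carries the resolved filesystem path (document
# root + URI), which is why the path probes are written as /\S*/name: the
# name is always preceded by at least the document root.
#
# The per-name lines of the original were merged into two alternations
# (admin/control panels, then DB front-ends) so that fail2ban evaluates far
# fewer expressions per log line; matching is unchanged (fail2ban searches,
# so the trailing ".*" / "\S*" of the original were no-ops and are dropped).
# These are prefix matches: "auth" also fires on /authors, "mysql" on
# /mysql-docs.  If that produces false positives on a site, append a word
# boundary, e.g. "auth\b".
#
# In the file-suffix line, ".git" and ".svn" were previously inside the
# suffix group, i.e. required "..git"; they are now matched as path
# components "/.git" and "/.svn".  "bitrix" and "_?api" are kept exactly as
# written (suffixes ".bitrix", ".api", "._api"); if the /bitrix/ or /api
# directories were meant, move them next to git|svn.
#
# "client denied by server configuration" also fires for legitimate users
# hitting a Deny/Require rule, so keep maxretry for this jail above 1.
failregex = ^%(_prefix)s File does not exist: (?i:/\S*/(?:admin|iisadmin|myadmin|cpanel|controlpanel|manager|horde|vtigercrm|auth|autologin|jmx-console|ictupr|server-info|phpinfo\.php))
            ^%(_prefix)s File does not exist: (?i:/\S*/(?:phpmyadmin|pma|mysql|sqlweb|webdb))
            ^%(_prefix)s File does not exist: (?i:/\S*(?:\.(?:aspx?|ini|exe|plx?|inc|mdb|conf|jsp|sql|java|yml|class|sqlite3|cfm|backup|bak|log|bitrix|_?api)|/\.(?:git|svn)))
            ^%(_prefix)s .*/etc/passwd
            ^%(_prefix)s .*testasp\.vulnweb\.com
            ^%(_prefix)s Invalid method in request (ACUNETIX|DEBUG|HELP|NETSPARKER|SEARCH|TRACK)
            ^%(_prefix)s Invalid URI in request
            ^%(_prefix)s client denied by server configuration
            ^%(_prefix)s script '\S*/wp-login\.php' not found or unable to stat
            ^%(_prefix)s request failed: URI too long

# Nothing is whitelisted; add expressions here for lines that must never
# count as a failure.
ignoreregex =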