fail2ban + Apache
I'm writing down here a few lines of filters that I happened to put together for fail2ban after analysing the server's error log files. Maybe they will help other people too.
The reason my regex is a bit more complex than usual is that some time ago, when I started using fail2ban, I got a message on one of the mailing lists I'm subscribed to (I don't remember which one right now) that there is a bug in f2b that lets someone forge a request in such a way that you can DoS yourself, and the fix above was posted on that list. I haven't had a chance to look into it since, but it's on my TODO list 🙂
Filters
# filter: apache-probe.conf
#
# Every pattern is anchored on the complete Apache error-log prefix
# ([timestamp] [error] [client <HOST>]) so that text an attacker places in a
# request path cannot be mistaken for the start of a log record.
#
# Two notes for anyone reusing this:
# - the second pattern originally listed "\.git|\.svn" inside the extension
#   group; because the group already sits behind a literal "\.", that could
#   only ever match "..git"/"..svn", so it has been corrected to "git|svn".
# - the (?i) flags sit in the middle of each pattern. Python 3.11+ rejects
#   global inline flags that are not at the start of an expression, so on a
#   fail2ban running there change each "(?i)X" into a scoped group "(?i:X)".
[Definition]
failregex = ^[[][^]]+[]] [[]error[]] [[]client <HOST>[]] File does not exist: (?i)/\S*/admin\S*
            ^[[][^]]+[]] [[]error[]] [[]client <HOST>[]] File does not exist: (?i)/\S*\.(aspx?|ini|exe|plx?|inc|mdb|conf|jsp|sql|java|yml|class|sqlite3|cfm|backup|bak|log|bitrix|git|svn|_?api)
            ^[[][^]]+[]] [[]error[]] [[]client <HOST>[]] File does not exist: (?i)/\S*/jmx-console
            ^[[][^]]+[]] [[]error[]] [[]client <HOST>[]] File does not exist: (?i)/\S*/ictupr
            ^[[][^]]+[]] [[]error[]] [[]client <HOST>[]] File does not exist: (?i)/\S*/phpmyadmin
            ^[[][^]]+[]] [[]error[]] [[]client <HOST>[]] File does not exist: (?i)/\S*/pma.*
            ^[[][^]]+[]] [[]error[]] [[]client <HOST>[]] File does not exist: (?i)/\S*/manager.*
            ^[[][^]]+[]] [[]error[]] [[]client <HOST>[]] File does not exist: (?i)/\S*/server-info
            ^[[][^]]+[]] [[]error[]] [[]client <HOST>[]] File does not exist: (?i)/\S*/mysql.*
            ^[[][^]]+[]] [[]error[]] [[]client <HOST>[]] File does not exist: (?i)/\S*/sqlweb.*
            ^[[][^]]+[]] [[]error[]] [[]client <HOST>[]] File does not exist: (?i)/\S*/webdb.*
            ^[[][^]]+[]] [[]error[]] [[]client <HOST>[]] File does not exist: (?i)/\S*/vtigercrm.*
            ^[[][^]]+[]] [[]error[]] [[]client <HOST>[]] File does not exist: (?i)/\S*/auth
            ^[[][^]]+[]] [[]error[]] [[]client <HOST>[]] File does not exist: (?i)/\S*/autologin
            ^[[][^]]+[]] [[]error[]] [[]client <HOST>[]] File does not exist: (?i)/\S*/controlpanel
            ^[[][^]]+[]] [[]error[]] [[]client <HOST>[]] File does not exist: (?i)/\S*/cpanel
            ^[[][^]]+[]] [[]error[]] [[]client <HOST>[]] File does not exist: (?i)/\S*/horde
            ^[[][^]]+[]] [[]error[]] [[]client <HOST>[]] File does not exist: (?i)/\S*/iisadmin
            ^[[][^]]+[]] [[]error[]] [[]client <HOST>[]] File does not exist: (?i)/\S*/myadmin
            ^[[][^]]+[]] [[]error[]] [[]client <HOST>[]] File does not exist: (?i)/\S*/phpinfo\.php
            ^[[][^]]+[]] [[]error[]] [[]client <HOST>[]] .*/etc/passwd.*
            ^[[][^]]+[]] [[]error[]] [[]client <HOST>[]] .*testasp\.vulnweb\.com.*
            ^[[][^]]+[]] [[]error[]] [[]client <HOST>[]] Invalid method in request (ACUNETIX|DEBUG|HELP|NETSPARKER|SEARCH|TRACK)
            ^[[][^]]+[]] [[]error[]] [[]client <HOST>[]] Invalid URI in request
            ^[[][^]]+[]] [[]error[]] [[]client <HOST>[]] client denied by server configuration
            ^[[][^]]+[]] [[]error[]] [[]client <HOST>[]] script '\S*/wp-login\.php' not found or unable to stat
            ^[[][^]]+[]] [[]error[]] [[]client <HOST>[]] request failed: URI too long
ignoreregex =
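To show what the `^[[][^]]+[]] [[]error[]] [[]client <HOST>[]]` anchoring actually buys, here is a small Python check. It is an added example, not code from the post or from fail2ban itself: it runs one anchored pattern from the filter next to a naive unanchored variant over a few constructed Apache 2.2-style error-log lines, one of which carries a request path crafted to look like a second log record naming an innocent address. The `HOST` class is a simplified stand-in for fail2ban's real `<HOST>` substitution, the log lines are made up, and `(?i)` is placed at the start of each expression so the code also runs on Python 3.11+.

```python
import re

# Stand-in for fail2ban's <HOST> tag. Assumption: the real substitution is more
# elaborate (IPv6 forms, IPv4-mapped prefixes); this class is enough for the demo.
HOST = r"(?P<host>[\w\-.:]+)"

# Same shape as the filter above: timestamp, [error] and [client ...] must all
# sit at the start of the line. (?i) leads the expression because Python 3.11+
# rejects global inline flags anywhere else.
ANCHORED = (r"(?i)^[[][^]]+[]] [[]error[]] [[]client " + HOST + r"[]] "
            r"File does not exist: /\S*/admin\S*")

# The naive version: look for "[client X] File does not exist: ..." anywhere.
UNANCHORED = (r"(?i)[[]client " + HOST + r"[]] "
              r"File does not exist: /\S*/admin\S*")

# Constructed error-log lines (not real server output). The second one is a
# request whose path was chosen so that its tail reads like a fresh record
# blaming 192.0.2.1, an address that never sent anything.
SAMPLE_LINES = [
    "[Thu Dec 01 10:00:00 2011] [error] [client 203.0.113.7] "
    "File does not exist: /var/www/html/admin",
    "[Thu Dec 01 10:00:01 2011] [error] [client 203.0.113.7] "
    "File does not exist: /var/www/html/[client 192.0.2.1] "
    "File does not exist: /srv/admin",
    "[Thu Dec 01 10:00:02 2011] [error] [client 198.51.100.9] "
    "File does not exist: /var/www/html/favicon.ico",
]


def matched_host(pattern, line):
    """Host the failure would be attributed to, or None if the line does not match.

    fail2ban searches each failregex rather than requiring a full-line match,
    which is exactly why an unanchored pattern can lock onto text that the
    requester controls.
    """
    m = re.search(pattern, line)
    return m.group("host") if m else None


def hosts_to_ban(pattern, lines):
    """Hosts that would accumulate a failure for `pattern`, in log order."""
    return [h for h in (matched_host(pattern, line) for line in lines) if h]


if __name__ == "__main__":
    for name, pattern in (("anchored", ANCHORED), ("unanchored", UNANCHORED)):
        print(name, hosts_to_ban(pattern, SAMPLE_LINES))
```

The anchored pattern only ever yields the real client, 203.0.113.7, and simply does not match the crafted line; the unanchored one additionally hands 192.0.2.1 to fail2ban as a failure, which is the self-inflicted ban the mailing-list report was about. To test the full filter against a real log rather than this toy, fail2ban ships `fail2ban-regex`, which takes the log file and the filter file as its two arguments (paths such as `/var/log/apache2/error.log` and `/etc/fail2ban/filter.d/apache-probe.conf` are distribution defaults, not something this post fixes).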