fail2ban/config/filter.d/apache-overflows.conf

# Fail2Ban filter to block web requests on a long or suspicious nature
#

[INCLUDES]

# overwrite with apache-common.local if _apache_error_client is incorrect.
before = apache-common.conf

[Definition]

failregex = ^%(_apache_error_client)s ((AH0013[456]: )?Invalid (method|URI) in request .*( - possible attempt to establish SSL connection on non-SSL port)?|(AH00565: )?request failed: URI too long \(longer than \d+\)|request failed: erroneous characters after protocol string: .*|AH00566: request failed: invalid characters in URI)(, referer: \S+)?$

ignoreregex =

# DEV Notes:
# 
# fgrep -r 'URI too long' httpd-2.*
#   httpd-2.2.25/server/protocol.c:                          "request failed: URI too long (longer than %d)", r->server->limit_req_line);
#   httpd-2.4.4/server/protocol.c:                              "request failed: URI too long (longer than %d)",
#
# fgrep -r 'in request' ../httpd-2.* | fgrep Invalid
#   httpd-2.2.25/server/core.c:                     "Invalid URI in request %s", r->the_request);
#   httpd-2.2.25/server/core.c:                          "Invalid method in request %s", r->the_request);
#   httpd-2.2.25/docs/manual/rewrite/flags.html.fr:avertissements 'Invalid URI in request'.
#   httpd-2.4.4/server/core.c:                     "Invalid URI in request %s", r->the_request);
#   httpd-2.4.4/server/core.c:                              "Invalid method in request %s - possible attempt to establish SSL connection on non-SSL port", r->the_request);
#   httpd-2.4.4/server/core.c:                              "Invalid method in request %s", r->the_request);
#
# fgrep -r 'invalid characters in URI' httpd-2.*
#   httpd-2.4.4/server/protocol.c:                              "request failed: invalid characters in URI");
#
# http://svn.apache.org/viewvc/httpd/httpd/trunk/server/core.c?r1=739382&r2=739620&pathrev=739620
#   ...possible attempt to establish SSL connection on non-SSL port
#
# https://wiki.apache.org/httpd/ListOfErrors
# Author: Tim Connors
DOC: in filters, put user relevant doc at top, and developer info at bottom, and remove all the repetative blindly copied stuff that appears in the jail man page 2013-10-30 13:02:59 +00:00			`# Fail2Ban filter to block web requests on a long or suspicious nature`
- Fixed Debian bug #456567 git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@664 a942ae1a-1317-0410-a47c-b1dcaea8d605 2008-03-05 21:47:59 +00:00			`#`

BF: anchor apache- filters. Close #248 See https://vndh.net/note:fail2ban-089-denial-service for more information 2013-06-11 18:56:25 +00:00			`[INCLUDES]`

DOC: in filters, put user relevant doc at top, and developer info at bottom, and remove all the repetative blindly copied stuff that appears in the jail man page 2013-10-30 13:02:59 +00:00			`# overwrite with apache-common.local if _apache_error_client is incorrect.`
BF: anchor apache- filters. Close #248 See https://vndh.net/note:fail2ban-089-denial-service for more information 2013-06-11 18:56:25 +00:00			`before = apache-common.conf`

- Fixed Debian bug #456567 git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@664 a942ae1a-1317-0410-a47c-b1dcaea8d605 2008-03-05 21:47:59 +00:00			`[Definition]`

BF: apache filters using error log weren't matched when referer existed in HTTP header 2013-11-18 23:27:55 +00:00			`failregex = ^%(_apache_error_client)s ((AH0013[456]: )?Invalid (method\|URI) in request .( - possible attempt to establish SSL connection on non-SSL port)?\|(AH00565: )?request failed: URI too long \(longer than \d+\)\|request failed: erroneous characters after protocol string: .\|AH00566: request failed: invalid characters in URI)(, referer: \S+)?$`
- Fixed Debian bug #456567 git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@664 a942ae1a-1317-0410-a47c-b1dcaea8d605 2008-03-05 21:47:59 +00:00
			`ignoreregex =`
DOC: in filters, put user relevant doc at top, and developer info at bottom, and remove all the repetative blindly copied stuff that appears in the jail man page 2013-10-30 13:02:59 +00:00
ENH: apache-overflow filter to have HTTP-2.4 message IDs and test samples 2013-11-10 23:38:02 +00:00			`# DEV Notes:`
ENH: apache-overflows - more detail on "request failed: URI too long (longer than %d)" with test case 2013-11-10 22:46:40 +00:00			`#`
			`# fgrep -r 'URI too long' httpd-2.*`
			`# httpd-2.2.25/server/protocol.c: "request failed: URI too long (longer than %d)", r->server->limit_req_line);`
			`# httpd-2.4.4/server/protocol.c: "request failed: URI too long (longer than %d)",`
			`#`
ENH: apache-overflow filter to have HTTP-2.4 message IDs and test samples 2013-11-10 23:38:02 +00:00			`# fgrep -r 'in request' ../httpd-2.* \| fgrep Invalid`
			`# httpd-2.2.25/server/core.c: "Invalid URI in request %s", r->the_request);`
			`# httpd-2.2.25/server/core.c: "Invalid method in request %s", r->the_request);`
			`# httpd-2.2.25/docs/manual/rewrite/flags.html.fr:avertissements 'Invalid URI in request'.`
			`# httpd-2.4.4/server/core.c: "Invalid URI in request %s", r->the_request);`
			`# httpd-2.4.4/server/core.c: "Invalid method in request %s - possible attempt to establish SSL connection on non-SSL port", r->the_request);`
			`# httpd-2.4.4/server/core.c: "Invalid method in request %s", r->the_request);`
			`#`
			`# fgrep -r 'invalid characters in URI' httpd-2.*`
			`# httpd-2.4.4/server/protocol.c: "request failed: invalid characters in URI");`
			`#`
			`# http://svn.apache.org/viewvc/httpd/httpd/trunk/server/core.c?r1=739382&r2=739620&pathrev=739620`
			`# ...possible attempt to establish SSL connection on non-SSL port`
			`#`
			`# https://wiki.apache.org/httpd/ListOfErrors`
DOC: in filters, put user relevant doc at top, and developer info at bottom, and remove all the repetative blindly copied stuff that appears in the jail man page 2013-10-30 13:02:59 +00:00			`# Author: Tim Connors`