fail2ban/config/filter.d/apache-noscript.conf

# Fail2Ban filter to block web requests for scripts (on non scripted websites)
#
# This matches many types of scripts that don't exist. This could generate a
# lot of false positive matches in cases like wikis and forums where users
# no affiliated with the website can insert links to missing files/scripts into
# pages and cause non-malicious browsers of the site to trigger against this
# filter.
#
# If you'd like to match specific URLs that don't exist see the
# apache-botsearch filter.
#

[INCLUDES]

# overwrite with apache-common.local if _apache_error_client is incorrect.
before = apache-common.conf

[Definition]

script = /\S*(?:php(?:[45]|[.-]cgi)?|\.asp|\.exe|\.pl)

prefregex = ^%(_apache_error_client)s <F-CONTENT>.+</F-CONTENT>$

failregex = ^(?:(?:AH001(?:28|30): )?File does not exist|(AH01264: )?script not found or unable to stat): <script>\b
            ^script '<script>\S*' not found or unable to stat
            ^(?:AH01071: )?Got error 'Primary script unknown\\n'

ignoreregex = 


# DEV Notes:
#
# https://wiki.apache.org/httpd/ListOfErrors for apache error IDs
#
# Second regex, script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat\s*$ is in httpd-2.2
#
# Author: Cyril Jaquier
DOC: in filters, put user relevant doc at top, and developer info at bottom, and remove all the repetative blindly copied stuff that appears in the jail man page 2013-10-30 13:02:59 +00:00			`# Fail2Ban filter to block web requests for scripts (on non scripted websites)`
- Added "apache-noscript" filter. Thanks to Pander git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@411 a942ae1a-1317-0410-a47c-b1dcaea8d605 2006-10-17 19:05:27 +00:00			`#`
DOC: for apache-botsearch and apache-botsearch 2014-01-09 20:34:01 +00:00			`# This matches many types of scripts that don't exist. This could generate a`
			`# lot of false positive matches in cases like wikis and forums where users`
			`# no affiliated with the website can insert links to missing files/scripts into`
			`# pages and cause non-malicious browsers of the site to trigger against this`
			`# filter.`
			`#`
			`# If you'd like to match specific URLs that don't exist see the`
			`# apache-botsearch filter.`
- Added "apache-noscript" filter. Thanks to Pander git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@411 a942ae1a-1317-0410-a47c-b1dcaea8d605 2006-10-17 19:05:27 +00:00			`#`

BF: anchor apache- filters. Close #248 See https://vndh.net/note:fail2ban-089-denial-service for more information 2013-06-11 18:56:25 +00:00			`[INCLUDES]`

DOC: in filters, put user relevant doc at top, and developer info at bottom, and remove all the repetative blindly copied stuff that appears in the jail man page 2013-10-30 13:02:59 +00:00			`# overwrite with apache-common.local if _apache_error_client is incorrect.`
BF: anchor apache- filters. Close #248 See https://vndh.net/note:fail2ban-089-denial-service for more information 2013-06-11 18:56:25 +00:00			`before = apache-common.conf`

- Added "apache-noscript" filter. Thanks to Pander git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@411 a942ae1a-1317-0410-a47c-b1dcaea8d605 2006-10-17 19:05:27 +00:00			`[Definition]`

filter.d/apache-noscript.conf: extended to match "Primary script unknown", got from php-fpm module. 2018-03-19 12:18:55 +00:00			`script = /\S*(?:php(?:[45]\|[.-]cgi)?\|\.asp\|\.exe\|\.pl)`

			`prefregex = ^%(_apache_error_client)s <F-CONTENT>.+</F-CONTENT>$`

			`failregex = ^(?:(?:AH001(?:28\|30): )?File does not exist\|(AH01264: )?script not found or unable to stat): <script>\b`
			`^script '<script>\S*' not found or unable to stat`
			`^(?:AH01071: )?Got error 'Primary script unknown\\n'`
- Added option "ignoreregex" in filter scripts and jail.conf. Feature Request #1283304 git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@458 a942ae1a-1317-0410-a47c-b1dcaea8d605 2006-11-12 14:52:36 +00:00
- Defined default values in .conf. Should fix Debian bug #398758 git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@464 a942ae1a-1317-0410-a47c-b1dcaea8d605 2006-11-15 18:44:28 +00:00			`ignoreregex =`
DOC: in filters, put user relevant doc at top, and developer info at bottom, and remove all the repetative blindly copied stuff that appears in the jail man page 2013-10-30 13:02:59 +00:00

ENH: apache-2.4 message IDs for filter apache-noscript 2013-11-10 23:49:11 +00:00			`# DEV Notes:`
			`#`
			`# https://wiki.apache.org/httpd/ListOfErrors for apache error IDs`
			`#`
DOC: fix comment regarding apache version in apache-noscript 2014-01-09 21:35:37 +00:00			`# Second regex, script '/\S(\.php\|\.asp\|\.exe\|\.pl)\S' not found or unable to stat\s*$ is in httpd-2.2`
ENH: apache-2.4 message IDs for filter apache-noscript 2013-11-10 23:49:11 +00:00			`#`
DOC: in filters, put user relevant doc at top, and developer info at bottom, and remove all the repetative blindly copied stuff that appears in the jail man page 2013-10-30 13:02:59 +00:00			`# Author: Cyril Jaquier`