From 3c83c19070b8e79e2d4392071d02b4ea99643d87 Mon Sep 17 00:00:00 2001
From: Jan Przybylak
Date: Sat, 6 Jun 2020 19:51:46 +0200
Subject: [PATCH 1/4] Added filter nginx-bad-request

---
 config/filter.d/nginx-bad-request.conf | 13 +++++++++++++
 1 file changed, 13 insertions(+)
 create mode 100644 config/filter.d/nginx-bad-request.conf

diff --git a/config/filter.d/nginx-bad-request.conf b/config/filter.d/nginx-bad-request.conf
new file mode 100644
index 00000000..ea26d56a
--- /dev/null
+++ b/config/filter.d/nginx-bad-request.conf
@@ -0,0 +1,13 @@
+# Fail2Ban filter to match bad requests to nginx
+#
+
+[Definition]
+
+# The request often doesn't contain a method, only some encoded garbage
+failregex = ^ \- \S+ \[\] \".+\" 400 .+$
+
+datepattern = {^LN-BEG}%%ExY(?P<_sep>[-/.])%%m(?P=_sep)%%d[T ]%%H:%%M:%%S(?:[.,]%%f)?(?:\s*%%z)?
+ ^[^\[]*\[({DATE})
+ {^LN-BEG}
+
+# Author: Jan Przybylak

From d7ef5d166db58ec402408fa97c0b291906c3d8c9 Mon Sep 17 00:00:00 2001
From: Jan Przybylak
Date: Thu, 11 Jun 2020 16:44:48 +0200
Subject: [PATCH 2/4] Removed vulnerable catchall & anchor

---
 config/filter.d/nginx-bad-request.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/filter.d/nginx-bad-request.conf b/config/filter.d/nginx-bad-request.conf
index ea26d56a..03721f86 100644
--- a/config/filter.d/nginx-bad-request.conf
+++ b/config/filter.d/nginx-bad-request.conf
@@ -4,7 +4,7 @@
 [Definition]
 
 # The request often doesn't contain a method, only some encoded garbage
-failregex = ^ \- \S+ \[\] \".+\" 400 .+$
+failregex = ^ \- \S+ \[\] \"[^\"]+\" 400
 
 datepattern = {^LN-BEG}%%ExY(?P<_sep>[-/.])%%m(?P=_sep)%%d[T ]%%H:%%M:%%S(?:[.,]%%f)?(?:\s*%%z)?
 ^[^\[]*\[({DATE})

From a5ab4406d8b7d34da8e653d8d5debd2c0735b484 Mon Sep 17 00:00:00 2001
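Review bot: The added failregex carries no `<HOST>` tag (nor any other failure-id group), and fail2ban takes the address to ban from that group; the anchor `^ - \S+ \[\]` expects the match to begin at the ` - ` that follows the client address, so unless something outside this file supplies the host group the filter can match but never ban. If I read the requirement correctly the line should be `failregex = ^<HOST> - \S+ \[\] \".+\" 400 .+$`, with the `<HOST>` tag kept through the rewrites of this line in PATCH 2/4 and PATCH 3/4, which have the same omission. Worth confirming against the `testSampleRegex` run mentioned in PATCH 4/4, since the sample log expects `"host"` to be extracted from each line.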
From: Jan Przybylak
Date: Sun, 21 Jun 2020 18:24:09 +0200
Subject: [PATCH 3/4] Removed unnecessary escape sequence

This commit also contains changes to match requests that are 100% empty (by using "*" instead of "+" in the regex)
---
 config/filter.d/nginx-bad-request.conf | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/config/filter.d/nginx-bad-request.conf b/config/filter.d/nginx-bad-request.conf
index 03721f86..2b8f5ab6 100644
--- a/config/filter.d/nginx-bad-request.conf
+++ b/config/filter.d/nginx-bad-request.conf
@@ -4,7 +4,8 @@
 [Definition]
 
 # The request often doesn't contain a method, only some encoded garbage
-failregex = ^ \- \S+ \[\] \"[^\"]+\" 400
+# This will also match requests that are entirely empty
+failregex = ^ - \S+ \[\] "[^"]*" 400
 
 datepattern = {^LN-BEG}%%ExY(?P<_sep>[-/.])%%m(?P=_sep)%%d[T ]%%H:%%M:%%S(?:[.,]%%f)?(?:\s*%%z)?
 ^[^\[]*\[({DATE})

From 56fefe9240a6cc06650b91743339451caf6aa2f1 Mon Sep 17 00:00:00 2001
From: Jan Przybylak
Date: Sun, 21 Jun 2020 18:25:27 +0200
Subject: [PATCH 4/4] Added test file "nginx-bad-request"

I tested with `./fail2ban-testcases testSampleRegex`, which did not return any errors.
---
 fail2ban/tests/files/logs/nginx-bad-request | 23 +++++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 fail2ban/tests/files/logs/nginx-bad-request

diff --git a/fail2ban/tests/files/logs/nginx-bad-request b/fail2ban/tests/files/logs/nginx-bad-request
new file mode 100644
index 00000000..a9ff6497
--- /dev/null
+++ b/fail2ban/tests/files/logs/nginx-bad-request
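Review bot: The rewritten failregex is only safe because the request field can never contain a raw `"` — nginx's default log escaping writes embedded quotes and control bytes as `\xNN` sequences (the `\x03\x00…` sample in the PATCH 4/4 log shows this) — but the new comment does not record that, and the reason `[^"]*` was chosen over the `.+` it replaces is exactly what a later editor needs to see; add a line such as `# nginx escapes quotes and control bytes in $request as \xNN, so [^"]* stays bounded` above the failregex. The status is also left open at the right: `400` matches any line whose status field merely starts with 400, so `"[^"]*" 400 ` (trailing space) or `400\b` would pin it to the whole field.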
@@ -0,0 +1,23 @@
+# failJSON: { "time": "2015-01-20T19:53:28", "match": true , "host": "12.34.56.78" }
+12.34.56.78 - - [20/Jan/2015:19:53:28 +0100] "" 400 47 "-" "-" "-"
+
+# failJSON: { "time": "2015-01-20T19:53:28", "match": true , "host": "12.34.56.78" }
+12.34.56.78 - root [20/Jan/2015:19:53:28 +0100] "" 400 47 "-" "-" "-"
+
+# failJSON: { "time": "2015-01-20T19:53:28", "match": true , "host": "12.34.56.78" }
+12.34.56.78 - - [20/Jan/2015:19:53:28 +0100] "\x03\x00\x00/*\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Administr" 400 47 "-" "-" "-"
+
+# failJSON: { "time": "2015-01-20T19:53:28", "match": true , "host": "12.34.56.78" }
+12.34.56.78 - - [20/Jan/2015:19:53:28 +0100] "GET //admin/pma/scripts/setup.php HTTP/1.1" 400 47 "-" "-" "-"
+
+# failJSON: { "time": "2015-01-20T19:54:28", "match": true , "host": "12.34.56.78" }
+12.34.56.78 - - [20/Jan/2015:19:54:28 +0100] "HELP" 400 47 "-" "-" "-"
+
+# failJSON: { "time": "2015-01-20T19:55:28", "match": true , "host": "12.34.56.78" }
+12.34.56.78 - - [20/Jan/2015:19:55:28 +0100] "batman" 400 47 "-" "-" "-"
+
+# failJSON: { "time": "2015-01-20T01:17:07", "match": true , "host": "7.8.9.10" }
+7.8.9.10 - root [20/Jan/2015:01:17:07 +0100] "CONNECT 123.123.123.123 HTTP/1.1" 400 162 "-" "-" "-"
+
+# failJSON: { "time": "2014-12-12T22:59:02", "match": true , "host": "2.5.2.5" }
+2.5.2.5 - tomcat [12/Dec/2014:22:59:02 +0100] "GET /cgi-bin/tools/tools.pl HTTP/1.1" 400 162 "-" "-" "-"
\ No newline at end of file
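Review bot: Every entry in the new sample log asserts `"match": true`, so `testSampleRegex` never checks that the filter leaves ordinary traffic alone — a regex that over-matched (for instance one that lost the `400`) would pass this file unchanged. Add at least one negative sample in the same format, e.g. `# failJSON: { "match": false }` followed by a constructed line such as `12.34.56.78 - - [20/Jan/2015:19:56:28 +0100] "GET / HTTP/1.1" 200 612 "-" "-" "-"`, and ideally a `404` line as well, since those are exactly the lines a bad-request filter must never ban on. The missing trailing newline flagged by `\ No newline at end of file` is cosmetic but worth fixing while the file is new.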