From 30dc22fb2e59bb373613c8c9115959d3c14bfc4f Mon Sep 17 00:00:00 2001
From: benrubson
Date: Thu, 29 Mar 2018 11:36:49 +0200
Subject: [PATCH 1/5] Detect Apache SNI error / misredirect attempts

---
 config/filter.d/apache-auth.conf | 2 ++
 fail2ban/tests/files/logs/apache-auth | 9 +++++++++
 2 files changed, 11 insertions(+)

diff --git a/config/filter.d/apache-auth.conf b/config/filter.d/apache-auth.conf
index d9a6fa5e..35911745 100644
--- a/config/filter.d/apache-auth.conf
+++ b/config/filter.d/apache-auth.conf
@@ -24,6 +24,8 @@ failregex = ^client (?:denied by server configuration|used wrong authentication
 ^%(auth_type)sunknown algorithm `(?:[^']*|.*?)' received\b
 ^invalid qop `(?:[^']*|.*?)' received\b
 ^%(auth_type)sinvalid nonce .*? received - user attempted time travel\b
+ ^Hostname .* provided via SNI(, but no hostname| and hostname .*) provided\b
+ ^No hostname was provided via SNI for a name based virtual host\b
 ignoreregex =
diff --git a/fail2ban/tests/files/logs/apache-auth b/fail2ban/tests/files/logs/apache-auth
index d430e291..93040b1d 100644
--- a/fail2ban/tests/files/logs/apache-auth
+++ b/fail2ban/tests/files/logs/apache-auth
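Review bot: Both added patterns ban on Apache SSL errors that a non-malicious client can also trigger — `No hostname was provided via SNI for a name based virtual host` (AH02033 in the test log) is logged for any TLS client that sends no SNI at all, and the AH02031/AH02032 lines describe a Host header disagreeing with SNI, which a misconfigured proxy or monitoring check can presumably produce as well — so with a low maxretry this filter may lock out legitimate users rather than only misredirect attempts. A short comment above the two lines, e.g. `# SNI/Host mismatch errors (AH02031, AH02032, AH02033); also seen from non-SNI clients, so keep maxretry above 1`, would make that trade-off visible to whoever enables the filter. The same consideration applies to the tightened `\S+` form of the first pattern in the second patch of this series. The `failregex` definition starts before this hunk.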
@@ -125,6 +125,15 @@
 # failJSON: { "time": "2013-11-18T22:39:33", "match": true , "host": "91.49.82.139" }
 [Mon Nov 18 22:39:33 2013] [error] [client 91.49.82.139] user gg not found: /, referer: http://sj.hopto.org/management.html
+# failJSON: { "time": "2018-03-28T01:31:42", "match": true , "host": "91.49.82.139" }
+[Wed Mar 28 01:31:42.355210 2018] [ssl:error] [pid 6586] [client 91.49.82.139:58028] AH02031: Hostname www.testdom.com provided via SNI, but no hostname provided in HTTP request
+
+# failJSON: { "time": "2018-03-28T01:31:42", "match": true , "host": "91.49.82.139" }
+[Wed Mar 28 01:31:42.355210 2018] [ssl:error] [pid 6586] [client 91.49.82.139:58028] AH02032: Hostname www.testdom.com provided via SNI and hostname dummy.com provided via HTTP have no compatible SSL setup
+
+# failJSON: { "time": "2018-03-28T01:31:42", "match": true , "host": "91.49.82.139" }
+[Wed Mar 28 01:31:42.355210 2018] [ssl:error] [pid 6586] [client 91.49.82.139:58028] AH02033: No hostname was provided via SNI for a name based virtual host
+
 # filterOptions: {"logging": "syslog"}
 # failJSON: { "time": "2005-02-15T16:23:00", "match": true , "host": "192.0.2.1", "desc": "using syslog (ErrorLog syslog)" }
From bd74f7ba8b3f706d0107f3065ea7d6fc3aee534f Mon Sep 17 00:00:00 2001
From: benrubson
Date: Wed, 4 Apr 2018 00:20:58 +0200
Subject: [PATCH 2/5] Detect Apache SNI error / misredirect attempts, typos

---
 config/filter.d/apache-auth.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/filter.d/apache-auth.conf b/config/filter.d/apache-auth.conf
index 35911745..b7aa8b30 100644
--- a/config/filter.d/apache-auth.conf
+++ b/config/filter.d/apache-auth.conf
@@ -24,7 +24,7 @@ failregex = ^client (?:denied by server configuration|used wrong authentication
 ^%(auth_type)sunknown algorithm `(?:[^']*|.*?)' received\b
 ^invalid qop `(?:[^']*|.*?)' received\b
 ^%(auth_type)sinvalid nonce .*? received - user attempted time travel\b
- ^Hostname .* provided via SNI(, but no hostname| and hostname .*) provided\b
+ ^Hostname \S+ provided via SNI(?:, but no hostname| and hostname \S+) provided\b
 ^No hostname was provided via SNI for a name based virtual host\b
 ignoreregex =
From 28ae32f0cab8076382ed4134e86ca04b98c0be48 Mon Sep 17 00:00:00 2001
From: "Sergey G. Brester"
Date: Wed, 4 Apr 2018 16:31:14 +0200
Subject: [PATCH 3/5] Update ChangeLog

---
 ChangeLog | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ChangeLog b/ChangeLog
index 238bf56c..bab1f442 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -48,6 +48,7 @@ ver. 0.10.3-dev-1 (20??/??/??) - development edition
 ### New Features
 ### Enhancements
+* `filter.d/apache-auth.conf`: detection of Apache SNI errors resp. misredirect attempts (gh-2017, gh-2097);
 * `filter.d/apache-noscript.conf`: extend failregex to match "Primary script unknown", e. g. from php-fpm (gh-2073);
 * date-detector extended with long epoch (`LEPOCH`) to parse milliseconds/microseconds posix-dates (gh-2029);
 * possibility to specify own regex-pattern to match epoch date-time, e. g. `^\[{EPOCH}\]` or `^\[{LEPOCH}\]` (gh-2038);
From fc76ccf19218f7eb14afcbf916fe47c3c9ccaa95 Mon Sep 17 00:00:00 2001
From: Luis Aranguren
Date: Mon, 2 Apr 2018 21:35:13 +1000
Subject: [PATCH 4/5] Fixes abuseipdb curl cypher error and comment $f2bV_matches

Fixed https://github.com/fail2ban/fail2ban/issues/2044 #2044 and used https://github.com/fail2ban/fail2ban/issues/2039 to fix comment in abuseipdb.com only showing $f2bV_matches
---
 config/action.d/abuseipdb.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/action.d/abuseipdb.conf b/config/action.d/abuseipdb.conf
index 15e41fbe..279c299e 100644
--- a/config/action.d/abuseipdb.conf
+++ b/config/action.d/abuseipdb.conf
@@ -86,7 +86,7 @@ actioncheck =
 # Tags: See jail.conf(5) man page
 # Values: CMD
 #
-actionban = curl --fail --ciphers ecdhe_ecdsa_aes_256_sha --data 'key=' --data-urlencode 'comment=' --data 'ip=' --data 'category=' "https://www.abuseipdb.com/report/json"
+actionban = lgm=$(printf '%%s\n...' ""); curl --fail --tlsv1.1 --data "key=" --data-urlencode "comment=$lgm" --data "ip=" --data "category=" "https://www.abuseipdb.com/report/json"
 # Option: actionunban
 # Notes.: command executed when unbanning an IP. Take care that the
From d9525ad3aafb3a3a3387e402fcb965a730cf6a97 Mon Sep 17 00:00:00 2001
From: "Sergey G. Brester"
Date: Wed, 4 Apr 2018 16:47:18 +0200
Subject: [PATCH 5/5] Update ChangeLog

---
 ChangeLog | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ChangeLog b/ChangeLog
index e4f89c02..9c424962 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -47,6 +47,7 @@ ver. 0.10.3-dev-1 (20??/??/??) - development edition
 - amend to gh-1263 with better handling of multiple attempts (failures for different user-names recognized immediatelly);
 - mode `ddos` (and `aggressive`) extended to catch `Connection closed by ... [preauth]`, so in DDOS mode it counts failure on closing connection within preauth-stage (gh-2085);
+* `action.d/abuseipdb.conf`: fixed curl cypher errors and comment quote-issue (gh-2044, gh-2101);
 * `action.d/badips.py`: implicit convert IPAddr to str, solves an issue "expected string, IPAddr found" (gh-2059);
 * `action.d/hostsdeny.conf`: fixed IPv6 syntax (enclosed in square brackets, gh-2066);
 * (Free)BSD ipfw actionban fixed to allow same rule added several times (gh-2054);
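Review bot: `--tlsv1.1` on the new `actionban` line only sets curl's minimum protocol version, so reports can still be sent over TLS 1.1, which is deprecated; unless abuseipdb.com is known to require 1.1, the replacement for the dropped `--ciphers` option should be `--tlsv1.2`. Second, the comment text is assembled from log lines, i.e. from input the reported host controls, and the line now expands it inside double quotes (`printf '%%s\n...' "…"`, then `"comment=$lgm"`) where `$`, backticks and backslashes stay live — that is safe only if fail2ban escapes the substituted tag before the shell sees it, so this is worth confirming and recording in the `# Notes.:` block above (the tag arguments appear empty on this page, presumably stripped by the rendering). Finally, the API key is passed as a curl argument on both the old and the new line and is therefore readable from the process list by other local users; a `curl --config` file or `--data @file` would keep it off the command line.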