add nginx-tls-downgrade

pull/2881/head
stepodev 2020-11-25 20:57:06 +01:00
parent b8e8a87ee9
commit 27c40a77a3
4 changed files with 29 additions and 0 deletions


@ -21,6 +21,7 @@ ver. 1.0.1-dev-1 (20??/??/??) - development nightly edition
* `actioncheck` behavior is changed now (gh-488), so invariant check as well as restore or repair
of sane environment (in case of recognized unsane state) would only occur on action errors (e. g.
if ban or unban operations are exiting with other code as 0)
* `filter.d/nginx-tls-fallback` -- filter added for tls downgrade probes
ver. 0.11.2 (2020/11/23) - heal-the-world-with-security-tools


@ -0,0 +1,16 @@
# fail2ban filter configuration for nginx
# Ban people checking for TLS_FALLBACK_SCSV repeatedly
# https://stackoverflow.com/questions/28010492/nginx-critical-error-with-ssl-handshaking/28010608#28010608
[Definition]
failregex = ^ \[crit\] \d+#\d+: \*\d+ SSL_do_handshake\(\) failed.*?ssl3_get_record.*?too.*?, client: <HOST>, server: \S+$
ignoreregex =
datepattern = {^LN-BEG}
# Author: Stephan Orlowsky
# maybe not restrictive enough, will also match:
#"[crit] 76952#76952: *5062354 SSL_do_handshake() failed ssl3_get_record too, client: 0.0.0.0, server: thisshouldntmatch"
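Review bot: The `failregex` is looser than the three log samples need: the lazy `.*?` runs around `ssl3_get_record` and `too` let any text through, which is how the over-match described in the trailing comment arises. Since a match leads to a ban, anchor on the literal structure of the message instead, for example `failregex = ^ \[crit\] \d+#\d+: \*\d+ SSL_do_handshake\(\) failed \(SSL: error:[0-9A-F]+:SSL routines:ssl3_get_record:[^)]*too (?:long|short)\) while SSL handshaking, client: <HOST>, server: \S+$`. The header comment says the filter targets TLS_FALLBACK_SCSV checks, but the sample lines are record-length errors, so it should state what is actually matched; something like `# Matches ssl3_get_record length errors during the TLS handshake` would be accurate if that is the intent. The error text presumably depends on the OpenSSL build nginx is linked against, so a comment naming the version these samples came from would help maintainers.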


@ -397,6 +397,9 @@ logpath = %(nginx_error_log)s
port = http,https
logpath = %(nginx_access_log)s
[nginx-tls-fallback]
port = http,https
logpath = %(nginx_access_log)s
# Ban attackers that try to use PHP's URL-fopen() functionality
# through GET/POST variables. - Experimental, with more than a year
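Review bot: The added `[nginx-tls-fallback]` jail sets `logpath = %(nginx_access_log)s`, but the filter's `failregex` and the sample log in this commit are nginx error-log lines (`[crit] ... SSL_do_handshake() failed`). Assuming the usual nginx layout, those lines never reach the access log, so the jail would stay silent and ban nothing. The added line should read `logpath = %(nginx_error_log)s`, the same variable the hunk header shows for the neighbouring jail. A one-line comment above the section, as the other jails have, would also help, e.g. `# Ban clients that repeatedly trigger TLS record-length handshake errors`.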


@ -0,0 +1,9 @@
# failJSON: { "time": "2020-11-25T14:42:16", "match": true , "host": "142.93.180.14" }
2020/11/25 14:42:16 [crit] 76952#76952: *2454307 SSL_do_handshake() failed (SSL: error:1408F0C6:SSL routines:ssl3_get_record:packet length too long) while SSL handshaking, client: 142.93.180.14, server: 0.0.0.0:443
# failJSON: { "time": "2020-11-25T15:47:47", "match": true , "host": "80.191.166.166" }
2020/11/25 15:47:47 [crit] 76952#76952: *5062354 SSL_do_handshake() failed (SSL: error:1408F0A0:SSL routines:ssl3_get_record:length too short) while SSL handshaking, client: 80.191.166.166, server: 0.0.0.0:443
# failJSON: { "time": "2020-11-25T16:48:08", "match": true , "host": "5.126.32.148" }
2020/11/25 16:48:08 [crit] 76952#76952: *7976400 SSL_do_handshake() failed (SSL: error:1408F096:SSL routines:ssl3_get_record:encrypted length too long) while SSL handshaking, client: 5.126.32.148, server: 0.0.0.0:443
# failJSON: { "time": "2020-11-25T16:02:45", "match": false }
2020/11/25 16:02:45 [error] 76952#76952: *5645766 connect() failed (111: Connection refused) while connecting to upstream, client: 5.126.32.148, server: www.google.de, request: "GET /admin/config HTTP/2.0", upstream: "http://127.0.0.1:3000/admin/config", host: "www.google.de"
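Review bot: The only negative sample here is an unrelated `connect() failed` line, so nothing pins down the over-match that the filter's own comment describes. Add that near-miss as a `# failJSON: { "time": "...", "match": false }` case: a dated `[crit]` line reading `SSL_do_handshake() failed ssl3_get_record too, client: ..., server: ...` without the `(SSL: error:...)` part. That makes a tightened regex regression-tested. The positive samples also appear to carry real client addresses from a production log; documentation ranges such as `192.0.2.0/24` would keep third-party IPs out of the fixtures.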