add nginx-tls-downgrade

4 years ago · 27c40a77a3
4 changed files with 29 additions and 0 deletions
--- a/1
+++ b/1
@ -21,6 +21,7 @@ ver. 1.0.1-dev-1 (20??/??/??) - development nightly edition
 * `actioncheck` behavior is changed now (gh-488), so invariant check as well as restore or repair
   of sane environment (in case of recognized unsane state) would only occur on action errors (e. g.
   if ban or unban operations are exiting with other code as 0)
+* `filter.d/nginx-tls-fallback` -- filter added for tls downgrade probes


 ver. 0.11.2 (2020/11/23) - heal-the-world-with-security-tools
--- a/config/filter.d/nginx-tls-fallback.conf
+++ b/config/filter.d/nginx-tls-fallback.conf
@ -0,0 +1,16 @@
+# fail2ban filter configuration for nginx
+# Ban people checking for TLS_FALLBACK_SCSV repeatedly
+# https://stackoverflow.com/questions/28010492/nginx-critical-error-with-ssl-handshaking/28010608#28010608
+
+[Definition]
+
+
+failregex = ^ \[crit\] \d+#\d+: \*\d+ SSL_do_handshake\(\) failed.*?ssl3_get_record.*?too.*?, client: <HOST>, server: \S+$
+
+ignoreregex = 
+
+datepattern = {^LN-BEG}
+
+# Author: Stephan Orlowsky
+# maybe not restrictive enough, will also match:
+#"[crit] 76952#76952: *5062354 SSL_do_handshake() failed ssl3_get_record too, client: 0.0.0.0, server: thisshouldntmatch"
--- a/config/jail.conf
+++ b/config/jail.conf
@ -397,6 +397,9 @@ logpath  = %(nginx_error_log)s
 port    = http,https
 logpath = %(nginx_access_log)s

+[nginx-tls-fallback]
+port    = http,https
+logpath = %(nginx_access_log)s

 # Ban attackers that try to use PHP's URL-fopen() functionality
 # through GET/POST variables. - Experimental, with more than a year
--- a/fail2ban/tests/files/logs/nginx-tls-fallback
+++ b/fail2ban/tests/files/logs/nginx-tls-fallback
@ -0,0 +1,9 @@
+
+# failJSON: { "time": "2020-11-25T14:42:16", "match": true , "host": "142.93.180.14" }
+2020/11/25 14:42:16 [crit] 76952#76952: *2454307 SSL_do_handshake() failed (SSL: error:1408F0C6:SSL routines:ssl3_get_record:packet length too long) while SSL handshaking, client: 142.93.180.14, server: 0.0.0.0:443
+# failJSON: { "time": "2020-11-25T15:47:47", "match": true , "host": "80.191.166.166" }
+2020/11/25 15:47:47 [crit] 76952#76952: *5062354 SSL_do_handshake() failed (SSL: error:1408F0A0:SSL routines:ssl3_get_record:length too short) while SSL handshaking, client: 80.191.166.166, server: 0.0.0.0:443
+# failJSON: { "time": "2020-11-25T16:48:08", "match": true , "host": "5.126.32.148" }
+2020/11/25 16:48:08 [crit] 76952#76952: *7976400 SSL_do_handshake() failed (SSL: error:1408F096:SSL routines:ssl3_get_record:encrypted length too long) while SSL handshaking, client: 5.126.32.148, server: 0.0.0.0:443
+# failJSON: { "time": "2020-11-25T16:02:45", "match": false }
+2020/11/25 16:02:45 [error] 76952#76952: *5645766 connect() failed (111: Connection refused) while connecting to upstream, client: 5.126.32.148, server: www.google.de, request: "GET /admin/config HTTP/2.0", upstream: "http://127.0.0.1:3000/admin/config", host: "www.google.de"