From 2f9e5fe1da032b04f1188d4f82e0e4ffa8806bd6 Mon Sep 17 00:00:00 2001
From: grafwol
Date: Tue, 25 Jun 2024 09:32:01 +0200
Subject: [PATCH] Enhancing the searching regex for 3 common situations:

1. Clients or bots trying to access resources not being hosted to explore critical files. -> Error 404 is returned
2. Clients or bots trying to exploit services by pinging URIs with methods not allowed (i.e. POST instead of GET) -> Error 405 is returned
3. Clients or bots explore dynamic hosted sites by randomly sending parameters to exploit the API (for all APIs from old CGI to REST service proxied) -> Error 50x is returned

The latter is the weekest criteria bc. the return code is at best a expected exception and then defined by the API designer or at worst depending on the system behind. CGI for example let nginx throw 519 on harsh errors (which is not covered by the regex at all)
---
 config/filter.d/nginx-bad-request.conf | 2 +-
 fail2ban/tests/files/logs/nginx-bad-request | 5 ++++-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/config/filter.d/nginx-bad-request.conf b/config/filter.d/nginx-bad-request.conf
index 12c14ab7..07df73b2 100644
--- a/config/filter.d/nginx-bad-request.conf
+++ b/config/filter.d/nginx-bad-request.conf
@@ -5,7 +5,7 @@
 # The request often doesn't contain a method, only some encoded garbage
 # This will also match requests that are entirely empty
-failregex = ^ - \S+ \[\] "[^"]*" 400
+failregex = ^ - \S+ \[\] "[^"]*" [4-5]0[0-9]
 datepattern = {^LN-BEG}%%ExY(?P<_sep>[-/.])%%m(?P=_sep)%%d[T ]%%H:%%M:%%S(?:[.,]%%f)?(?:\s*%%z)?
 ^[^\[]*\[({DATE})
diff --git a/fail2ban/tests/files/logs/nginx-bad-request b/fail2ban/tests/files/logs/nginx-bad-request
index a9ff6497..1ab5fd0e 100644
--- a/fail2ban/tests/files/logs/nginx-bad-request
+++ b/fail2ban/tests/files/logs/nginx-bad-request
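Review bot: The new status class `[4-5]0[0-9]` on the `+failregex` line matches every code from 400 to 409 and 500 to 509, far more than the three cases the commit message lists: a single 401 or 403 (normal auth challenge or denied page), a 408 timeout, or a 502/503/504 while an upstream is down now counts as a failure, so an outage or a login prompt can get legitimate clients banned, and a plain 404 from a stale link or missing favicon does the same. Enumerating the intended codes keeps the scope reviewable, e.g. replace `[4-5]0[0-9]` with `(?:40[045]|50[0-9])`, and consider moving that alternation into its own definition variable so operators can narrow it per jail, since 404 and 50x are routine outcomes for non-malicious traffic. The comment two lines above still describes only the original 400 case ("The request often doesn't contain a method, only some encoded garbage") and should be extended with a line such as `# Also matches 404/405/50x responses, which will include ordinary broken links and server-side errors, so tune maxretry accordingly`. The commit message itself notes that 5xx codes depend on the backend's behaviour, which is the argument for keeping them opt-in rather than on by default.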
@@ -20,4 +20,7 @@
 7.8.9.10 - root [20/Jan/2015:01:17:07 +0100] "CONNECT 123.123.123.123 HTTP/1.1" 400 162 "-" "-" "-"
 
 # failJSON: { "time": "2014-12-12T22:59:02", "match": true , "host": "2.5.2.5" }
-2.5.2.5 - tomcat [12/Dec/2014:22:59:02 +0100] "GET /cgi-bin/tools/tools.pl HTTP/1.1" 400 162 "-" "-" "-"
\ No newline at end of file
+2.5.2.5 - tomcat [12/Dec/2014:22:59:02 +0100] "GET /cgi-bin/tools/tools.pl HTTP/1.1" 400 162 "-" "-" "-"
+
+# failJSON: { "time": "2014-12-12T22:59:02", "match": true , "host": "192.168.144.1" }
+192.168.144.1 - - [12/Dec/2014:22:59:02 +0100] "GET /adsf HTTP/1.1" 404 118 "-" "-" "-"
\ No newline at end of file
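Review bot: The added fixture only exercises the 404 branch of the widened regex; there is no sample for 405 or any 50x code even though the commit message names those as the motivating cases, and there is no `"match": false` line proving that an ordinary successful request with the same log shape is left alone. Without a negative sample the test cannot catch the regex drifting to match 2xx/3xx lines, which is the regression most likely to affect real users. Adding one entry per intended status and one non-matching 200 line would pin the new scope, e.g. (constructed) `# failJSON: { "time": "2014-12-12T22:59:02", "match": false, "host": "192.0.2.10" }` followed by `192.0.2.10 - - [12/Dec/2014:22:59:02 +0100] "GET /index.html HTTP/1.1" 200 118 "-" "-" "-"`. The new entry also reuses the exact timestamp of the previous sample, which is harmless for failJSON but makes the fixture slightly harder to read when the test reports which line matched.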