adding filter to detect Shellshock attack attempts against bash scripts through apache. See http://seclists.org/oss-sec/2014/q3/650

2014-09-26 16:25:07 +01:00 · 2014-09-26 16:25:07 +01:00 · 4f636eb0e3
parent bfaf33b6ba
commit 4f636eb0e3
1 changed files with 26 additions and 0 deletions
--- a/config/filter.d/apache-shellshock.conf
+++ b/config/filter.d/apache-shellshock.conf
@ -0,0 +1,26 @@
+# Fail2Ban filter to block web requests containing custom headers attempting to exploit the shellshock bug
+#
+#
+
+[INCLUDES]
+
+# overwrite with apache-common.local if _apache_error_client is incorrect.
+before = apache-common.conf
+
+[Definition]
+
+failregex = ^%(_apache_error_client)s (AH01215: )?/bin/(ba)?sh: warning: HTTP_.*?: ignoring function definition attempt(, referer: \S+)?\s*$
+            ^%(_apache_error_client)s (AH01215: )?/bin/(ba)?sh: error importing function definition for `HTTP_.*?'(, referer: \S+)?\s*$
+
+ignoreregex = 
+
+
+# DEV Notes:
+#
+# https://wiki.apache.org/httpd/ListOfErrors for apache error IDs
+#
+# example log lines: 
+# [Thu Sep 25 09:27:18.813902 2014] [cgi:error] [pid 16860] [client 89.207.132.76:59635] AH01215: /bin/bash: warning: HTTP_TEST: ignoring function definition attempt
+# [Thu Sep 25 09:29:56.141832 2014] [cgi:error] [pid 16864] [client 162.247.73.206:41273] AH01215: /bin/bash: error importing function definition for `HTTP_TEST'
+#
+# Author: Eugene Hopkinson (riot@riot.so)