add filter to block unintended directory browsing

2025-04-17 03:36:59 +08:00 · 2025-04-17 03:36:59 +08:00 · 6da1248bce
parent c76e90fbb1
commit 6da1248bce
2 changed files with 27 additions and 0 deletions
--- a/config/filter.d/apache-noindex.conf
+++ b/config/filter.d/apache-noindex.conf
@ -0,0 +1,19 @@
+# Fail2Ban filter to block unintended requests for directory browsing
+#
+# Directory browsing is ontrolled by Indexes Option in apache2. The option
+# can by set per directory. This filter helps to block unintended requests.
+# for direcotry browsing.
+
+[INCLUDES]
+
+# overwrite with apache-common.local if _apache_error_client is incorrect.
+before = apache-common.conf
+
+[Definition]
+
+failregex = ^%(_apache_error_client)s ((AH01276: )?.*Cannot serve directory .* directory index forbidden by Options directive$|Directory index forbidden by Options directive: .*$)
+
+ignoreregex = 
+
+# Author: Binhao Qian <gonwan@gmail.com>
+
--- a/fail2ban/tests/files/logs/apache-noindex
+++ b/fail2ban/tests/files/logs/apache-noindex
@ -0,0 +1,8 @@
+# Apache 2.2
+# failJSON: { "time": "2025-04-16T16:18:16", "match": true , "host": "13.82.231.149" }
+[Sat Apr 16 16:18:16 2025] [error] [client 13.82.231.149] Directory index forbidden by Options directive: /some/path/to/public/wp-includes/
+
+# Apache 2.4
+# failJSON: { "time": "2025-04-16T16:18:17", "match": true , "host": "13.82.231.149" }
+[Wed Apr 16 16:18:17.927866 2025] [autoindex:error] [pid 27978] [client 13.82.231.149:11585] AH01276: Cannot serve directory /some/path/to/public/wp-includes/: No matching DirectoryIndex (index.html,index.php) found, and server-generated directory index forbidden by Options directive
+