diff --git a/ChangeLog b/ChangeLog
index b2a98046..60a66ee6 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -56,6 +56,7 @@ configuration before relying on it. according to the XARF standard (v0.2). Close gh-105 * Add filter for apache-modsecurity * Support PyPy + * Add filter for apache-botsearch - Enhancements * Multiline filter for sendmail-spam. Close gh-418
diff --git a/MANIFEST b/MANIFEST
index b03d309f..47dc4d1c 100644
--- a/MANIFEST
+++ b/MANIFEST
@@ -96,6 +96,7 @@ fail2ban/tests/files/logs/bsd/syslog-vv.txt
 fail2ban/tests/files/logs/3proxy
 fail2ban/tests/files/logs/apache-auth
 fail2ban/tests/files/logs/apache-badbots
+fail2ban/tests/files/logs/apache-botscripts
 fail2ban/tests/files/logs/apache-modsecurity
 fail2ban/tests/files/logs/apache-nohome
 fail2ban/tests/files/logs/apache-noscript
@@ -159,6 +160,7 @@ config/jail.conf
 config/filter.d/common.conf
 config/filter.d/apache-auth.conf
 config/filter.d/apache-badbots.conf
+config/filter.d/apache-botsearch.conf
 config/filter.d/apache-nohome.conf
 config/filter.d/apache-noscript.conf
 config/filter.d/apache-overflows.conf
diff --git a/config/filter.d/apache-botsearch.conf b/config/filter.d/apache-botsearch.conf
new file mode 100644
index 00000000..f3bb6e70
--- /dev/null
+++ b/config/filter.d/apache-botsearch.conf
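Review bot: The path added in the first MANIFEST hunk, `fail2ban/tests/files/logs/apache-botscripts`, names a file this commit does not create; the test log actually added further down is `fail2ban/tests/files/logs/apache-botsearch`. The second hunk's `config/filter.d/apache-botsearch.conf` entry matches the new filter, so only the log entry looks misspelled. If MANIFEST drives the source distribution, as it presumably does here, the release would ship without the new fixture and a manifest check would report a missing file. Change the added line to `fail2ban/tests/files/logs/apache-botsearch`.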
@@ -0,0 +1,37 @@
+# Fail2Ban filter to block web requests for stuff that doesn't exist
+#
+# This is normally a predefined list of exploitable or valuable web services
+# that are hidden or aren't actually installed.
+#
+
+[INCLUDES]
+
+# overwrite with apache-common.local if _apache_error_client is incorrect.
+before = apache-common.conf
+
+[Definition]
+
+failregex = ^%(_apache_error_client)s ((AH001(28|30): )?File does not exist|(AH01264: )?script not found or unable to stat): (, referer: \S+)?\s*$
+
+ignoreregex =
+
+
+[Init]
+
+# Webroot represents the webroot on which all other files are based
+webroot = /var/www/
+# Block is the actual non-found directories to block
+block = (||)
+
+# These are just convient definitions that assist the blocking of stuff that
+# isn't installed
+webmail = roundcube|mail|horde|webmail
+
+phpmyadmin = (typo3/|xampp/|)(pma|(php)?myadmin)
+
+wordpress = wp-(login|signup)\.php
+
+
+# DEV Notes:
+#
+# Author: Daniel Black
diff --git a/fail2ban/tests/files/logs/apache-botsearch b/fail2ban/tests/files/logs/apache-botsearch
new file mode 100644
index 00000000..476f3ad2
--- /dev/null
+++ b/fail2ban/tests/files/logs/apache-botsearch
@@ -0,0 +1,2 @@
+# failJSON: { "time": "2008-07-22T06:48:30", "match": true , "host": "198.51.100.86" }
+[Tue Jul 22 06:48:30 2008] [error] [client 198.51.100.86] script not found or unable to stat: /var/www/wp-login.php
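Review bot: As shown, the failregex ends `unable to stat): (, referer: \S+)?\s*$` with nothing between the colon and the optional referer, `block = (||)` is an empty alternation, and `webroot`, `webmail`, `phpmyadmin` and `wordpress` are defined in `[Init]` but never referenced; this looks like fail2ban `<tag>` substitutions (`<webroot><block>` in the regex and `<webmail>|<phpmyadmin>|<wordpress>` in `block`) dropped by the rendering, so please confirm the committed file carries them, because without them every "File does not exist" line matches and any client that merely produces ordinary 404s ends up banned. Whatever `webroot` is set to is spliced into the regex verbatim, so a value containing regex metacharacters silently changes the pattern; add above it `# NOTE: inserted into failregex unescaped - escape regex metacharacters (e.g. '.' as '\.')`. The same applies to the `phpmyadmin` and `wordpress` fragments if a local override edits them. Also, `convient` in the `[Init]` comment should read `convenient`.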
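Review bot: The only sample in the new test log is a `script not found or unable to stat` line for `/var/www/wp-login.php`, so the `File does not exist` alternative, the `AH00128`/`AH00130`/`AH01264`-prefixed forms and the `, referer:` suffix of the failregex are never exercised, and there is no `"match": false` line showing that a missing file outside the block list is left alone. Add at least one line per alternative in the existing failJSON format, for example `[Tue Jul 22 06:48:31 2008] [error] [client 198.51.100.86] File does not exist: /var/www/phpmyadmin` marked `"match": true`, plus a negative case such as `[Tue Jul 22 06:48:32 2008] [error] [client 198.51.100.86] File does not exist: /var/www/favicon.ico` marked `"match": false`. The negative case is what would catch a regression that widens the filter to every 404, which is the false-positive ban risk for this kind of filter.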