Merge pull request #557 from grooverdan/apache-botsearch

ENH: Apache botsearch + BF: tag substition
2014-01-09 14:11:00 -08:00 · 2014-01-09 14:11:00 -08:00 · 8333abe420
parent 7e8da15fc6 b0baab3a0e
commit 8333abe420
8 changed files with 118 additions and 3 deletions
--- a/1
+++ b/1
@ -55,6 +55,7 @@ configuration before relying on it.
   * Added action xarf-login-attack to report formatted attack messages
     according to the XARF standard (v0.2). Close gh-105
   * Support PyPy
   * Add filter for apache-botsearch
   * Filter for stunnel
   * Filter for Counter Strike 1.6. Thanks to onorua for logs.
     Close gh-347
--- a/2
+++ b/2
@ -102,6 +102,7 @@ fail2ban/tests/files/logs/bsd/syslog-vv.txt
 fail2ban/tests/files/logs/3proxy
 fail2ban/tests/files/logs/apache-auth
 fail2ban/tests/files/logs/apache-badbots
 fail2ban/tests/files/logs/apache-botscripts
 fail2ban/tests/files/logs/apache-modsecurity
 fail2ban/tests/files/logs/apache-nohome
 fail2ban/tests/files/logs/apache-noscript
@ -170,6 +171,7 @@ config/fail2ban.conf
 config/filter.d/common.conf
 config/filter.d/apache-auth.conf
 config/filter.d/apache-badbots.conf
 config/filter.d/apache-botsearch.conf
 config/filter.d/apache-nohome.conf
 config/filter.d/apache-noscript.conf
 config/filter.d/apache-overflows.conf
--- a/config/filter.d/apache-botsearch.conf
+++ b/config/filter.d/apache-botsearch.conf
@ -0,0 +1,48 @@
 # Fail2Ban filter to match web requests for selected URLs that don't exist
 #
 # This filter is aimed at blocking specific URLs that don't exist. This
 # could be a set of URLs places in a Disallow: directive in robots.txt or
 # just some web services that don't exist caused bots are searching for
 # exploitable content. This filter is designed to have a low false postitive
 # rate due.
 #
 # An alternative to this is the apache-noscript filter which blocks all
 # types of scripts that don't exist.
 #
 #
 # This is normally a predefined list of exploitable or valuable web services
 # that are hidden or aren't actually installed.
 #
 [INCLUDES]
 # overwrite with apache-common.local if _apache_error_client is incorrect.
 before = apache-common.conf
 [Definition]
 failregex = ^%(_apache_error_client)s ((AH001(28|30): )?File does not exist|(AH01264: )?script not found or unable to stat): <webroot><block>(, referer: \S+)?\s*$
            ^%(_apache_error_client)s script '<webroot><block>' not found or unable to stat(, referer: \S+)?\s*$
 ignoreregex = 
 [Init]
 # Webroot represents the webroot on which all other files are based
 webroot = /var/www/
 # Block is the actual non-found directories to block
 block = (<webmail>|<phpmyadmin>|<wordpress>)[^,]*
 # These are just convient definitions that assist the blocking of stuff that 
 # isn't installed
 webmail = roundcube|(ext)?mail|horde|(v-?)?webmail
 phpmyadmin = (typo3/|xampp/|admin/|)(pma|(php)?[Mm]y[Aa]dmin)
 wordpress = wp-(login|signup)\.php
 # DEV Notes:
 #
 # Author: Daniel Black
--- a/config/filter.d/apache-noscript.conf
+++ b/config/filter.d/apache-noscript.conf
@ -1,5 +1,13 @@
 # Fail2Ban filter to block web requests for scripts (on non scripted websites)
 #
 # This matches many types of scripts that don't exist. This could generate a
 # lot of false positive matches in cases like wikis and forums where users
 # no affiliated with the website can insert links to missing files/scripts into
 # pages and cause non-malicious browsers of the site to trigger against this
 # filter.
 #
 # If you'd like to match specific URLs that don't exist see the
 # apache-botsearch filter.
 #
 [INCLUDES]
@ -19,6 +27,6 @@ ignoreregex =
 #
 # https://wiki.apache.org/httpd/ListOfErrors for apache error IDs
 #
-# Second regex, script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat\s*$ is Before http-2.2
+# Second regex, script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat\s*$ is in httpd-2.2
 #
 # Author: Cyril Jaquier
--- a/config/jail.conf
+++ b/config/jail.conf
@ -355,6 +355,13 @@ logpath  = /var/log/apache*/*error.log
 maxretry = 2
 [apache-botsearch]
 port     = http,https
 logpath  = /var/log/apache*/*error.log
 maxretry = 2
 [apache-modsecurity]
 port     = http,https
--- a/fail2ban/server/action.py
+++ b/fail2ban/server/action.py
@ -379,11 +379,11 @@ class CommandAction(ActionBase):
 				#logSys.log(5, 'found: %s' % found_tag)
 				if found_tag == tag or found_tag in done:
 					# recursive definitions are bad
-					#logSys.log(5, 'recursion fail')
+					#logSys.log(5, 'recursion fail tag: %s value: %s' % (tag, value) )
 					return False
 				else:
 					if tags.has_key(found_tag):
-						value = value[0:m.start()] + tags[found_tag] + value[m.end():]
+						value = value.replace('<%s>' % found_tag , tags[found_tag])
 						#logSys.log(5, 'value now: %s' % value)
 						done.append(found_tag)
 						m = t.search(value, m.start())
--- a/fail2ban/tests/actiontestcase.py
+++ b/fail2ban/tests/actiontestcase.py
@ -60,6 +60,12 @@ class CommandActionTest(LogCaptureTestCase):
 		self.assertEqual(CommandAction.substituteRecursiveTags({'A': '<C>'}), {'A': '<C>'})
 		self.assertEqual(CommandAction.substituteRecursiveTags({'A': '<C> <D> <X>','X':'fun'}), {'A': '<C> <D> fun', 'X':'fun'})
 		self.assertEqual(CommandAction.substituteRecursiveTags({'A': '<C> <B>', 'B': 'cool'}), {'A': '<C> cool', 'B': 'cool'})
 		# Multiple stuff on same line is ok
 		self.assertEqual(CommandAction.substituteRecursiveTags({'failregex': 'to=<honeypot> fromip=<IP> evilperson=<honeypot>', 'honeypot': 'pokie', 'ignoreregex': ''}),
 								{ 'failregex': "to=pokie fromip=<IP> evilperson=pokie",
 									'honeypot': 'pokie',
 									'ignoreregex': '',
 								})
 		# rest is just cool
 		self.assertEqual(CommandAction.substituteRecursiveTags(aInfo),
 								{ 'HOST': "192.0.2.0",
--- a/fail2ban/tests/files/logs/apache-botsearch
+++ b/fail2ban/tests/files/logs/apache-botsearch
@ -0,0 +1,43 @@
 # failJSON: { "time": "2008-07-22T06:48:30", "match": true , "host": "198.51.100.86" }
 [Tue Jul 22 06:48:30 2008] [error] [client 198.51.100.86] script not found or unable to stat: /var/www/wp-login.php
 # failJSON: { "time": "2013-12-23T09:49:10", "match": true , "host": "115.249.248.145" }
 [Mon Dec 23 09:49:10 2013] [error] [client 115.249.248.145] File does not exist: /var/www/pma
 # failJSON: { "time": "2013-12-23T09:49:10", "match": true , "host": "115.249.248.145" }
 [Mon Dec 23 09:49:10 2013] [error] [client 115.249.248.145] File does not exist: /var/www/phpmyadmin
 # failJSON: { "time": "2013-12-23T09:49:13", "match": true , "host": "115.249.248.145" }
 [Mon Dec 23 09:49:13 2013] [error] [client 115.249.248.145] File does not exist: /var/www/webmail
 # failJSON: { "time": "2013-12-23T09:49:13", "match": true , "host": "115.249.248.145" }
 [Mon Dec 23 09:49:13 2013] [error] [client 115.249.248.145] File does not exist: /var/www/mail
 # failJSON: { "time": "2013-12-31T09:13:47", "match": true , "host": "176.102.37.56" }
 [Tue Dec 31 09:13:47 2013] [error] [client 176.102.37.56] script '/var/www/wp-login.php' not found or unable to stat
 # failJSON: { "time": "2014-01-03T09:20:23", "match": true , "host": "46.23.77.174" }
 [Fri Jan 03 09:20:23 2014] [error] [client 46.23.77.174] File does not exist: /var/www/mail
 # failJSON: { "time": "2014-01-03T09:20:25", "match": true , "host": "46.23.77.174" }
 [Fri Jan 03 09:20:25 2014] [error] [client 46.23.77.174] File does not exist: /var/www/mail_this_entry
 # failJSON: { "time": "2014-01-03T09:26:52", "match": true , "host": "46.23.77.174" }
 [Fri Jan 03 09:26:52 2014] [error] [client 46.23.77.174] File does not exist: /var/www/pmapper-3.2-beta3
 # failJSON: { "time": "2014-01-03T09:33:53", "match": true , "host": "46.23.77.174" }
 [Fri Jan 03 09:33:53 2014] [error] [client 46.23.77.174] File does not exist: /var/www/v-webmail
 # failJSON: { "time": "2014-01-03T09:34:15", "match": true , "host": "46.23.77.174" }
 [Fri Jan 03 09:34:15 2014] [error] [client 46.23.77.174] File does not exist: /var/www/vwebmail
 # failJSON: { "time": "2014-01-03T09:35:47", "match": true , "host": "46.23.77.174" }
 [Fri Jan 03 09:35:47 2014] [error] [client 46.23.77.174] File does not exist: /var/www/webmail
 # failJSON: { "time": "2013-12-23T21:21:39", "match": true , "host": "183.60.244.49" }
 [Mon Dec 23 21:21:39 2013] [error] [client 183.60.244.49] File does not exist: /var/www/extmail, referer: http://www.baidu.com
 # failJSON: { "time": "2013-12-23T21:21:44", "match": true , "host": "183.60.244.49" }
 [Mon Dec 23 21:21:44 2013] [error] [client 183.60.244.49] File does not exist: /var/www/extmail, referer: http://www.baidu.com
 # failJSON: { "time": "2013-12-23T21:21:47", "match": true , "host": "183.60.244.49" }
 [Mon Dec 23 21:21:47 2013] [error] [client 183.60.244.49] File does not exist: /var/www/mails, referer: http://www.baidu.com
 # failJSON: { "time": "2013-12-23T21:22:00", "match": true , "host": "183.60.244.49" }
 [Mon Dec 23 21:22:00 2013] [error] [client 183.60.244.49] File does not exist: /var/www/extmail, referer: http://www.baidu.com
 # failJSON: { "time": "2013-12-23T21:22:16", "match": true , "host": "183.60.244.49" }
 [Mon Dec 23 21:22:16 2013] [error] [client 183.60.244.49] File does not exist: /var/www/phpmyadmin, referer: http://www.baidu.com
 # failJSON: { "time": "2014-01-03T14:50:39", "match": false , "host": "92.43.20.165" }
 [Fri Jan 03 14:50:39 2014] [error] [client 92.43.20.165] script '/var/www/forum/mail.php' not found or unable to stat
 # failJSON: { "time": "2014-12-06T09:29:34", "match": false , "host": "122.49.201.178" }
 [Fri Dec 06 09:29:34 2013] [error] [client 122.49.201.178] client denied by server configuration: /var/www/webmail/.htaccess