From 4f636eb0e3295ee1e8a35f1398926e95ab8b39ba Mon Sep 17 00:00:00 2001
From: SlowRiot
Date: Fri, 26 Sep 2014 16:25:07 +0100
Subject: [PATCH 1/4] adding filter to detect Shellshock attack attempts against bash scripts through apache. See http://seclists.org/oss-sec/2014/q3/650
---
 config/filter.d/apache-shellshock.conf | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 config/filter.d/apache-shellshock.conf
diff --git a/config/filter.d/apache-shellshock.conf b/config/filter.d/apache-shellshock.conf
new file mode 100644
index 00000000..39df1704
--- /dev/null
+++ b/config/filter.d/apache-shellshock.conf
@@ -0,0 +1,26 @@
+# Fail2Ban filter to block web requests containing custom headers attempting to exploit the shellshock bug
+#
+#
+
+[INCLUDES]
+
+# overwrite with apache-common.local if _apache_error_client is incorrect.
+before = apache-common.conf
+
+[Definition]
+
+failregex = ^%(_apache_error_client)s (AH01215: )?/bin/(ba)?sh: warning: HTTP_.*?: ignoring function definition attempt(, referer: \S+)?\s*$ ^%(_apache_error_client)s (AH01215: )?/bin/(ba)?sh: error importing function definition for `HTTP_.*?'(, referer: \S+)?\s*$
+ignoreregex =
+
+
+# DEV Notes:
+#
+# https://wiki.apache.org/httpd/ListOfErrors for apache error IDs
+#
+# example log lines:
+# [Thu Sep 25 09:27:18.813902 2014] [cgi:error] [pid 16860] [client 89.207.132.76:59635] AH01215: /bin/bash: warning: HTTP_TEST: ignoring function definition attempt
+# [Thu Sep 25 09:29:56.141832 2014] [cgi:error] [pid 16864] [client 162.247.73.206:41273] AH01215: /bin/bash: error importing function definition for `HTTP_TEST'
+#
+# Author: Eugene Hopkinson (riot@riot.so)
From fc5f729f01dfaa8aae21e7f7a9603caf2e6fa626 Mon Sep 17 00:00:00 2001
From: SlowRiot
Date: Fri, 26 Sep 2014 16:37:50 +0100
Subject: [PATCH 2/4] adding jail conf for shellshock filter
---
 config/jail.conf | 5 +++++
 1 file changed, 5 insertions(+)
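Review bot: The DEV Notes in the new filter should say what a match actually tells the operator: as far as I can tell the `warning: HTTP_...: ignoring function definition attempt` and `error importing function definition` messages are only printed by a bash that already rejects function definitions smuggled in through environment variables (the fix discussed in the oss-sec post the commit cites), so a matching line means the host refused the payload, while a bash without that fix runs it and writes nothing this filter can see. The jail is therefore a detector for probes against already-fixed hosts, not a substitute for updating bash, and silence in the error log must not be read as "no attempts". I would add under `# DEV Notes:` the line `# these messages come from a bash that already rejects the injected definition; a bash without that fix executes it silently and logs nothing here`. Separately, both failregex alternatives only accept the interpreter as `/bin/(ba)?sh`, so if bash is installed under another path the line presumably will not match; if that restriction is intentional it deserves a sentence in the notes too.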
diff --git a/config/jail.conf b/config/jail.conf
index c48e6a7b..99729350 100644
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -283,6 +283,11 @@ port = http,https
 logpath = %(apache_error_log)s
 maxretry = 2
+[apache-shellshock]
+
+port = http,https
+logpath = $(apache_error_log)s
+maxretry = 1
 [nginx-http-auth]
From 7b5dc9f24f5624ebe6d42048b3e81920a214c7fe Mon Sep 17 00:00:00 2001
From: SlowRiot
Date: Fri, 26 Sep 2014 18:48:56 +0100
Subject: [PATCH 3/4] adding test case, changelog and thanks entries for apache shellshock filter
---
 ChangeLog | 1 +
 THANKS | 1 +
 2 files changed, 2 insertions(+)
diff --git a/ChangeLog b/ChangeLog
index 1a98c1a0..d92aec4a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -57,6 +57,7 @@ ver. 0.9.1 (2014/xx/xx) - better, faster, stronger
 - New filters:
 - monit Thanks Jason H Martin
 - directadmin Thanks niorg
+ - apache-shellshock Thanks Eugene Hopkinson (SlowRiot)
 - New actions:
 - symbiosis-blacklist-allports for Bytemark symbiosis firewall
 - fail2ban-client can fetch the running server version
diff --git a/THANKS b/THANKS
index 42887a05..0433f7ed 100644
--- a/THANKS
+++ b/THANKS
@@ -34,6 +34,7 @@ David Nutter
 Derek Atkins
 Eric Gerbier
 Enrico Labedzki
+Eugene Hopkinson (SlowRiot)
 ftoppi
 François Boulogne
 Frédéric
From 5d526bbeb15d484039c86ce655e42ce31b462714 Mon Sep 17 00:00:00 2001
From: SlowRiot
Date: Mon, 29 Sep 2014 00:49:22 +0100
Subject: [PATCH 4/4] forgot to add test case to last commit
---
 fail2ban/tests/files/logs/apache-shellshock | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 fail2ban/tests/files/logs/apache-shellshock
diff --git a/fail2ban/tests/files/logs/apache-shellshock b/fail2ban/tests/files/logs/apache-shellshock
new file mode 100644
index 00000000..0acf4546
--- /dev/null
+++ b/fail2ban/tests/files/logs/apache-shellshock
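Review bot: `+logpath = $(apache_error_log)s` in the new `[apache-shellshock]` section of config/jail.conf uses `$(` where this file's interpolation syntax is `%(name)s`, as the context line `logpath = %(apache_error_log)s` two lines above shows; with `$(` the value is presumably left as a literal string, so the jail would look for a file named `$(apache_error_log)s` and fail to start, leaving the new filter inactive. Change it to `logpath = %(apache_error_log)s`. `maxretry = 1` bans on the first matching line, which looks reasonable since the filter only fires on explicit function-definition warnings, but a short comment stating that intent would stop a later reader from "fixing" it to match the neighbouring jails.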
@@ -0,0 +1,4 @@
+# failJSON: { "time": "2014-09-25T09:27:18", "match": true , "host": "89.207.132.76" }
+[Thu Sep 25 09:27:18.813902 2014] [cgi:error] [pid 16860] [client 89.207.132.76:59635] AH01215: /bin/bash: warning: HTTP_TEST: ignoring function definition attempt
+# failJSON: { "time": "2014-09-25T09:29:56", "match": true , "host": "162.247.73.206" }
+[Thu Sep 25 09:29:56.141832 2014] [cgi:error] [pid 16864] [client 162.247.73.206:41273] AH01215: /bin/bash: error importing function definition for `HTTP_TEST'
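Review bot: The fixture only exercises the narrowest form of each failregex: both lines carry the `AH01215: ` prefix, name `/bin/bash`, and have no `, referer:` suffix, so the optional groups `(AH01215: )?`, `(ba)?` and `(, referer: \S+)?` in config/filter.d/apache-shellshock.conf are never checked by the test. I would add at least one line without the error ID, one naming `/bin/sh`, and one ending in `, referer: <constructed url>`, each with its own `# failJSON:` entry, so a later edit to the regex cannot silently break those branches. A `"match": false` line of ordinary `[cgi:error]` output without the function-definition text would also guard against the regex being loosened too far.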