github
/
fail2ban
mirror of https://github.com/fail2ban/fail2ban
1
0
Fork 0
Code Issues Releases Wiki Activity

Merge pull request #818 from slowriot/master 

adding filter to detect Shellshock attack attempts with Apache
pull/809/merge
Yaroslav Halchenko 2014-09-29 09:32:21 -04:00
parent bfaf33b6ba 5d526bbeb1
commit b912d61ccb
5 changed files with 37 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
ChangeLog
View File

@ -57,6 +57,7 @@ ver. 0.9.1 (2014/xx/xx) - better, faster, stronger
- New filters: - New filters:
- monit Thanks Jason H Martin - monit Thanks Jason H Martin
- directadmin Thanks niorg - directadmin Thanks niorg
- apache-shellshock Thanks Eugene Hopkinson (SlowRiot)
- New actions: - New actions:
- symbiosis-blacklist-allports for Bytemark symbiosis firewall - symbiosis-blacklist-allports for Bytemark symbiosis firewall
- fail2ban-client can fetch the running server version - fail2ban-client can fetch the running server version

1
THANKS
View File

@ -34,6 +34,7 @@ David Nutter
Derek Atkins Derek Atkins
Eric Gerbier Eric Gerbier
Enrico Labedzki Enrico Labedzki
Eugene Hopkinson (SlowRiot)
ftoppi ftoppi
François Boulogne François Boulogne
Frédéric Frédéric

26
config/filter.d/apache-shellshock.conf Normal file
View File

@ -0,0 +1,26 @@
# Fail2Ban filter to block web requests containing custom headers attempting to exploit the shellshock bug
#
#
[INCLUDES]
# overwrite with apache-common.local if _apache_error_client is incorrect.
before = apache-common.conf
[Definition]
failregex = ^%(_apache_error_client)s (AH01215: )?/bin/(ba)?sh: warning: HTTP_.*?: ignoring function definition attempt(, referer: \S+)?\s*$
^%(_apache_error_client)s (AH01215: )?/bin/(ba)?sh: error importing function definition for `HTTP_.*?'(, referer: \S+)?\s*$
ignoreregex =
# DEV Notes:
#
# https://wiki.apache.org/httpd/ListOfErrors for apache error IDs
#
# example log lines:
# [Thu Sep 25 09:27:18.813902 2014] [cgi:error] [pid 16860] [client 89.207.132.76:59635] AH01215: /bin/bash: warning: HTTP_TEST: ignoring function definition attempt
# [Thu Sep 25 09:29:56.141832 2014] [cgi:error] [pid 16864] [client 162.247.73.206:41273] AH01215: /bin/bash: error importing function definition for `HTTP_TEST'
#
# Author: Eugene Hopkinson (riot@riot.so)

5
config/jail.conf
View File

@ -283,6 +283,11 @@ port = http,https
logpath = %(apache_error_log)s logpath = %(apache_error_log)s
maxretry = 2 maxretry = 2
[apache-shellshock]
port = http,https
logpath = $(apache_error_log)s
maxretry = 1
[nginx-http-auth] [nginx-http-auth]

4
fail2ban/tests/files/logs/apache-shellshock Normal file
View File

@ -0,0 +1,4 @@
# failJSON: { "time": "2014-09-25T09:27:18", "match": true , "host": "89.207.132.76" }
[Thu Sep 25 09:27:18.813902 2014] [cgi:error] [pid 16860] [client 89.207.132.76:59635] AH01215: /bin/bash: warning: HTTP_TEST: ignoring function definition attempt
# failJSON: { "time": "2014-09-25T09:29:56", "match": true , "host": "162.247.73.206" }
[Thu Sep 25 09:29:56.141832 2014] [cgi:error] [pid 16864] [client 162.247.73.206:41273] AH01215: /bin/bash: error importing function definition for `HTTP_TEST'