From c8e82f18b6d58abbe145573bb66ef1081542908a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Franti=C5=A1ek=20=C5=A0um=C5=A1al?=
Date: Thu, 29 Jan 2015 17:57:52 +0100
Subject: [PATCH] Add jail nginx-botsearch
Jail blocks requests for predefined non-existent folders. Based on apache-botsearch jail.
---
 config/filter.d/nginx-botsearch.conf | 29 +++++++++++++++++++++++
 config/jail.conf | 6 +++++
 fail2ban/tests/files/logs/nginx-botsearch | 23 ++++++++++++++++++
 3 files changed, 58 insertions(+)
 create mode 100644 config/filter.d/nginx-botsearch.conf
 create mode 100644 fail2ban/tests/files/logs/nginx-botsearch
diff --git a/config/filter.d/nginx-botsearch.conf b/config/filter.d/nginx-botsearch.conf
new file mode 100644
index 00000000..a45909de
--- /dev/null
+++ b/config/filter.d/nginx-botsearch.conf
@@ -0,0 +1,29 @@
+# Fail2Ban filter to match web requests for selected URLs that don't exist
+#
+
+[Definition]
+
+failregex = ^ \- \S+ \[\] \"(GET|POST) \/ \S+\" 404 .+$
+ ^ \[error\] \d+#\d+: \*\d+ (\S+ )?\"\S+\" (failed|is not found) \(2\: No such file or directory\), client\: \, server\: \S*\, request: \"(GET|POST) \/ \S+\"\, .*?$
+
+ignoreregex = 
+
+
+[Init]
+
+# Block is the actual non-found directories to block
+block = \/?(|||cgi-bin|mysqladmin)[^,]*
+
+# These are just convient definitions that assist the blocking of stuff that
+# isn't installed
+webmail = roundcube|(ext)?mail|horde|(v-?)?webmail
+
+phpmyadmin = (typo3/|xampp/|admin/|)(pma|(php)?[Mm]y[Aa]dmin)
+
+wordpress = wp-(login|signup)\.php
+
+
+# DEV Notes:
+# Based on apache-botsearch filter
+#
+# Author: Frantisek Sumsal
\ No newline at end of file
diff --git a/config/jail.conf b/config/jail.conf
index 334e3298..ae6a1c59 100644
--- a/config/jail.conf
+++ b/config/jail.conf
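Review bot: As rendered, `block = \/?(|||cgi-bin|mysqladmin)[^,]*` has three empty alternatives, and the first `failregex` shows `^ \- \S+ \[\]` and `\/ \S+\"` with nothing where the host and block references belong; if those gaps are only substitution tags lost in rendering (the `webmail`, `phpmyadmin` and `wordpress` definitions in `[Init]` look like the intended referents), the file is fine, but if the committed text really reads this way the empty branch makes `block` match every path and the 404 rule then bans any client after ten unrelated 404s. That is worth confirming against the raw file before merging, because an over-broad 404 rule is an easy way to lock out legitimate users of the server. Smaller points: `# These are just convient definitions` should read `convenient`, and the `# Block is the actual non-found directories to block` comment could state that it is the union of the three definitions below plus `cgi-bin` and `mysqladmin`, so there is one documented place to extend the list.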
@@ -294,6 +294,12 @@ maxretry = 1
 port = http,https
 logpath = %(nginx_error_log)s
+[nginx-botsearch]
+
+port = http,https
+logpath = %(nginx_error_log)s
+maxretry = 10
+findtime = 300
 # Ban attackers that try to use PHP's URL-fopen() functionality
 # through GET/POST variables. - Experimental, with more than a year
diff --git a/fail2ban/tests/files/logs/nginx-botsearch b/fail2ban/tests/files/logs/nginx-botsearch
new file mode 100644
index 00000000..f1bf05f5
--- /dev/null
+++ b/fail2ban/tests/files/logs/nginx-botsearch
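Review bot: `logpath = %(nginx_error_log)s` feeds the new jail only the error log, yet the first `failregex` in nginx-botsearch.conf (`\"(GET|POST) \/ \S+\" 404 .+$`) is written against the access-log line format, so with this jail definition that rule can never fire and only the `[error] ... (failed|is not found)` rule does any work. If paths-common.conf provides an access-log variable (later releases call it `nginx_access_log`), add it as a second `logpath` entry; otherwise a comment should say the access-log pattern is inert until one exists. `maxretry = 10` with `findtime = 300` also appears more permissive than the apache-botsearch jail this is modelled on, and since every hit is a request for a path that should not exist, a one-line comment justifying the threshold would help whoever tunes it next.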
@@ -0,0 +1,23 @@
+# failJSON: { "time": "2015-01-20T19:53:28", "match": true , "host": "12.34.56.78" }
+12.34.56.78 - - [20/Jan/2015:19:53:28 +0100] "GET //phpMyAdmin-2.8.2.3/scripts/setup.php HTTP/1.1" 404 47 "-" "-" "-"
+
+# failJSON: { "time": "2015-01-20T19:53:28", "match": true , "host": "12.34.56.78" }
+12.34.56.78 - - [20/Jan/2015:19:53:28 +0100] "GET //pma/scripts/setup.php HTTP/1.1" 404 47 "-" "-" "-"
+
+# failJSON: { "time": "2015-01-20T19:53:28", "match": true , "host": "12.34.56.78" }
+12.34.56.78 - - [20/Jan/2015:19:53:28 +0100] "GET //mysqladmin/scripts/setup.php HTTP/1.1" 404 47 "-" "-" "-"
+
+# failJSON: { "time": "2015-01-20T19:53:28", "match": true , "host": "12.34.56.78" }
+12.34.56.78 - - [20/Jan/2015:19:53:28 +0100] "GET //admin/pma/scripts/setup.php HTTP/1.1" 404 47 "-" "-" "-"
+
+# failJSON: { "time": "2015-01-20T01:17:07", "match": true , "host": "7.8.9.10" }
+7.8.9.10 - root [20/Jan/2015:01:17:07 +0100] "GET /cgi-bin/recent.cgi HTTP/1.1" 404 162 "-" "-" "-"
+
+# failJSON: { "time": "2014-12-12T22:59:02", "match": true , "host": "2.5.2.5" }
+2.5.2.5 - tomcat [12/Dec/2014:22:59:02 +0100] "GET /cgi-bin/tools/tools.pl HTTP/1.1" 404 162 "-" "-" "-"
+
+# failJSON: { "time": "2015-01-21T10:56:10", "match": true , "host": "5.7.9.2" }
+2015/01/21 10:56:10 [error] 2833#0: *16336 open() "/var/www/site/cgi-bin/php4" failed (2: No such file or directory), client: 5.7.9.2, server: localhost, request: "GET /cgi-bin/php4 HTTP/1.1", host: "1.2.3.4"
+
+# failJSON: { "time": "2015-01-21T15:02:27", "match": true , "host": "5.7.9.2" }
+2015/01/21 15:02:27 [error] 2833#0: *16813 "/var/www/site/roundcube/" is not found (2: No such file or directory), client: 5.7.9.2, server: localhost, request: "GET /roundcube/ HTTP/1.1", host: "1.2.3.4"
\ No newline at end of file
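Review bot: Every sample in this fixture is `"match": true`, so the test can confirm the filter catches the listed probes but cannot tell an over-broad `block` from a correct one; a 404 for an ordinary path must be shown not to match, which matters because a false positive here bans a real visitor. Add at least one negative line, for example (constructed) `# failJSON: { "time": "2015-01-20T19:53:28", "match": false , "host": "12.34.56.78" }` followed by a combined-format `GET /favicon.ico HTTP/1.1" 404` request. Coverage is also uneven: the `phpmyadmin`, `cgi-bin`, `mysqladmin` and `webmail` (roundcube) branches each have a sample, but the `wordpress` definition (`wp-(login|signup)\.php`) and the `POST` alternative of both regexes have none, so a regression in either would pass unnoticed.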