move nginx-tls-fallback rules to nginx-http-auth

2020-11-30 12:14:49 +01:00 · 2020-11-30 12:14:49 +01:00 · d0ba27cf46
parent d959f6d199
commit d0ba27cf46
6 changed files with 35 additions and 30 deletions
--- a/2
+++ b/2
@ -21,8 +21,6 @@ ver. 1.0.1-dev-1 (20??/??/??) - development nightly edition
 * `actioncheck` behavior is changed now (gh-488), so invariant check as well as restore or repair
   of sane environment (in case of recognized unsane state) would only occur on action errors (e. g.
   if ban or unban operations are exiting with other code as 0)
-* `filter.d/nginx-tls-fallback` -- filter added for tls downgrade probes
-

 ver. 0.11.2 (2020/11/23) - heal-the-world-with-security-tools
 -----------
--- a/config/filter.d/nginx-http-auth.conf
+++ b/config/filter.d/nginx-http-auth.conf
@ -3,15 +3,31 @@

 [Definition]

+mdre-auth = ^ \[error\] \d+#\d+: \*\d+ user "(?:[^"]+|.*?)":? (?:password mismatch|was not found in "[^\"]*"), client: <HOST>, server: \S*, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"(?:, referrer: "\S+")?\s*$
+mdre-fallback = ^\s*\[crit\] \d+#\d+: \*\d+ SSL_do_handshake\(\) failed \(SSL: error:\S+(?: \S+){1,3} too (?:long|short)\)[^,]*, client: <HOST>

-failregex = ^ \[error\] \d+#\d+: \*\d+ user "(?:[^"]+|.*?)":? (?:password mismatch|was not found in "[^\"]*"), client: <HOST>, server: \S*, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"(?:, referrer: "\S+")?\s*$
+
+mdre-normal = %(mdre-auth)s
+mdre-aggressive = %(mdre-auth)s
+                  %(mdre-fallback)s
+
+failregex = <mdre-<mode>>

 ignoreregex = 

 datepattern = {^LN-BEG}

+mode = normal
+
 # DEV NOTES:
+# mdre-auth:
 # Based on samples in https://github.com/fail2ban/fail2ban/pull/43/files
 # Extensive search of all nginx auth failures not done yet.
 # 
 # Author: Daniel Black
+
+# mdre-fallback:
+# Ban people checking for TLS_FALLBACK_SCSV repeatedly
+# https://stackoverflow.com/questions/28010492/nginx-critical-error-with-ssl-handshaking/28010608#28010608
+# Author: Stephan Orlowsky
+
--- a/config/filter.d/nginx-tls-fallback.conf
+++ b/config/filter.d/nginx-tls-fallback.conf
@ -1,14 +0,0 @@
-# fail2ban filter configuration for nginx
-# Ban people checking for TLS_FALLBACK_SCSV repeatedly
-# https://stackoverflow.com/questions/28010492/nginx-critical-error-with-ssl-handshaking/28010608#28010608
-
-[Definition]
-
-
-failregex = ^\s*\[crit\] \d+#\d+: \*\d+ SSL_do_handshake\(\) failed \(SSL: error:\S+(?: \S+){1,3} too (?:long|short)\)[^,]*, client: <HOST>
-
-ignoreregex = 
-
-datepattern = {^LN-BEG}
-
-# Author: Stephan Orlowsky
--- a/config/jail.conf
+++ b/config/jail.conf
@ -397,10 +397,6 @@ logpath  = %(nginx_error_log)s
 port    = http,https
 logpath = %(nginx_access_log)s

-[nginx-tls-fallback]
-port    = http,https
-logpath = %(nginx_error_log)s
-
 # Ban attackers that try to use PHP's URL-fopen() functionality
 # through GET/POST variables. - Experimental, with more than a year
 # of usage in production environments.
--- a/fail2ban/tests/files/logs/nginx-http-auth
+++ b/fail2ban/tests/files/logs/nginx-http-auth
@ -1,3 +1,4 @@
+# filterOptions: [{"mode": "normal"}, {"mode": "auth"}]

 # failJSON: { "time": "2012-04-09T11:53:29", "match": true , "host": "192.0.43.10" }
 2012/04/09 11:53:29 [error] 2865#0: *66647 user "xyz" was not found in "/var/www/.htpasswd", client: 192.0.43.10, server: www.myhost.com, request: "GET / HTTP/1.1", host: "www.myhost.com"
@ -11,3 +12,20 @@
 2014/04/03 22:20:38 [error] 30708#0: *3 user "scriben dio": password mismatch, client: 192.0.2.1, server: , request: "GET / HTTP/1.1", host: "localhost:8443"
 # failJSON: { "time": "2014-04-03T22:20:40", "match": true, "host": "192.0.2.2", "desc": "trying injection on user name"}
 2014/04/03 22:20:40 [error] 30708#0: *3 user "test": password mismatch, client: 127.0.0.1, server: test, request: "GET / HTTP/1.1", host: "localhost:8443"": was not found in "/etc/nginx/.htpasswd", client: 192.0.2.2, server: , request: "GET / HTTP/1.1", host: "localhost:8443"
+
+# filterOptions: [{"mode": "fallback"}]
+
+# failJSON: { "time": "2020-11-25T14:42:16", "match": true , "host": "142.93.180.14" }
+2020/11/25 14:42:16 [crit] 76952#76952: *2454307 SSL_do_handshake() failed (SSL: error:1408F0C6:SSL routines:ssl3_get_record:packet length too long) while SSL handshaking, client: 142.93.180.14, server: 0.0.0.0:443
+# failJSON: { "time": "2020-11-25T15:47:47", "match": true , "host": "80.191.166.166" }
+2020/11/25 15:47:47 [crit] 76952#76952: *5062354 SSL_do_handshake() failed (SSL: error:1408F0A0:SSL routines:ssl3_get_record:length too short) while SSL handshaking, client: 80.191.166.166, server: 0.0.0.0:443
+# failJSON: { "time": "2020-11-25T16:48:08", "match": true , "host": "5.126.32.148" }
+2020/11/25 16:48:08 [crit] 76952#76952: *7976400 SSL_do_handshake() failed (SSL: error:1408F096:SSL routines:ssl3_get_record:encrypted length too long) while SSL handshaking, client: 5.126.32.148, server: 0.0.0.0:443
+# failJSON: { "time": "2020-11-25T16:02:45", "match": false }
+2020/11/25 16:02:45 [error] 76952#76952: *5645766 connect() failed (111: Connection refused) while connecting to upstream, client: 5.126.32.148, server: www.google.de, request: "GET /admin/config HTTP/2.0", upstream: "http://127.0.0.1:3000/admin/config", host: "www.google.de"
+
+# filterOptions: [{"mode": "aggressive"}]
+# failJSON: { "time": "2020-11-25T14:42:16", "match": true , "host": "142.93.180.14" }
+2020/11/25 14:42:16 [crit] 76952#76952: *2454307 SSL_do_handshake() failed (SSL: error:1408F0C6:SSL routines:ssl3_get_record:packet length too long) while SSL handshaking, client: 142.93.180.14, server: 0.0.0.0:443
+# failJSON: { "time": "2012-04-09T11:53:29", "match": true , "host": "192.0.43.10" }
+2012/04/09 11:53:29 [error] 2865#0: *66647 user "xyz" was not found in "/var/www/.htpasswd", client: 192.0.43.10, server: www.myhost.com, request: "GET / HTTP/1.1", host: "www.myhost.com"
--- a/fail2ban/tests/files/logs/nginx-tls-fallback
+++ b/fail2ban/tests/files/logs/nginx-tls-fallback
@ -1,9 +0,0 @@
-
-# failJSON: { "time": "2020-11-25T14:42:16", "match": true , "host": "142.93.180.14" }
-2020/11/25 14:42:16 [crit] 76952#76952: *2454307 SSL_do_handshake() failed (SSL: error:1408F0C6:SSL routines:ssl3_get_record:packet length too long) while SSL handshaking, client: 142.93.180.14, server: 0.0.0.0:443
-# failJSON: { "time": "2020-11-25T15:47:47", "match": true , "host": "80.191.166.166" }
-2020/11/25 15:47:47 [crit] 76952#76952: *5062354 SSL_do_handshake() failed (SSL: error:1408F0A0:SSL routines:ssl3_get_record:length too short) while SSL handshaking, client: 80.191.166.166, server: 0.0.0.0:443
-# failJSON: { "time": "2020-11-25T16:48:08", "match": true , "host": "5.126.32.148" }
-2020/11/25 16:48:08 [crit] 76952#76952: *7976400 SSL_do_handshake() failed (SSL: error:1408F096:SSL routines:ssl3_get_record:encrypted length too long) while SSL handshaking, client: 5.126.32.148, server: 0.0.0.0:443
-# failJSON: { "time": "2020-11-25T16:02:45", "match": false }
-2020/11/25 16:02:45 [error] 76952#76952: *5645766 connect() failed (111: Connection refused) while connecting to upstream, client: 5.126.32.148, server: www.google.de, request: "GET /admin/config HTTP/2.0", upstream: "http://127.0.0.1:3000/admin/config", host: "www.google.de"