added two new filter files (PHP url_fopen, lighttpd fastcgi alerts), updated MANIFEST and jail.conf accordingly

git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@742 a942ae1a-1317-0410-a47c-b1dcaea8d605
2009-08-30 14:17:29 +00:00 · 2009-08-30 14:17:29 +00:00 · dde7afe1f3
parent 9c05632dd8
commit dde7afe1f3
4 changed files with 71 additions and 0 deletions
--- a/2
+++ b/2
@ -122,3 +122,5 @@ files/cacti/cacti_host_template_fail2ban.xml
 files/cacti/README
 files/nagios/check_fail2ban
 files/nagios/f2ban.txt
+config/filter.d/lighttpd-fastcgi.conf 
+config/filter.d/php-url-fopen.conf
--- a/config/filter.d/lighttpd-fastcgi.conf
+++ b/config/filter.d/lighttpd-fastcgi.conf
@ -0,0 +1,18 @@
+# Fail2Ban configuration file
+#
+# Author: Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar>
+#
+
+[Definition]
+
+# Option:  failregex
+# Notes.:  regex to match ALERTS as notified by lighttpd's FastCGI Module
+# Values:  TEXT
+#
+failregex = .*ALERT\ -\ .*attacker\ \'<HOST>\'
+
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex = 
--- a/config/filter.d/php-url-fopen.conf
+++ b/config/filter.d/php-url-fopen.conf
@ -0,0 +1,23 @@
+# Fail2Ban configuration file
+#
+# Author: Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar>
+# Version 2
+# fixes the failregex so REFERERS that contain =http:// don't get blocked
+# (mentioned by "fasuto" (no real email provided... blog comment) in this entry:
+# http://blogs.buanzo.com.ar/2009/04/fail2ban-filter-for-php-injection-attacks.html#comment-1489
+#
+
+[Definition]
+
+# Option:  failregex
+# Notes.:  regex to match this kind of request:
+#
+# 66.185.212.172 - - [26/Mar/2009:08:44:20 -0500] "GET /index.php?n=http://eatmyfood.hostinginfive.com/pizza.htm? HTTP/1.1" 200 114 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
+#
+failregex = ^<HOST> -.*"(GET|POST).*\?.*\=http\:\/\/.* HTTP\/.*$
+
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex = 
--- a/config/jail.conf
+++ b/config/jail.conf
@ -152,6 +152,34 @@ action   = shorewall
           sendmail[name=Postfix, dest=you@mail.com]
 logpath  = /var/log/apache2/error_log

+# Ban attackers that try to use PHP's URL-fopen() functionality
+# through GET/POST variables. - Experimental, with more than a year
+# of usage in production environments.
+
+[php-url-fopen]
+
+enabled = false
+port    = http,https
+filter  = php-url-fopen
+logpath = /var/www/*/logs/access_log
+maxretry = 1
+
+# A simple PHP-fastcgi jail which works with lighttpd.
+# If you run a lighttpd server, then you probably will
+# find these kinds of messages in your error_log:
+# ALERT – tried to register forbidden variable ‘GLOBALS’
+# through GET variables (attacker '1.2.3.4', file '/var/www/default/htdocs/index.php')
+# This jail would block the IP 1.2.3.4.
+
+[lighttpd-fastcgi]
+
+enabled = true
+port    = http,https
+filter  = lighttpd-fastcgi
+# adapt the following two items as needed
+logpath = /var/log/lighttpd/error.log
+maxretry = 2
+
 # This jail uses ipfw, the standard firewall on FreeBSD. The "ignoreip"
 # option is overridden in this jail. Moreover, the action "mail-whois" defines
 # the variable "name" which contains a comma using "". The characters '' are