From 27c40a77a31c4c72b9076f43962debcf8d7d6359 Mon Sep 17 00:00:00 2001
From: stepodev
Date: Wed, 25 Nov 2020 20:57:06 +0100
Subject: [PATCH 1/6] add nginx-tls-downgrade

---
 ChangeLog | 1 +
 config/filter.d/nginx-tls-fallback.conf | 16 ++++++++++++++++
 config/jail.conf | 3 +++
 fail2ban/tests/files/logs/nginx-tls-fallback | 9 +++++++++
 4 files changed, 29 insertions(+)
 create mode 100644 config/filter.d/nginx-tls-fallback.conf
 create mode 100644 fail2ban/tests/files/logs/nginx-tls-fallback

diff --git a/ChangeLog b/ChangeLog
index 5f1fc313..bd4a369d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -21,6 +21,7 @@ ver. 1.0.1-dev-1 (20??/??/??) - development nightly edition
 * `actioncheck` behavior is changed now (gh-488), so invariant check as well as restore or repair of sane environment (in case of recognized unsane state) would only occur on action errors (e. g. if ban or unban operations are exiting with other code as 0)
+* `filter.d/nginx-tls-fallback` -- filter added for tls downgrade probes
 ver. 0.11.2 (2020/11/23) - heal-the-world-with-security-tools
diff --git a/config/filter.d/nginx-tls-fallback.conf b/config/filter.d/nginx-tls-fallback.conf
new file mode 100644
index 00000000..aaa84fb9
--- /dev/null
+++ b/config/filter.d/nginx-tls-fallback.conf
@@ -0,0 +1,16 @@
+# fail2ban filter configuration for nginx
+# Ban people checking for TLS_FALLBACK_SCSV repeatedly
+# https://stackoverflow.com/questions/28010492/nginx-critical-error-with-ssl-handshaking/28010608#28010608
+
+[Definition]
+
+
+failregex = ^ \[crit\] \d+#\d+: \*\d+ SSL_do_handshake\(\) failed.*?ssl3_get_record.*?too.*?, client: , server: \S+$
+
+ignoreregex =
+
+datepattern = {^LN-BEG}
+
+# Author: Stephan Orlowsky
+# maybe not restrictive enough, will also match:
+#"[crit] 76952#76952: *5062354 SSL_do_handshake() failed ssl3_get_record too, client: 0.0.0.0, server: thisshouldntmatch"
diff --git a/config/jail.conf b/config/jail.conf
index 28f259a0..a7818a06 100644
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -397,6 +397,9 @@ logpath = %(nginx_error_log)s
 port = http,https
 logpath = %(nginx_access_log)s
+[nginx-tls-fallback]
+port = http,https
+logpath = %(nginx_access_log)s
 # Ban attackers that try to use PHP's URL-fopen() functionality
 # through GET/POST variables. - Experimental, with more than a year
diff --git a/fail2ban/tests/files/logs/nginx-tls-fallback b/fail2ban/tests/files/logs/nginx-tls-fallback
new file mode 100644
index 00000000..bd51fbbf
--- /dev/null
+++ b/fail2ban/tests/files/logs/nginx-tls-fallback
@@ -0,0 +1,9 @@
+
+# failJSON: { "time": "2020-11-25T14:42:16", "match": true , "host": "142.93.180.14" }
+2020/11/25 14:42:16 [crit] 76952#76952: *2454307 SSL_do_handshake() failed (SSL: error:1408F0C6:SSL routines:ssl3_get_record:packet length too long) while SSL handshaking, client: 142.93.180.14, server: 0.0.0.0:443
+# failJSON: { "time": "2020-11-25T15:47:47", "match": true , "host": "80.191.166.166" }
+2020/11/25 15:47:47 [crit] 76952#76952: *5062354 SSL_do_handshake() failed (SSL: error:1408F0A0:SSL routines:ssl3_get_record:length too short) while SSL handshaking, client: 80.191.166.166, server: 0.0.0.0:443
+# failJSON: { "time": "2020-11-25T16:48:08", "match": true , "host": "5.126.32.148" }
+2020/11/25 16:48:08 [crit] 76952#76952: *7976400 SSL_do_handshake() failed (SSL: error:1408F096:SSL routines:ssl3_get_record:encrypted length too long) while SSL handshaking, client: 5.126.32.148, server: 0.0.0.0:443
+# failJSON: { "time": "2020-11-25T16:02:45", "match": false }
+2020/11/25 16:02:45 [error] 76952#76952: *5645766 connect() failed (111: Connection refused) while connecting to upstream, client: 5.126.32.148, server: www.google.de, request: "GET /admin/config HTTP/2.0", upstream: "http://127.0.0.1:3000/admin/config", host: "www.google.de"
From c0256724a7b091cba7c774b1774d6e1dc6ee604a Mon Sep 17 00:00:00 2001
From: stepodev
Date: Wed, 25 Nov 2020 21:30:21 +0100
Subject: [PATCH 2/6] fix monitoring wrong error log. was access log, should be error.log

---
 config/jail.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/jail.conf b/config/jail.conf
index a7818a06..f7eeeeb8 100644
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -399,7 +399,7 @@ logpath = %(nginx_access_log)s
 [nginx-tls-fallback]
 port = http,https
-logpath = %(nginx_access_log)s
+logpath = %(nginx_error_log)s
 # Ban attackers that try to use PHP's URL-fopen() functionality
 # through GET/POST variables. - Experimental, with more than a year
From d959f6d19926ff2b75322acb008dc692b6a29aa5 Mon Sep 17 00:00:00 2001
From: "Sergey G. Brester"
Date: Thu, 26 Nov 2020 12:25:32 +0100
Subject: [PATCH 3/6] Update nginx-tls-fallback.conf

more precise and conclusive regex without catch-all's
---
 config/filter.d/nginx-tls-fallback.conf | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/config/filter.d/nginx-tls-fallback.conf b/config/filter.d/nginx-tls-fallback.conf
index aaa84fb9..b9eeac04 100644
--- a/config/filter.d/nginx-tls-fallback.conf
+++ b/config/filter.d/nginx-tls-fallback.conf
@@ -5,12 +5,10 @@
 [Definition]
-failregex = ^ \[crit\] \d+#\d+: \*\d+ SSL_do_handshake\(\) failed.*?ssl3_get_record.*?too.*?, client: , server: \S+$
+failregex = ^\s*\[crit\] \d+#\d+: \*\d+ SSL_do_handshake\(\) failed \(SSL: error:\S+(?: \S+){1,3} too (?:long|short)\)[^,]*, client: 
 ignoreregex =
 datepattern = {^LN-BEG}
 # Author: Stephan Orlowsky
-# maybe not restrictive enough, will also match:
-#"[crit] 76952#76952: *5062354 SSL_do_handshake() failed ssl3_get_record too, client: 0.0.0.0, server: thisshouldntmatch"
From d0ba27cf46411be9104ad5f90e8d39551419fa2a Mon Sep 17 00:00:00 2001
From: stepodev
Date: Mon, 30 Nov 2020 12:14:49 +0100
Subject: [PATCH 4/6] move nginx-tls-fallback rules to nginx-http-auth

---
 ChangeLog | 2 --
 config/filter.d/nginx-http-auth.conf | 18 +++++++++++++++++-
 config/filter.d/nginx-tls-fallback.conf | 14 --------------
 config/jail.conf | 4 ----
 fail2ban/tests/files/logs/nginx-http-auth | 18 ++++++++++++++++++
 fail2ban/tests/files/logs/nginx-tls-fallback | 9 ---------
 6 files changed, 35 insertions(+), 30 deletions(-)
 delete mode 100644 config/filter.d/nginx-tls-fallback.conf
 delete mode 100644 fail2ban/tests/files/logs/nginx-tls-fallback

diff --git a/ChangeLog b/ChangeLog
index bd4a369d..f9fb8a33 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -21,8 +21,6 @@ ver. 1.0.1-dev-1 (20??/??/??) - development nightly edition
 * `actioncheck` behavior is changed now (gh-488), so invariant check as well as restore or repair of sane environment (in case of recognized unsane state) would only occur on action errors (e. g. if ban or unban operations are exiting with other code as 0)
-* `filter.d/nginx-tls-fallback` -- filter added for tls downgrade probes
-
 ver. 0.11.2 (2020/11/23) - heal-the-world-with-security-tools
 -----------
diff --git a/config/filter.d/nginx-http-auth.conf b/config/filter.d/nginx-http-auth.conf
index 93341cd2..d5655fa8 100644
--- a/config/filter.d/nginx-http-auth.conf
+++ b/config/filter.d/nginx-http-auth.conf
@@ -3,15 +3,31 @@
 [Definition]
+mdre-auth = ^ \[error\] \d+#\d+: \*\d+ user "(?:[^"]+|.*?)":? (?:password mismatch|was not found in "[^\"]*"), client: , server: \S*, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"(?:, referrer: "\S+")?\s*$
+mdre-fallback = ^\s*\[crit\] \d+#\d+: \*\d+ SSL_do_handshake\(\) failed \(SSL: error:\S+(?: \S+){1,3} too (?:long|short)\)[^,]*, client: 
-failregex = ^ \[error\] \d+#\d+: \*\d+ user "(?:[^"]+|.*?)":? (?:password mismatch|was not found in "[^\"]*"), client: , server: \S*, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"(?:, referrer: "\S+")?\s*$
+
+mdre-normal = %(mdre-auth)s
+mdre-aggressive = %(mdre-auth)s
+ %(mdre-fallback)s
+
+failregex = >
 ignoreregex =
 datepattern = {^LN-BEG}
+mode = normal
+
 # DEV NOTES:
+# mdre-auth:
 # Based on samples in https://github.com/fail2ban/fail2ban/pull/43/files
 # Extensive search of all nginx auth failures not done yet.
 #
 # Author: Daniel Black
+
+# mdre-fallback:
+# Ban people checking for TLS_FALLBACK_SCSV repeatedly
+# https://stackoverflow.com/questions/28010492/nginx-critical-error-with-ssl-handshaking/28010608#28010608
+# Author: Stephan Orlowsky
+
diff --git a/config/filter.d/nginx-tls-fallback.conf b/config/filter.d/nginx-tls-fallback.conf
deleted file mode 100644
index b9eeac04..00000000
--- a/config/filter.d/nginx-tls-fallback.conf
+++ /dev/null
@@ -1,14 +0,0 @@
-# fail2ban filter configuration for nginx
-# Ban people checking for TLS_FALLBACK_SCSV repeatedly
-# https://stackoverflow.com/questions/28010492/nginx-critical-error-with-ssl-handshaking/28010608#28010608
-
-[Definition]
-
-
-failregex = ^\s*\[crit\] \d+#\d+: \*\d+ SSL_do_handshake\(\) failed \(SSL: error:\S+(?: \S+){1,3} too (?:long|short)\)[^,]*, client: 
-
-ignoreregex =
-
-datepattern = {^LN-BEG}
-
-# Author: Stephan Orlowsky
diff --git a/config/jail.conf b/config/jail.conf
index f7eeeeb8..3d971892 100644
--- a/config/jail.conf
+++ b/config/jail.conf
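Review bot: The `# mdre-fallback:` DEV NOTE still says the rule bans people "checking for TLS_FALLBACK_SCSV", but the `mdre-fallback` regex above it matches any `[crit] SSL_do_handshake() failed` record whose OpenSSL reason ends in `too long`/`too short`, which as far as I can tell is produced by any malformed or non-TLS data reaching the TLS port rather than by an SCSV probe in particular, so the note understates the false-positive surface of the `fallback` and `aggressive` modes. I would replace the "Ban people ..." line with `# Matches [crit] SSL handshake failures with a record-length error (... too long / too short); any malformed or non-TLS client on the TLS port produces these, so this stays out of mode normal and may also hit broken clients or a TCP proxy in front of nginx that does not pass the real client address.` The new `mode` parameter is undocumented in this file; a line such as `# mode: normal (default, same as auth), fallback, or aggressive (auth + fallback)` next to `mode = normal` would carry the explanation that patch 5 otherwise only adds to jail.conf. As rendered here `failregex = >` and the `client: ` tails appear to have lost their angle-bracket tags to extraction, so I am not treating those as defects in the commit.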
@@ -397,10 +397,6 @@ logpath = %(nginx_error_log)s
 port = http,https
 logpath = %(nginx_access_log)s
-[nginx-tls-fallback]
-port = http,https
-logpath = %(nginx_error_log)s
-
 # Ban attackers that try to use PHP's URL-fopen() functionality
 # through GET/POST variables. - Experimental, with more than a year
 # of usage in production environments.
diff --git a/fail2ban/tests/files/logs/nginx-http-auth b/fail2ban/tests/files/logs/nginx-http-auth
index c9c96807..fb24b242 100644
--- a/fail2ban/tests/files/logs/nginx-http-auth
+++ b/fail2ban/tests/files/logs/nginx-http-auth
@@ -1,3 +1,4 @@
+# filterOptions: [{"mode": "normal"}, {"mode": "auth"}]
 # failJSON: { "time": "2012-04-09T11:53:29", "match": true , "host": "192.0.43.10" }
 2012/04/09 11:53:29 [error] 2865#0: *66647 user "xyz" was not found in "/var/www/.htpasswd", client: 192.0.43.10, server: www.myhost.com, request: "GET / HTTP/1.1", host: "www.myhost.com"
@@ -11,3 +12,20 @@
 2014/04/03 22:20:38 [error] 30708#0: *3 user "scriben dio": password mismatch, client: 192.0.2.1, server: , request: "GET / HTTP/1.1", host: "localhost:8443"
 # failJSON: { "time": "2014-04-03T22:20:40", "match": true, "host": "192.0.2.2", "desc": "trying injection on user name"}
 2014/04/03 22:20:40 [error] 30708#0: *3 user "test": password mismatch, client: 127.0.0.1, server: test, request: "GET / HTTP/1.1", host: "localhost:8443"": was not found in "/etc/nginx/.htpasswd", client: 192.0.2.2, server: , request: "GET / HTTP/1.1", host: "localhost:8443"
+
+# filterOptions: [{"mode": "fallback"}]
+
+# failJSON: { "time": "2020-11-25T14:42:16", "match": true , "host": "142.93.180.14" }
+2020/11/25 14:42:16 [crit] 76952#76952: *2454307 SSL_do_handshake() failed (SSL: error:1408F0C6:SSL routines:ssl3_get_record:packet length too long) while SSL handshaking, client: 142.93.180.14, server: 0.0.0.0:443
+# failJSON: { "time": "2020-11-25T15:47:47", "match": true , "host": "80.191.166.166" }
+2020/11/25 15:47:47 [crit] 76952#76952: *5062354 SSL_do_handshake() failed (SSL: error:1408F0A0:SSL routines:ssl3_get_record:length too short) while SSL handshaking, client: 80.191.166.166, server: 0.0.0.0:443
+# failJSON: { "time": "2020-11-25T16:48:08", "match": true , "host": "5.126.32.148" }
+2020/11/25 16:48:08 [crit] 76952#76952: *7976400 SSL_do_handshake() failed (SSL: error:1408F096:SSL routines:ssl3_get_record:encrypted length too long) while SSL handshaking, client: 5.126.32.148, server: 0.0.0.0:443
+# failJSON: { "time": "2020-11-25T16:02:45", "match": false }
+2020/11/25 16:02:45 [error] 76952#76952: *5645766 connect() failed (111: Connection refused) while connecting to upstream, client: 5.126.32.148, server: www.google.de, request: "GET /admin/config HTTP/2.0", upstream: "http://127.0.0.1:3000/admin/config", host: "www.google.de"
+
+# filterOptions: [{"mode": "aggressive"}]
+# failJSON: { "time": "2020-11-25T14:42:16", "match": true , "host": 
"142.93.180.14" } +2020/11/25 14:42:16 [crit] 76952#76952: *2454307 SSL_do_handshake() failed (SSL: error:1408F0C6:SSL routines:ssl3_get_record:packet length too long) while SSL handshaking, client: 142.93.180.14, server: 0.0.0.0:443 +# failJSON: { "time": "2012-04-09T11:53:29", "match": true , "host": "192.0.43.10" } +2012/04/09 11:53:29 [error] 2865#0: *66647 user "xyz" was not found in "/var/www/.htpasswd", client: 192.0.43.10, server: www.myhost.com, request: "GET / HTTP/1.1", host: "www.myhost.com" diff --git a/fail2ban/tests/files/logs/nginx-tls-fallback b/fail2ban/tests/files/logs/nginx-tls-fallback deleted file mode 100644 index bd51fbbf..00000000 --- a/fail2ban/tests/files/logs/nginx-tls-fallback +++ /dev/null @@ -1,9 +0,0 @@ - -# failJSON: { "time": "2020-11-25T14:42:16", "match": true , "host": "142.93.180.14" } -2020/11/25 14:42:16 [crit] 76952#76952: *2454307 SSL_do_handshake() failed (SSL: error:1408F0C6:SSL routines:ssl3_get_record:packet length too long) while SSL handshaking, client: 142.93.180.14, server: 0.0.0.0:443 -# failJSON: { "time": "2020-11-25T15:47:47", "match": true , "host": "80.191.166.166" } -2020/11/25 15:47:47 [crit] 76952#76952: *5062354 SSL_do_handshake() failed (SSL: error:1408F0A0:SSL routines:ssl3_get_record:length too short) while SSL handshaking, client: 80.191.166.166, server: 0.0.0.0:443 -# failJSON: { "time": "2020-11-25T16:48:08", "match": true , "host": "5.126.32.148" } -2020/11/25 16:48:08 [crit] 76952#76952: *7976400 SSL_do_handshake() failed (SSL: error:1408F096:SSL routines:ssl3_get_record:encrypted length too long) while SSL handshaking, client: 5.126.32.148, server: 0.0.0.0:443 -# failJSON: { "time": "2020-11-25T16:02:45", "match": false } -2020/11/25 16:02:45 [error] 76952#76952: *5645766 connect() failed (111: Connection refused) while connecting to upstream, client: 5.126.32.148, server: www.google.de, request: "GET /admin/config HTTP/2.0", upstream: "http://127.0.0.1:3000/admin/config", host: "www.google.de" 
From cecc3d62ffac65b3545f665dee51eff58c3a7f6e Mon Sep 17 00:00:00 2001
From: stepodev
Date: Mon, 30 Nov 2020 12:26:32 +0100
Subject: [PATCH 5/6] add mode explanation to nginx-http-auth in jail.conf

---
 config/jail.conf | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/config/jail.conf b/config/jail.conf
index 3d971892..1b82b648 100644
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -375,8 +375,11 @@ banaction = %(banaction_allports)s
 logpath = /opt/openhab/logs/request.log
+# To use more aggressive http-auth modes set filter parameter "mode" in jail.local:
+# normal (default), aggressive (combines all), auth or fallback
+# See "tests/files/logs/nginx-http-auth" or "filter.d/nginx-http-auth.conf" for usage example and details.
 [nginx-http-auth]
-
+# mode = normal
 port = http,https
 logpath = %(nginx_error_log)s
From c5d43d7573437e401f991a782e106a851ef9975d Mon Sep 17 00:00:00 2001
From: "Sergey G. Brester"
Date: Sun, 4 Apr 2021 00:00:59 +0200
Subject: [PATCH 6/6] Update ChangeLog

---
 ChangeLog | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index f9fb8a33..56b8c757 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -21,6 +21,9 @@ ver. 1.0.1-dev-1 (20??/??/??) - development nightly edition
 * `actioncheck` behavior is changed now (gh-488), so invariant check as well as restore or repair of sane environment (in case of recognized unsane state) would only occur on action errors (e. g. if ban or unban operations are exiting with other code as 0)
+* `filter.d/nginx-http-auth.conf` - extended with parameter mode, so additionally to `auth` (or `normal`)
+ mode `fallback` (or combined as `aggressive`) can find SSL errors while SSL handshaking, gh-2881
+
 ver. 0.11.2 (2020/11/23) - heal-the-world-with-security-tools
 -----------