mirror of https://github.com/fail2ban/fail2ban
29 lines
1020 B
Plaintext
29 lines
1020 B
Plaintext
# Fail2Ban filter to block web requests containing custom headers attempting to exploit the shellshock bug
|
|
#
|
|
#
|
|
|
|
[INCLUDES]
|
|
|
|
# overwrite with apache-common.local if _apache_error_client is incorrect.
|
|
before = apache-common.conf
|
|
|
|
[Definition]
|
|
|
|
prefregex = ^%(_apache_error_client)s (AH01215: )?/bin/([bd]a)?sh: <F-CONTENT>.+</F-CONTENT>$
|
|
|
|
failregex = ^warning: HTTP_[^:]+: ignoring function definition attempt(, referer: \S+)?\s*$
|
|
^error importing function definition for `HTTP_[^']+'(, referer: \S+)?\s*$
|
|
|
|
ignoreregex =
|
|
|
|
|
|
# DEV Notes:
|
|
#
|
|
# https://wiki.apache.org/httpd/ListOfErrors for apache error IDs
|
|
#
|
|
# example log lines:
|
|
# [Thu Sep 25 09:27:18.813902 2014] [cgi:error] [pid 16860] [client 89.207.132.76:59635] AH01215: /bin/bash: warning: HTTP_TEST: ignoring function definition attempt
|
|
# [Thu Sep 25 09:29:56.141832 2014] [cgi:error] [pid 16864] [client 162.247.73.206:41273] AH01215: /bin/bash: error importing function definition for `HTTP_TEST'
|
|
#
|
|
# Author: Eugene Hopkinson (e.hopkinson@gmail.com)
|