On 4/17/2021 8:03 AM, Lentes, Bernd wrote:
Hi,
if you have a webserver running on port 80 or 443 you see a lot of people
trying to find applications, PHP frontends or stuff like that with default
passwords or known vulnerabilities.
Most of them get status codes like 401, 403 or 404.
Is there a way to create jails when someone gets some of these codes in a
certain time?
Thanks.
Bernd
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
I myself briefly considered the idea of banning on the basis of http
status codes, but quickly realized it would have the problem that Peter
Heirich describes.
However, I also dislike the idea of using mod_security (which I do run)
because it also has some of the same problems as the HTTP codes.
After studying the logs a bit, I found that most of the attempted
exploits are easily recognized and, in fact, most of them involve a
dependence on presence of various subdirectories on the server. The
filters are very easy to write. I am currently using the following
filter against apache access logs:
[Definition]
# My Apache access logs use " |" as a field separator, so "<HOST> \|"
# anchors on the client address followed by that separator.
ignoreregex =
datepattern = ^[^\[]*\[({DATE})
# First line: any GET whose request line contains "HelloThink".
# Second line: GET requests whose path starts with one of the probe
# directories (continuation lines of a failregex must stay indented).
failregex = ^<HOST> \|[^"]*"GET /.*HelloThink
            ^<HOST> \|[^"]*"GET /(solr|vendor|console|debug|remote|_profiler|Autodiscover|wp-content|_ignition)/
NOTE: The first "|" in each regex line is dependent on the fact that my
access logs use that character as a field separator.
The exploits that depend on a subdirectory are caught by the long "OR"
expression on the second filter line. (The list of the names in the OR
expression keeps growing.)
This approach has the advantage that it targets the precise group that
is attempting to take over my machine, because it recognizes the
patterns of known attempts. Of course, none of the exploits will
actually work on my Linux server, but they do spam several logs. More
importantly, the same actors could potentially in the future find a way
to penetrate my system due to a new exploit that hasn't yet been
patched. But jailing them on one of these failed attempts can
conceivably save me.
Phil
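To see what Phil's two failregex lines actually catch before putting them in a jail, here is an added example that re-implements them in plain Python and runs them over a few constructed access-log lines. This is not Phil's code or fail2ban's: the host pattern is a simplified stand-in for fail2ban's <HOST> tag, the " |"-separated log layout is assumed from Phil's note about his separator, and every log line and address below is constructed for the example.

```python
import re
from collections import Counter

# Stand-in for fail2ban's <HOST> tag (assumption: fail2ban's real expansion
# is more elaborate; this one accepts IPv4 and IPv6 addresses).
HOST = r"(?P<host>[0-9a-fA-F.:]+)"

# The "OR" list from Phil's second failregex line.
PROBE_DIRS = ("solr", "vendor", "console", "debug", "remote", "_profiler",
              "Autodiscover", "wp-content", "_ignition")
DIR_ALT = "|".join(PROBE_DIRS)

# Phil's two failregex lines, with <HOST> replaced by the pattern above.
# The " \|" after the host matches the field separator in his log format.
FAILREGEX = [
    re.compile(rf'^{HOST} \|[^"]*"GET /.*HelloThink'),
    re.compile(rf'^{HOST} \|[^"]*"GET /(?:{DIR_ALT})/'),
]

# Constructed sample log in an assumed "%h |%t |\"%r\" |%>s" layout.
SAMPLE_LOG = """\
203.0.113.7 |[17/Apr/2021:08:10:01 +0200] |"GET /solr/admin/info/system HTTP/1.1" |404
203.0.113.7 |[17/Apr/2021:08:10:02 +0200] |"GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" |404
198.51.100.23 |[17/Apr/2021:08:11:40 +0200] |"GET /index.html HTTP/1.1" |200
198.51.100.23 |[17/Apr/2021:08:11:41 +0200] |"GET /blog/vendor/style.css HTTP/1.1" |200
192.0.2.99 |[17/Apr/2021:08:12:05 +0200] |"GET /?x=HelloThinkPHP HTTP/1.1" |200
192.0.2.99 |[17/Apr/2021:08:12:06 +0200] |"POST /wp-content/plugins/x.php HTTP/1.1" |404
2001:db8::1 |[17/Apr/2021:08:13:00 +0200] |"GET /_ignition/execute-solution HTTP/1.1" |404
"""


def match_line(line):
    """Return the client host if the line matches any failregex, else None."""
    for rx in FAILREGEX:
        m = rx.match(line)
        if m:
            return m.group("host")
    return None


def scan(log_text):
    """Count matching lines per host, the way fail2ban counts failures per IP."""
    hits = Counter()
    for line in log_text.splitlines():
        host = match_line(line)
        if host:
            hits[host] += 1
    return hits


def offenders(log_text, maxretry=1):
    """Hosts whose hit count reaches maxretry (fail2ban's ban threshold)."""
    return sorted(h for h, n in scan(log_text).items() if n >= maxretry)


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(("BAN " if match_line(line) else "ok  ") + line)
    print("offenders:", offenders(SAMPLE_LOG))
```

Two things the sample shows that the filter text alone does not: a path such as /blog/vendor/style.css is not caught, because the second line only matches when the probe directory is the first path component, and a POST to /wp-content/ is not caught either, since both lines require "GET. The flip side is that any legitimate GET under one of those directories would be banned, so the list must contain only paths that do not exist on your own server. Against real logs, the equivalent check is fail2ban's own tester, fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/<your-filter>.conf, which uses the real <HOST> expansion rather than the stand-in above.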