iT邦幫忙

0

[fail2ban] apache 過濾器怎麼寫? 自己去寫找不出問題

我想實作用fail2ban防護網頁的暴力破解,然後網頁是同學寫的,然後用暴力破解(hydra),錯誤訊息在下面呈現
/var/log/httpd/error_log-20190222
https://ithelp.ithome.com.tw/upload/images/20190223/20115563InafLQYNO7.png

然後用fail2ban內建的過濾器apache-auth去偵測,沒辦法偵測到,所以想自己來寫個filter,但對於python的正規表達式不熟,自己去試一直測不出來,所以想問大家到底要如何去寫

自己去看網站自己寫:<HOST>.* PHP Notice:Undefined index: pwd in /var/www/html/hackerproof/login.php on line 5
但去測fail2ban-regex 沒有match到,我這樣打有那裡不對的嗎?

2 個回答

1
ayu
iT邦好手 5 級 ‧ 2019-02-23 01:11:35
最佳解答
  1. 不要直接就<HOST>開頭
  2. 然後 "PHP Notice:Undefined" 少了一個空白, 應該是"PHP Notice: Undefined"
  3. 然後 client <HOST>.* PHP Notice: Undefined index: \S+ in /var/www/html/hackerproof/login.php on line
smallan iT邦新手 5 級 ‧ 2019-02-23 16:34:20 檢舉

確實前面要加client,然後發現Notice:後面有兩個空白,現在fail2ban-regex可以match到了,感謝!

0
harrytsai
iT邦新手 5 級 ‧ 2019-02-23 09:29:51

fail2ban 他有很多段,不至於擋不到,差別在於他判斷的log是不是你目前程式裡面有寫到的log裡面

detect password authentication failures

[apache]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/httpd/*error_log
maxretry = 6

detect spammer robots crawling email addresses

[apache-badbots]
enabled = true
port = http,https
filter = apache-badbots
logpath = /var/log/httpd/*access_log
bantime = 172800
maxretry = 1

detect potential search for exploits and php vulnerabilities

[apache-noscript]
enabled = true
port = http,https
filter = apache-noscript
logpath = /var/log/httpd/*error_log
maxretry = 6

detect Apache overflow attempts

[apache-overflows]
enabled = true
port = http,https
filter = apache-overflows
logpath = /var/log/httpd/*error_log
maxretry = 2

detect failures to find a home directory on a server

[apache-nohome]
enabled = true
port = http,https
filter = apache-nohome
logpath = /var/log/httpd/*error_log
maxretry = 2

detect failures to execute non-existing scripts that

are associated with several popular web services

e.g. webmail, phpMyAdmin, WordPress

port = http,https
filter = apache-botsearch
logpath = /var/log/httpd/*error_log
maxretry = 2

我要發表回答

立即登入回答