Fail2ban filter for PHP Injection attacks
Aren’t you just tired of the massive number of PHP remote injection (remote file inclusion) attempts showing up in your access log? You know, the ones that look like this:
GET /index.php?n=http://eatmyfood.hostinginfive.com/pizza.htm?
Even if you secure your webserver and set allow_url_fopen = Off (and, on PHP 5.2 or later, allow_url_include = Off) in php.ini, so that the include can never fetch the remote file, the attempts still clutter your logs.
Just make sure you save the filter file as php-url-fopen.conf in your /etc/fail2ban/filter.d directory (the name has to match the filter = line below), then add this block to jail.conf (or, better, to jail.local so it survives package upgrades) and restart fail2ban:
[php-url-fopen]
enabled = true
port = http,https
filter = php-url-fopen
logpath = /var/www/*/logs/access_log
maxretry = 1
And done. Note that maxretry = 1 bans on the first match, so test the filter against your real access log with fail2ban-regex before enabling the jail.
Related articles:
- Fail2ban rules for lighttpd fastcgi alerts
- fail2ban patch: ban IP address manually
- I’m now a fail2ban developer :D
- Enigform for Apache: mod_auth_openpgp
- mod_auth_openpgp 0.2.0 released


I think that with your regular expression you also ban legitimate entries where .php?n=http://**** appears
in the REFERER.
For example, entries that come from Google Images or from banners:
xxx.xxx.xxx.xxx - - [20/Jul/2009:06:13:02 +0200] "GET /xxx/index.html HTTP/1.1" 200 9398 "http://images.google.es/imgres?imgurl=http://www.xxxx.com/xy/imagenes/img.jpg&imgrefurl=http://www.xxxx.com/xy/index.htnl&usg=__pCH0q6sy06ssIsB4zJu_YYsqNZE=&h=163&w=227&sz=44&hl=es&start=2&um=1&tbnid=hjOK7M4WBtfFHM:&tbnh=78&tbnw=108&prev=/images%3Fq%3Dpunto%2Boro%26hl%3Des%26client%3Dfirefox-a%26rls%3Dorg.mozilla:es-ES:official%26sa%3DG%26um%3D1" "Mozilla/5.0 (Windows; U; Windows NT 6.0; es-ES; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1 (.NET CLR 3.5.30729)"
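As an added example (not the post's own filter file and not the commenter's code), this is how a practitioner would check a failregex for the php-url-fopen jail above against sample log lines before enabling it, and it shows the referer-field false positive raised in the comment. Everything here is constructed for the demo: the log lines and IP addresses, the stand-in for fail2ban's <HOST> tag, and both regexes. NAIVE_FAILREGEX is an assumed shape of a filter that does not pin the match to the request line, not the filter the post distributes; STRICT_FAILREGEX walks the fixed fields of the Apache combined format so the referer and user-agent are never inspected, and goes a little beyond the post by also accepting ftp:// and percent-encoded schemes.

```python
import re

# Constructed sample lines in Apache combined log format (not taken from the post).
SAMPLE_LOG = [
    # Remote-inclusion probe like the one quoted in the post.
    '203.0.113.7 - - [20/Jul/2009:06:13:02 +0200] '
    '"GET /index.php?n=http://eatmyfood.hostinginfive.com/pizza.htm? HTTP/1.1" '
    '200 512 "-" "libwww-perl/5.805"',
    # Same probe with a percent-encoded scheme.
    '203.0.113.8 - - [20/Jul/2009:06:13:05 +0200] '
    '"GET /index.php?n=http%3A%2F%2F203.0.113.250%2Fx.txt HTTP/1.1" '
    '200 512 "-" "libwww-perl/5.805"',
    # Legitimate hit whose referer carries ".php?...=http://" (the case from the comment).
    '198.51.100.9 - - [20/Jul/2009:06:13:02 +0200] "GET /xxx/index.html HTTP/1.1" 200 9398 '
    '"http://images.google.es/imgres.php?n=http://www.example.com/xy/img.jpg" '
    '"Mozilla/5.0 (Windows; U; Windows NT 6.0; es-ES) Firefox/3.5.1"',
    # Ordinary local parameter value.
    '192.0.2.4 - - [20/Jul/2009:06:14:00 +0200] "GET /index.php?n=about HTTP/1.1" '
    '200 1200 "-" "Mozilla/5.0"',
]

# Assumed stand-in for what fail2ban substitutes for <HOST> (an IPv4/IPv6 literal).
HOST_RE = r'(?P<host>[0-9a-fA-F.:]+)'

# "http://", "ftp://" or their percent-encoded forms (http%3A%2F%2F).
SCHEME = r'(?:https?|ftp)(?::|%3[Aa])(?:/|%2[Ff]){2}'

# Assumed naive failregex: ".php?param=http://" anywhere after the host, so the
# referer field also matches. Not the filter the post distributes.
NAIVE_FAILREGEX = r'^<HOST> .*\.php\?[^=\s"]+=' + SCHEME

# Hardened failregex: consume the fixed fields of the combined format so that only
# the request line (the first quoted field) is inspected.
STRICT_FAILREGEX = (
    r'^<HOST> \S+ \S+ \[[^\]]+\] '            # ident, auth user, [timestamp]
    r'"(?:GET|POST|HEAD) '                    # method
    r'[^"\s?]*\.php\?'                        # path to a .php script, start of query
    r'(?:[^"\s&]*&)*'                         # any preceding query parameters
    r'[^"\s&=]+=' + SCHEME +                  # param=<remote URL>
    r'[^"\s]* HTTP/[0-9.]+"'                  # rest of URL, protocol, closing quote
)


def compile_failregex(failregex: str) -> re.Pattern:
    """Turn a fail2ban-style failregex into a Python regex by expanding <HOST>."""
    return re.compile(failregex.replace('<HOST>', HOST_RE), re.IGNORECASE)


def offending_hosts(lines, failregex: str) -> list:
    """Return the hosts the given failregex would report, in log order."""
    pattern = compile_failregex(failregex)
    hosts = []
    for line in lines:
        m = pattern.match(line)
        if m:
            hosts.append(m.group('host'))
    return hosts


if __name__ == '__main__':
    # The naive pattern also reports the Google Images visitor (198.51.100.9);
    # the strict one reports only the two probes.
    print('naive :', offending_hosts(SAMPLE_LOG, NAIVE_FAILREGEX))
    print('strict:', offending_hosts(SAMPLE_LOG, STRICT_FAILREGEX))
```

On a real fail2ban install the equivalent check is fail2ban-regex /var/www/example/logs/access_log /etc/fail2ban/filter.d/php-url-fopen.conf, which prints how many lines each failregex matched; with maxretry = 1 a single false positive is a ban, so run it over a day of legitimate traffic before enabling the jail.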