Fail2ban filter for PHP Injection attacks

Aren't you tired of the sheer volume of PHP remote file inclusion probes (the so-called PHP remote injection attacks) showing up in your access log? You know, the ones that look like this:

GET /index.php?n=http://eatmyfood.hostinginfive.com/pizza.htm?

Even if your web server is locked down and you set allow_url_fopen = Off in php.ini (and, on PHP 5.2 or later, leave allow_url_include at its default of Off, so include() cannot pull in a URL either), the probes are still annoying: each one costs a request and a log line, and the same source keeps coming back.

Save the filter as php-url-fopen.conf in your /etc/fail2ban/filter.d directory (the filter name in the jail below is resolved to that file), then add this block to jail.conf, or better to jail.local so that a package upgrade does not overwrite it, and restart fail2ban:

[php-url-fopen]

enabled = true
port    = http,https
filter  = php-url-fopen
logpath = /var/www/*/logs/access_log
maxretry = 1

And done :) One caveat: with maxretry = 1 a single matching line is enough to ban the client, so the failregex must only look at the request target, never at the referer, or you will ban legitimate visitors who arrive from a URL that happens to contain =http://.


Comments

I think your regular expression also bans legitimate entries where .php?n=http://**** appears in the REFERER.
For example, entries coming from Google Images or from banners:

xxx.xxx.xxx.xxx - - [20/Jul/2009:06:13:02 +0200] "GET /xxx/index.html HTTP/1.1" 200 9398 "http://images.google.es/imgres?imgurl=http://www.xxxx.com/xy/imagenes/img.jpg&imgrefurl=http://www.xxxx.com/xy/index.htnl&usg=__pCH0q6sy06ssIsB4zJu_YYsqNZE=&h=163&w=227&sz=44&hl=es&start=2&um=1&tbnid=hjOK7M4WBtfFHM:&tbnh=78&tbnw=108&prev=/images%3Fq%3Dpunto%2Boro%26hl%3Des%26client%3Dfirefox-a%26rls%3Dorg.mozilla:es-ES:official%26sa%3DG%26um%3D1" "Mozilla/5.0 (Windows; U; Windows NT 6.0; es-ES; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1 (.NET CLR 3.5.30729)"

[...] came with configurations for Apache 2 and vsftpd. In their wiki, there was a HOWTO for banning PHP-based file upload attacks, something which had begun to fill the logs with [...]

I'm on Ubuntu 8.04 and don't have any log files in the /var/www/ folder. What should I replace it with?

Nice feature, thank you. However, one needs to activate the "action" part or fail2ban won't start.

Apache logs on Red Hat based systems are at /var/log/httpd/access_log:

[php-url-fopen]

enabled = true
#port = http,https
filter = php-url-fopen
logpath = /var/log/httpd/access_log
maxretry = 1
action = iptables-multiport[name=PHP-fopen, port="http,https", protocol=tcp]

I love this feature. Can someone help me with the ignoreregex for the following log entry?

xxx.xxx.xxx.xxx - - [10/Jun/2011:15:20:39 +0200] "GET /forums/cron.php?rand=1307712039 HTTP/1.1" 200 352 "http://domain.net/forums/externalredirect.php?url=http://foo.com" "Mozilla/5.0 (Windows NT 6.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1"
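As an added example that is not part of the original post or of any comment: the post's filter file is not reproduced on the page, so the script below builds a filter of the same shape (an assumed failregex that inspects only the request target between the method and the HTTP version, plus an ignoreregex for a site's own redirect script, whose path /forums/externalredirect.php is taken from the comment above and treated as hypothetical), expands <HOST> with a simplified stand-in for fail2ban's own expansion, and runs it over constructed combined-format log lines: the probe from the post, the Google Images referer from the first comment and the forum cron line from the last comment, all with documentation IP addresses. It shows why matching on the request target rather than anywhere in the line avoids the referer false positives reported in the comments, and where an ignoreregex is still needed.

```python
"""Dry run of a fail2ban-style filter for PHP remote file inclusion probes.

Added example, not the filter from the original post. The regexes, the
<HOST> stand-in, the IP addresses and the log lines are all constructed.
"""
import configparser
import re
from collections import Counter

# Assumed, simplified stand-in for the pattern fail2ban substitutes for <HOST>.
HOST = r"(?P<host>\S+)"

# Constructed filter in the shape of /etc/fail2ban/filter.d/php-url-fopen.conf.
# failregex only inspects the request target (between the method and HTTP/x.y).
# The referer sits after the status and size fields, so "=http://" inside a
# referer can never satisfy it. The loose .*" prefix mirrors the stock
# "^<HOST> -.*" style so the pattern does not depend on how a given fail2ban
# version treats the timestamp.
# ignoreregex allowlists the site's own redirect script (hypothetical path),
# whose request target legitimately carries a URL in its query string.
FILTER_CONF = r"""
[Definition]
failregex = ^<HOST> \S+ \S+ .*"(?:GET|POST|HEAD) \S*\?\S*=https?://\S* HTTP/\d\.\d"
ignoreregex = ^<HOST> \S+ \S+ .*"(?:GET|POST|HEAD) /forums/externalredirect\.php\?url=
"""


def load_definition(conf_text):
    """Parse the [Definition] section and expand <HOST> as fail2ban would."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    section = cp["Definition"]
    fail = re.compile(section["failregex"].replace("<HOST>", HOST))
    ignore = re.compile(section["ignoreregex"].replace("<HOST>", HOST))
    return fail, ignore


FAIL, IGNORE = load_definition(FILTER_CONF)

# Constructed combined-format log lines (documentation IPs). The third and
# fourth are shortened versions of the legitimate lines quoted in the comments.
SAMPLE_LOG = [
    # the probe from the post, padded out to a full line
    '203.0.113.7 - - [20/Jul/2009:06:10:00 +0200] "GET /index.php?n=http://eatmyfood.hostinginfive.com/pizza.htm? HTTP/1.1" 404 311 "-" "Mozilla/4.0"',
    # same source again, POST and https variant
    '203.0.113.7 - - [20/Jul/2009:06:10:01 +0200] "POST /admin/index.php?page=https://203.0.113.99/cmd.txt? HTTP/1.0" 404 311 "-" "libwww-perl/5.805"',
    # visitor arriving from Google Images: "=http://" appears only in the referer
    '198.51.100.21 - - [20/Jul/2009:06:13:02 +0200] "GET /xxx/index.html HTTP/1.1" 200 9398 "http://images.google.es/imgres?imgurl=http://www.xxxx.com/xy/imagenes/img.jpg&imgrefurl=http://www.xxxx.com/xy/index.htnl" "Mozilla/5.0"',
    # forum cron hit with the redirect script in the referer
    '198.51.100.22 - - [10/Jun/2011:15:20:39 +0200] "GET /forums/cron.php?rand=1307712039 HTTP/1.1" 200 352 "http://domain.net/forums/externalredirect.php?url=http://foo.com" "Mozilla/5.0"',
    # the redirect script itself: matches failregex, rescued by ignoreregex
    '198.51.100.22 - - [10/Jun/2011:15:20:40 +0200] "GET /forums/externalredirect.php?url=http://foo.com HTTP/1.1" 302 0 "http://domain.net/forums/" "Mozilla/5.0"',
]


def classify(line):
    """Return the host to count for this line, or None if it does not match or is ignored."""
    if IGNORE.search(line):
        return None
    m = FAIL.search(line)
    return m.group("host") if m else None


def offenders(lines, maxretry=1):
    """Count matching lines per host and return the hosts that reached maxretry (the ban set)."""
    hits = Counter(h for h in map(classify, lines) if h)
    return {host: n for host, n in hits.items() if n >= maxretry}


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line) or "-", line[:72])
    print("would ban:", offenders(SAMPLE_LOG))
```

Running it shows that only 203.0.113.7 accumulates hits; both legitimate lines from the comments pass untouched, and the redirect script is caught by failregex but discarded by ignoreregex. With the real tools the equivalent check against a live log is `fail2ban-regex /var/log/httpd/access_log /etc/fail2ban/filter.d/php-url-fopen.conf`, which is worth running before enabling any jail with maxretry = 1.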
