Comentarios en: Fail2ban filter for PHP Injection attacks http://blogs.buanzo.com.ar/2009/04/fail2ban-filter-for-php-injection-attacks.html El blog de Buanzo y sus Secuaces Thu, 30 Jun 2011 18:50:28 +0000 hourly 1 http://wordpress.org/?v=3.2 Por: Bharath http://blogs.buanzo.com.ar/2009/04/fail2ban-filter-for-php-injection-attacks.html/comment-page-1#comment-2768 Bharath Wed, 15 Jun 2011 03:48:15 +0000 http://blogs.buanzo.com.ar/?p=5333#comment-2768 I love this feature, can some help me with the ignore regex for the following log entries xxx.xxx.xxx.xxx - - [10/Jun/2011:15:20:39 +0200] "GET /forums/cron.php?rand=1307712039 HTTP/1.1" 200 352 "http://domain.net/forums/externalredirect.php?url=http://foo.com" "Mozilla/5.0 (Windows NT 6.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1" I love this feature, can some help me with the ignore regex for the following log entries

xxx.xxx.xxx.xxx – - [10/Jun/2011:15:20:39 +0200] “GET /forums/cron.php?rand=1307712039 HTTP/1.1″ 200 352 “http://domain.net/forums/externalredirect.php?url=http://foo.com” “Mozilla/5.0 (Windows NT 6.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1″

]]> Por: sagichnich http://blogs.buanzo.com.ar/2009/04/fail2ban-filter-for-php-injection-attacks.html/comment-page-1#comment-2689 sagichnich Sun, 27 Feb 2011 03:59:13 +0000 http://blogs.buanzo.com.ar/?p=5333#comment-2689 Nice feature, thank you. However, one need to activate the "action" part or fail2ban won't start. Apache-logs on red hat based system lay at /var/log/httpd/access_log [php-url-fopen] enabled = true #port = http,https filter = php-url-fopen logpath = /var/log/httpd/access_log maxretry = 1 action = iptables-multiport[name=PHP-fopen, port="http,https", protocol=tcp] Nice feature, thank you. However, one need to activate the “action” part or fail2ban won’t start.

Apache-logs on red hat based system lay at /var/log/httpd/access_log

[php-url-fopen]

enabled = true
#port = http,https
filter = php-url-fopen
logpath = /var/log/httpd/access_log
maxretry = 1
action = iptables-multiport[name=PHP-fopen, port="http,https", protocol=tcp]

]]> Por: watt http://blogs.buanzo.com.ar/2009/04/fail2ban-filter-for-php-injection-attacks.html/comment-page-1#comment-2418 watt Tue, 13 Apr 2010 02:19:25 +0000 http://blogs.buanzo.com.ar/?p=5333#comment-2418 I'm on ubuntu 8.04 and don't have any log files in var/www/ folder. What should I replace it with? I’m on ubuntu 8.04 and don’t have any log files in var/www/ folder. What should I replace it with?

]]> Por: Ted Roche’s weblog » Adding Fail2Ban to the web site http://blogs.buanzo.com.ar/2009/04/fail2ban-filter-for-php-injection-attacks.html/comment-page-1#comment-1537 Ted Roche’s weblog » Adding Fail2Ban to the web site Mon, 31 Aug 2009 14:00:40 +0000 http://blogs.buanzo.com.ar/?p=5333#comment-1537 [...] came with configurations for Apache 2 and vsftpd. In their wiki, there was a HOWTO for banning PHP-based file upload attacks, something which had begun to fill the logs with [...] [...] came with configurations for Apache 2 and vsftpd. In their wiki, there was a HOWTO for banning PHP-based file upload attacks, something which had begun to fill the logs with [...]

]]> Por: fasuto http://blogs.buanzo.com.ar/2009/04/fail2ban-filter-for-php-injection-attacks.html/comment-page-1#comment-1489 fasuto Wed, 22 Jul 2009 08:54:04 +0000 http://blogs.buanzo.com.ar/?p=5333#comment-1489 Creo que con tu expresion regular tambien baneas entradas legitimas donde aparezca .php?n=http://**** en el REFERER. Por ejemplo, las entradas que vienen de google images o de banners: xxx.xxx.xxx.xxx - - [20/Jul/2009:06:13:02 +0200] "GET /xxx/index.html HTTP/1.1" 200 9398 "http://images.google.es/imgres?imgurl=http://www.xxxx.com/xy/imagenes/img.jpg&imgrefurl=http://www.xxxx.com/xy/index.htnl&usg=__pCH0q6sy06ssIsB4zJu_YYsqNZE=&h=163&w=227&sz=44&hl=es&start=2&um=1&tbnid=hjOK7M4WBtfFHM:&tbnh=78&tbnw=108&prev=/images%3Fq%3Dpunto%2Boro%26hl%3Des%26client%3Dfirefox-a%26rls%3Dorg.mozilla:es-ES:official%26sa%3DG%26um%3D1" "Mozilla/5.0 (Windows; U; Windows NT 6.0; es-ES; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1 (.NET CLR 3.5.30729)" Creo que con tu expresion regular tambien baneas entradas legitimas donde aparezca .php?n=http://****
en el REFERER.
Por ejemplo, las entradas que vienen de google images o de banners:

xxx.xxx.xxx.xxx – - [20/Jul/2009:06:13:02 +0200] “GET /xxx/index.html HTTP/1.1″ 200 9398 “http://images.google.es/imgres?imgurl=http://www.xxxx.com/xy/imagenes/img.jpg&imgrefurl=http://www.xxxx.com/xy/index.htnl&usg=__pCH0q6sy06ssIsB4zJu_YYsqNZE=&h=163&w=227&sz=44&hl=es&start=2&um=1&tbnid=hjOK7M4WBtfFHM:&tbnh=78&tbnw=108&prev=/images%3Fq%3Dpunto%2Boro%26hl%3Des%26client%3Dfirefox-a%26rls%3Dorg.mozilla:es-ES:official%26sa%3DG%26um%3D1″ “Mozilla/5.0 (Windows; U; Windows NT 6.0; es-ES; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1 (.NET CLR 3.5.30729)”

]]>