diff common/fail2ban/ibb-apache-exploits-instaban.conf @ 0:956e484adc12
Initial public release of Puppet configs
author | IBBoard <dev@ibboard.co.uk> |
---|---|
date | Sat, 16 Aug 2014 19:47:38 +0000 |
parents | |
children |
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/common/fail2ban/ibb-apache-exploits-instaban.conf Sat Aug 16 19:47:38 2014 +0000
@@ -0,0 +1,51 @@
+# Fail2Ban configuration file
+#
+# Author: IBBoard
+
+[Definition]
+
+# Option: failregex
+# Notes.: regex to match the password failure messages in the logfile. The
+# host must be matched by a group named "host". The tag "<HOST>" can
+# be used for standard IP/hostname matching and is only an alias for
+# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+# Values: TEXT
+#
+failregex = ^<HOST> .*"(?:GET|HEAD|POST) .*/proc/self/environ.*"
+ ^<HOST> .*"(?:GET|HEAD|POST) /w00tw00t\.at\..+\:\).*"
+ ^<HOST> .*"(?:GET|HEAD|POST) .*\?module=http(?:s)?:.*
+ ^<HOST> .*"(?:GET|HEAD|POST) .*\?write.phpdir=http(?:s)?:.*
+ ^<HOST> .*"(?:GET|HEAD|POST) .*\?src=http(?:s)?:.*
+ ^<HOST> .*"(?:GET|HEAD|POST) .*ivrrecording.php.*"
+ ^<HOST> .*"(?:GET|HEAD|POST) .*\?php=info&ip=uname.*"
+ ^<HOST> .*"(?:GET|HEAD|POST) .*\?input_file=http(?:s)?://.*
+ ^<HOST> .*"(?:GET|HEAD|POST) .*\?dir=http(?:s)?://.*
+ ^<HOST> .*"(?:GET|HEAD|POST) .*\?f=http(?:s)?://.*
+ ^<HOST> .*"(?:GET|HEAD|POST) .*([\+-]{5,})Result.*"
+ ^<HOST> .*"(?:GET|HEAD|POST) .*onmousedown=%%22
+ ^<HOST> .*"(?:GET|HEAD|POST) .*/bin/msgimport.*"
+ ^<HOST> .* " " [2-5]
+ ^<HOST> .*"(?:GET|HEAD|POST) .*//filemanager/.*"
+ ^<HOST> .*"(?:GET|HEAD|POST) .*//php[Mm]y[Aa]dmin.*"
+ ^<HOST> .*"(?:GET|HEAD|POST) .*///wp-content/themes/.*"
+ ^<HOST> .*"(?:GET|HEAD|POST) .*\?[^"]+union(?:%%20|\+)select.*
+ ^<HOST> .*"(?:GET|HEAD|POST) .*\?[[^"]+\+(?:and|or)\+(?:1|%%2[27][xy]%%2[27])%%3D(?:1|%%2[27][xy]%%2[27]).*
+ ^<HOST> .*"(?:GET|HEAD|POST) .*\?[^"]+\?\?\?
+ ^<HOST> .*"(?:GET|HEAD|POST) .*%%5BPLM=.*
+ ^<HOST> .*"(?:GET|HEAD|POST) /config/[^\.]+\.php\?[^"]+&sid=[a-z0-9]+
+ ^<HOST> .*\?.*(?:\.\./|%%2E%%2E%%2F){3,}.*%%00
+ ^<HOST> .*"\\x16\\x03\\x01"
+ ^<HOST> .*"PROPFIND /[^%%/"]%%24
+ ^<HOST> .*"(?:GET|HEAD|POST) /manager/status [^"]*" 404
+ ^<HOST> .*"(?:GET|HEAD|POST) [^"]*allow_url_include%%3d1.*
+ ^<HOST> .*"(?:GET|HEAD|POST) .*php://.*
+ ^<HOST> .*"CONNECT
+ ^<HOST> .*"POST "
+ ^<HOST> .*"(?:GET|POST) /[^"]+\.php.*174\.123\.231\.2(?:29|30)
+ ^<HOST> .*"(?:GET|HEAD|POST)[^"]+" 402
+
+# Option: ignoreregex
+# Notes.: regex to ignore. If this regex matches, the line is ignored.
+# Values: TEXT
+#
+ignoreregex =
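Review bot: The boolean-injection rule (`.*\?[[^"]+\+(?:and|or)\+…`) has a doubled `[`, so the class matches only the literal characters `[`, `^` and `"` rather than "anything up to the closing quote", and the rule will practically never fire; it should start `.*\?[^"]+\+(?:and|or)\+` like the `union` rule directly above it. Separately, most rules follow the method with an unbounded `.*`, so (assuming the combined log format) text in the Referer or User-Agent fields can satisfy them. For a filter that bans on the first hit, `[^"]*` in place of `.*` would confine each match to the request line, as the `/manager/status` and `allow_url_include` rules already do. The header comment still says "regex to match the password failure messages", which is template text; I would replace it with `# Notes.: regexes matching known exploit-probe requests in the Apache access log; one hit bans the host.`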