Mercurial > repos > other > Puppet
view common/fail2ban/ibb-apache-exploits-instaban.conf @ 35:1bb941522ebf puppet-3.6
Handle differences in firewalling between ASO (using APF) and most other hosts (using iptables)
author | IBBoard <dev@ibboard.co.uk> |
---|---|
date | Sat, 14 Mar 2015 20:01:17 +0000 |
parents | 956e484adc12 |
children |
line wrap: on
line source
# Fail2Ban configuration file # # Author: IBBoard [Definition] # Option: failregex # Notes.: regex to match the password failure messages in the logfile. The # host must be matched by a group named "host". The tag "<HOST>" can # be used for standard IP/hostname matching and is only an alias for # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) # Values: TEXT # failregex = ^<HOST> .*"(?:GET|HEAD|POST) .*/proc/self/environ.*" ^<HOST> .*"(?:GET|HEAD|POST) /w00tw00t\.at\..+\:\).*" ^<HOST> .*"(?:GET|HEAD|POST) .*\?module=http(?:s)?:.* ^<HOST> .*"(?:GET|HEAD|POST) .*\?write.phpdir=http(?:s)?:.* ^<HOST> .*"(?:GET|HEAD|POST) .*\?src=http(?:s)?:.* ^<HOST> .*"(?:GET|HEAD|POST) .*ivrrecording.php.*" ^<HOST> .*"(?:GET|HEAD|POST) .*\?php=info&ip=uname.*" ^<HOST> .*"(?:GET|HEAD|POST) .*\?input_file=http(?:s)?://.* ^<HOST> .*"(?:GET|HEAD|POST) .*\?dir=http(?:s)?://.* ^<HOST> .*"(?:GET|HEAD|POST) .*\?f=http(?:s)?://.* ^<HOST> .*"(?:GET|HEAD|POST) .*([\+-]{5,})Result.*" ^<HOST> .*"(?:GET|HEAD|POST) .*onmousedown=%%22 ^<HOST> .*"(?:GET|HEAD|POST) .*/bin/msgimport.*" ^<HOST> .* " " [2-5] ^<HOST> .*"(?:GET|HEAD|POST) .*//filemanager/.*" ^<HOST> .*"(?:GET|HEAD|POST) .*//php[Mm]y[Aa]dmin.*" ^<HOST> .*"(?:GET|HEAD|POST) .*///wp-content/themes/.*" ^<HOST> .*"(?:GET|HEAD|POST) .*\?[^"]+union(?:%%20|\+)select.* ^<HOST> .*"(?:GET|HEAD|POST) .*\?[[^"]+\+(?:and|or)\+(?:1|%%2[27][xy]%%2[27])%%3D(?:1|%%2[27][xy]%%2[27]).* ^<HOST> .*"(?:GET|HEAD|POST) .*\?[^"]+\?\?\? ^<HOST> .*"(?:GET|HEAD|POST) .*%%5BPLM=.* ^<HOST> .*"(?:GET|HEAD|POST) /config/[^\.]+\.php\?[^"]+&sid=[a-z0-9]+ ^<HOST> .*\?.*(?:\.\./|%%2E%%2E%%2F){3,}.*%%00 ^<HOST> .*"\\x16\\x03\\x01" ^<HOST> .*"PROPFIND /[^%%/"]%%24 ^<HOST> .*"(?:GET|HEAD|POST) /manager/status [^"]*" 404 ^<HOST> .*"(?:GET|HEAD|POST) [^"]*allow_url_include%%3d1.* ^<HOST> .*"(?:GET|HEAD|POST) .*php://.* ^<HOST> .*"CONNECT ^<HOST> .*"POST " ^<HOST> .*"(?:GET|POST) /[^"]+\.php.*174\.123\.231\.2(?:29|30) ^<HOST> .*"(?:GET|HEAD|POST)[^"]+" 402 # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. # Values: TEXT # ignoreregex =