view common/fail2ban/ibb-apache-exploits-instaban.conf @ 35:1bb941522ebf puppet-3.6

Handle differences in firewalling between ASO (using APF) and most other hosts (using iptables)
author IBBoard <dev@ibboard.co.uk>
date Sat, 14 Mar 2015 20:01:17 +0000
parents 956e484adc12
children
line wrap: on
line source

# Fail2Ban configuration file
#
# Author: IBBoard

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failure messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex =	^<HOST> .*"(?:GET|HEAD|POST) .*/proc/self/environ.*"
		^<HOST> .*"(?:GET|HEAD|POST) /w00tw00t\.at\..+\:\).*"
		^<HOST> .*"(?:GET|HEAD|POST) .*\?module=http(?:s)?:.*
		^<HOST> .*"(?:GET|HEAD|POST) .*\?write.phpdir=http(?:s)?:.*
		^<HOST> .*"(?:GET|HEAD|POST) .*\?src=http(?:s)?:.*
		^<HOST> .*"(?:GET|HEAD|POST) .*ivrrecording.php.*"
		^<HOST> .*"(?:GET|HEAD|POST) .*\?php=info&ip=uname.*"
		^<HOST> .*"(?:GET|HEAD|POST) .*\?input_file=http(?:s)?://.*
		^<HOST> .*"(?:GET|HEAD|POST) .*\?dir=http(?:s)?://.*
		^<HOST> .*"(?:GET|HEAD|POST) .*\?f=http(?:s)?://.*
		^<HOST> .*"(?:GET|HEAD|POST) .*([\+-]{5,})Result.*"
		^<HOST> .*"(?:GET|HEAD|POST) .*onmousedown=%%22
		^<HOST> .*"(?:GET|HEAD|POST) .*/bin/msgimport.*"
		^<HOST> .* " " [2-5]
		^<HOST> .*"(?:GET|HEAD|POST) .*//filemanager/.*"
		^<HOST> .*"(?:GET|HEAD|POST) .*//php[Mm]y[Aa]dmin.*"
		^<HOST> .*"(?:GET|HEAD|POST) .*///wp-content/themes/.*"
		^<HOST> .*"(?:GET|HEAD|POST) .*\?[^"]+union(?:%%20|\+)select.*
		^<HOST> .*"(?:GET|HEAD|POST) .*\?[[^"]+\+(?:and|or)\+(?:1|%%2[27][xy]%%2[27])%%3D(?:1|%%2[27][xy]%%2[27]).*
		^<HOST> .*"(?:GET|HEAD|POST) .*\?[^"]+\?\?\?
		^<HOST> .*"(?:GET|HEAD|POST) .*%%5BPLM=.*
		^<HOST> .*"(?:GET|HEAD|POST) /config/[^\.]+\.php\?[^"]+&sid=[a-z0-9]+
		^<HOST> .*\?.*(?:\.\./|%%2E%%2E%%2F){3,}.*%%00
                ^<HOST> .*"\\x16\\x03\\x01"
		^<HOST> .*"PROPFIND /[^%%/"]%%24
		^<HOST> .*"(?:GET|HEAD|POST) /manager/status [^"]*" 404
		^<HOST> .*"(?:GET|HEAD|POST) [^"]*allow_url_include%%3d1.*
		^<HOST> .*"(?:GET|HEAD|POST) .*php://.*
		^<HOST> .*"CONNECT
		^<HOST> .*"POST "
		^<HOST> .*"(?:GET|POST) /[^"]+\.php.*174\.123\.231\.2(?:29|30)
		^<HOST> .*"(?:GET|HEAD|POST)[^"]+" 402

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =