view common/fail2ban/ibb-apache-exploits-access.conf @ 6:b7c30595c97a

Add "Shellshock" exploit Fail2ban rule
author IBBoard <dev@ibboard.co.uk>
date Sun, 28 Sep 2014 08:03:46 +0000
parents 956e484adc12
children

# Fail2Ban configuration file
#
# Author: IBBoard

# Filter definition section of this Fail2ban configuration file.
[Definition]
# NOTE(review): maxretry is normally a jail-level option (jail.conf / jail.local).
# Confirm that Fail2ban honours it when set in a filter's [Definition] section;
# if it does not, the jail's own maxretry applies and this threshold of 2 has
# no effect.
maxretry = 2

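# Option:  failregex
# Notes.:  regexes matching access-log lines for requests that probe for
#          well-known web application paths or remote-include patterns. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
#          Patterns, in order:
#          1. paths containing setup/admin tool names (scripts/setup.php,
#             newticket, phpMyAdmin-x.y.z, [php]myadmin variants, pma,
#             sql/sqladmin/sqlweb/sqlmanager, roundcube, typo3, dbadmin)
#             answered with status 400, 402 or 404
#          2. a .php path followed by a further /<name>.php segment
#          3. a query parameter whose value starts with http:// and contains
#             shell.php, bot.php or "??" (only the http:// scheme is matched)
#          4. a double slash directly before wp-content/
#          5. wp-content/uploads/ for the years 2007, 2008 and 2009
#          6. /projects/<name>/.../newticket
#          7. wp-content/plugins/ answered with status 400-404
#          8. any request containing README answered with status 400-404
#          NOTE(review): patterns 1-5 and 7 use ".*" after the request method,
#          which is not limited to the request field, so the path fragment can
#          also be matched in a later quoted field of the same line (for
#          example a Referer) and count against a host that requested
#          something else. Tightening to [^"]* would prevent that but needs
#          testing against real log lines before it is deployed.
# Values:  TEXT
#
failregex = 	^<HOST> .*"(?:GET|HEAD|POST) .*/(?:scripts/setup\.php|newticket|phpMyAdmin-\d\.\d\.\d|(?:(?:php)?[Mm]y[Aa]dmin[0-9]?)|[Pp][Mm][Aa]|sql(?:admin|web|manager)?|roundcube|typo3|dbadmin)[^"]*" 40[024]
		^<HOST> .*"(?:GET|HEAD|POST) .*\.php/[^/"]+\.php
		^<HOST> .*"(?:GET|HEAD|POST) [^\?]+\?[^\?]+=http://[^&]+(?:(?:shell|bot)\.php|\?\?).*"
		^<HOST> .*"(?:GET|HEAD|POST) .*//wp-content/.*"
		^<HOST> .*"(?:GET|HEAD|POST) .*/wp-content/uploads/200[789]/.*"
		^<HOST> .*"(?:GET|HEAD|POST) /projects/[^/]+/[^"]+/newticket\ HTTP
		^<HOST> .*"(?:GET|HEAD|POST) .*/wp-content/plugins/[^"]*" 40[0-4]
		^<HOST> .*"(?:GET|HEAD|POST) [^"]*README[^"]*" 40[0-4]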

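# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
#          1. Lines whose user field (third column) does not start with "-",
#             i.e. requests logged with a user name.
#             NOTE(review): Apache's mod_log_config documentation says the
#             logged user may be bogus when the status is 401; confirm that
#             exempting such lines from failregex is intended.
#          2. GET/HEAD requests for .../phpmyadmin/favicon.ico. The pattern is
#             tied to the first quoted field of the line and to the path part
#             of the request, so the same text in a query string or in a later
#             field does not exempt a line from failregex. The dot is escaped
#             so only the literal file name matches.
#             NOTE(review): assumes the request is the first quoted field, as
#             in the common/combined log formats - confirm against the
#             LogFormat in use.
# Values:  TEXT
#
ignoreregex =	^[^ ]+ - [^-]+
		^[^"]*"(?:GET|HEAD) [^" ?]*/phpmyadmin/favicon\.ico[ ?]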