
Fail2ban additional filters

Apache

apache webmail phishing jail – regex and filter

Here are other examples of mail phishing that have happened on our network:

   [Fri Aug 19 10:33:08 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/cube
   [Fri Aug 19 10:33:08 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/round
   [Fri Aug 19 10:33:08 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/roundcube-0.2
   [Fri Aug 19 10:33:08 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/roundcube-0.1
   [Fri Aug 19 10:33:08 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/roundcubemail-0.1
   [Fri Aug 19 10:33:08 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/roundcubemail-0.2
   [Fri Aug 19 10:33:08 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/wm
   [Fri Aug 19 10:33:08 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/webmail2
   [Fri Aug 19 10:33:08 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/rms
   [Fri Aug 19 10:33:08 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/mail2
   [Fri Aug 19 10:33:09 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/mss2
   [Fri Aug 19 10:33:10 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/mss
   [Fri Aug 19 10:33:10 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/roundcubemail
   [Fri Aug 19 10:33:10 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/rc
   [Fri Aug 19 10:33:10 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/webmail
   [Fri Aug 19 10:33:10 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/roundcube
   [Fri Aug 19 10:33:10 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/mail

 

Jail

    [apache-webmail-phish]
    enabled  = true
    filter   = apache-webmail-phish
    action   = iptables[name=HTTP, port="80,443", protocol=tcp]
    logpath  = /var/log/apache2/error.log
    maxretry = 0
    bantime  = 864000
    findtime = 3600

Filter

    # Fail2Ban configuration file
    #
    # Author: Jackie Craig Sparks
    #
    # $Revision: 728 $
    #
    [Definition]
    # Looks for requests for Roundcube webmail paths that do not exist.
    # The trailing .{0,200} lets a request for the bare /roundcube path match as well.
    failregex = ^\[\w{1,3}.\w{1,3}.\d{1,2}.\d{1,2}:\d{1,2}:\d{1,2} \d{1,4}. \[error] \[client.<HOST>].File does not exist:.{1,40}roundcube.{0,200}
    ignoreregex =
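
The roundcube filter can be checked offline against the log excerpt before the jail is enabled. This is an added example, not part of the original post or of fail2ban: it emulates the `<HOST>` substitution with a simplified IPv4 group, uses a constructed pattern modelled on the page's regex (trailing quantifier `{0,200}`), and adds one constructed log line from 192.0.2.10; `fail2ban-regex` on the installed version remains the authoritative test.

```python
import re

# Simplified stand-in for fail2ban's <HOST> expansion (assumption: IPv4 only).
HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Constructed pattern modelled on the page's roundcube filter; the trailing
# quantifier is {0,200} so a request for the bare /roundcube path matches too.
ROUNDCUBE_FAILREGEX = (
    r"^\[\w{1,3} \w{1,3} \d{1,2} \d{1,2}:\d{1,2}:\d{1,2} \d{1,4}\] "
    r"\[error\] \[client <HOST>\] File does not exist:.{1,40}roundcube.{0,200}"
)

# Sample lines: a subset of the page's log excerpt plus one constructed line.
SAMPLE_LOG = """\
[Fri Aug 19 10:33:08 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/roundcube-0.2
[Fri Aug 19 10:33:08 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/wm
[Fri Aug 19 10:33:10 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/roundcube
[Fri Aug 19 10:33:10 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/webmail
[Fri Aug 19 10:35:00 2011] [error] [client 192.0.2.10] File does not exist: /var/www/skraps/favicon.ico
"""

def compile_failregex(failregex):
    """Expand <HOST> and refuse patterns that could never yield an address."""
    if "<HOST>" not in failregex:
        raise ValueError("failregex has no <HOST> tag, nothing to ban")
    return re.compile(failregex.replace("<HOST>", HOST_GROUP))

def evaluate(failregex, log_text):
    """Return (hits per host, lines the filter missed)."""
    pattern = compile_failregex(failregex)
    hits, missed = {}, []
    for line in log_text.splitlines():
        m = pattern.search(line)
        if m:
            hits[m.group("host")] = hits.get(m.group("host"), 0) + 1
        else:
            missed.append(line)
    return hits, missed

if __name__ == "__main__":
    hits, missed = evaluate(ROUNDCUBE_FAILREGEX, SAMPLE_LOG)
    print("hosts that would trip the jail:", hits)
    print("unmatched lines:", len(missed))
```

The scan's other guesses (wm, webmail) stay unmatched; the filter only needs one of the roundcube requests from a client to identify it, and the ordinary 404 from 192.0.2.10 is left alone.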

 

apache w00t w00t messages jail – regex and filter

Jail

    [apache-wootwoot]
    enabled  = true
    filter   = apache-wootwoot
    action   = iptables[name=HTTP, port="80,443", protocol=tcp]
    logpath  = /var/log/apache2/error.log
    maxretry = 0
    bantime  = 864000
    findtime = 3600

Filter

    # Fail2Ban configuration file
    #
    # Author: Jackie Craig Sparks
    #
    # $Revision: 728 $
    #
    [Definition]
    # w00tw00t scanner requests; <HOST> marks the client address fail2ban extracts and bans
    failregex = ^\[\w{1,3} \w{1,3} \d{1,2} \d{1,2}:\d{1,2}:\d{1,2} \d{1,4}] \[error] \[client <HOST>] File does not exist: \/.{1,20}\/(w00tw00t|wootwoot|WootWoot|WooTWooT).{1,250}
    ignoreregex =

 

apache-auth.conf

Modify "apache-auth.conf" to allow banning on a server using digest authentication

Hello, digest authentication is unaccounted for when Apache is using digest instead of basic authentication. So just edit the apache-auth.conf file and extend the regex to:

    failregex = [[]client <HOST>[]] .* user .* authentication failure
                [[]client <HOST>[]] .* user .* not found
                [[]client <HOST>[]] .* user .* password mismatch