Fail2ban additional filters
Apache
apache webmail phishing jail – regex and filter
Here are other examples of the webmail phishing scans that have occurred on our network:
[Fri Aug 19 10:33:08 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/cube
[Fri Aug 19 10:33:08 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/round
[Fri Aug 19 10:33:08 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/roundcube-0.2
[Fri Aug 19 10:33:08 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/roundcube-0.1
[Fri Aug 19 10:33:08 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/roundcubemail-0.1
[Fri Aug 19 10:33:08 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/roundcubemail-0.2
[Fri Aug 19 10:33:08 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/wm
[Fri Aug 19 10:33:08 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/webmail2
[Fri Aug 19 10:33:08 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/rms
[Fri Aug 19 10:33:08 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/mail2
[Fri Aug 19 10:33:09 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/mss2
[Fri Aug 19 10:33:10 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/mss
[Fri Aug 19 10:33:10 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/roundcubemail
[Fri Aug 19 10:33:10 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/rc
[Fri Aug 19 10:33:10 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/webmail
[Fri Aug 19 10:33:10 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/roundcube
[Fri Aug 19 10:33:10 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/mail
Jail
[apache-webmail-phish]
enabled = true
filter = apache-webmail-phish
action = iptables[name=HTTP, port="80,443", protocol=tcp]
logpath = /var/log/apache2/error.log
maxretry = 0
bantime = 864000
findtime = 3600
Filter
# Fail2Ban configuration file
#
# Author: Jackie Craig Sparks
#
# $Revision: 728 $
#
[Definition]
# Looks for "File does not exist" errors for roundcube webmail paths in the Apache error log
# (the original comment, copied from an SMTP filter, referred to failed password logins)
failregex = ^\[\w{1,3}.\w{1,3}.\d{1,2}.\d{1,2}:\d{1,2}:\d{1,2} \d{1,4}. \[error] \[client.<HOST>].File does not exist:.{1,40}roundcube.{1,200}
ignoreregex =
apache w00t w00t messages jail – regex and filter
Jail
[apache-wootwoot]
enabled = true
filter = apache-wootwoot
action = iptables[name=HTTP, port="80,443", protocol=tcp]
logpath = /var/log/apache2/error.log
maxretry = 0
bantime = 864000
findtime = 3600
Filter
# Fail2Ban configuration file
#
# Author: Jackie Craig Sparks
#
# $Revision: 728 $
#
[Definition]
# Woot woot messages (w00tw00t scanner probes). <HOST> must be used in place of a literal
# client address, otherwise fail2ban cannot extract the address to ban and rejects the regex
failregex = ^\[\w{1,3} \w{1,3} \d{1,2} \d{1,2}:\d{1,2}:\d{1,2} \d{1,4}] \[error] \[client <HOST>] File does not exist: \/.{1,20}\/(w00tw00t|wootwoot|WootWoot|WooTWooT).{1,250}
ignoreregex =
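Before enabling a jail it is worth checking its failregex against real log lines, as fail2ban-regex does. The script below is an added stand-alone stand-in for that check, not code from this page or from the fail2ban project: it expands the <HOST> tag into a capturing group in the shape fail2ban 0.8 uses (an assumption), runs the two filters above over a sample error log, and counts matching lines per client. The first three sample lines are from the scan shown above; the w00tw00t and favicon lines and the address 198.51.100.7 are constructed.

```python
import re

# Expansion of the <HOST> tag: a named group capturing an IPv4 address or
# hostname, in the shape fail2ban 0.8 substitutes for <HOST> (assumption).
HOST_GROUP = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# failregex lines of the two filters above (the w00tw00t one with <HOST>
# in place of a literal client IP, which fail2ban needs to know whom to ban).
ROUNDCUBE_FAILREGEX = (
    r"^\[\w{1,3}.\w{1,3}.\d{1,2}.\d{1,2}:\d{1,2}:\d{1,2} \d{1,4}. \[error] "
    r"\[client.<HOST>].File does not exist:.{1,40}roundcube.{1,200}"
)
WOOTWOOT_FAILREGEX = (
    r"^\[\w{1,3} \w{1,3} \d{1,2} \d{1,2}:\d{1,2}:\d{1,2} \d{1,4}] \[error] "
    r"\[client <HOST>] File does not exist: \/.{1,20}\/(w00tw00t|wootwoot|WootWoot|WooTWooT).{1,250}"
)

# Constructed sample of an Apache 2.2 error log: the first three lines are
# from the scan shown above, the last two are made up (198.51.100.7 is a
# documentation address) to give one hit and one benign miss for w00tw00t.
SAMPLE_LOG = """\
[Fri Aug 19 10:33:08 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/cube
[Fri Aug 19 10:33:10 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/roundcubemail
[Fri Aug 19 10:33:10 2011] [error] [client 207.171.3.138] File does not exist: /var/www/skraps/roundcube
[Sat Aug 20 01:02:03 2011] [error] [client 198.51.100.7] File does not exist: /var/www/skraps/w00tw00t.at.ISC.SANS.DFind:)
[Sat Aug 20 01:02:04 2011] [error] [client 198.51.100.7] File does not exist: /var/www/skraps/favicon.ico
"""


def compile_failregex(failregex):
    """Turn a fail2ban failregex into a Python pattern by expanding <HOST>."""
    return re.compile(failregex.replace("<HOST>", HOST_GROUP))


def count_hits(failregex, log_text):
    """Return {host: number of matching lines}, as fail2ban-regex summarises a log."""
    pattern = compile_failregex(failregex)
    hits = {}
    for line in log_text.splitlines():
        match = pattern.search(line)
        if match:
            host = match.group("host")
            hits[host] = hits.get(host, 0) + 1
    return hits


if __name__ == "__main__":
    for name, regex in (("roundcube", ROUNDCUBE_FAILREGEX), ("w00tw00t", WOOTWOOT_FAILREGEX)):
        print(name, count_hits(regex, SAMPLE_LOG))
```

Running it shows one hit per filter, and also that the roundcube pattern, which ends in .{1,200}, needs at least one character after "roundcube" and therefore does not count the request for exactly /var/www/skraps/roundcube.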
apache-auth.conf
Modify "apache-auth.conf" to allow banning on servers using digest authentication
Hello, digest authentication is unaccounted for when Apache uses digest instead of basic authentication. So just edit the apache-auth.conf file and extend the regex to:
failregex = [[]client <HOST>[]] .* user .* authentication failure
            [[]client <HOST>[]] .* user .* not found
            [[]client <HOST>[]] .* user .* password mismatch