I have a hobby box with Joomla 1.5 installed, and am testing
[fail2ban][1]'s capabilities to thwart attacks against this vulnerable CMS.
The server is running CentOS 6.x and the Apache 2 web server. SELinux is in
permissive mode.
I am currently experiencing an attack against an outdated Google Maps
plugin. In my server's access log there are tens of thousands of HEAD
requests against `plugin_googlemap2_proxy.php`.
I removed file `plugin_googlemap2_proxy.php`, but continue to see HEAD
requests attempting to access the file.
-------------------------------------------------------------------------------------
23.23.23.23 - - [25/Nov/2014:08:14:40 -0500] "HEAD /plugins/content/plugin_googlemap2_proxy.php?url=dontclickhere.com HTTP/1.1" 403 - "-" "Mozilla/5.0"
23.23.23.23 - - [25/Nov/2014:08:14:40 -0500] "HEAD /plugins/content/plugin_googlemap2_proxy.php?url=avoidthislink.com HTTP/1.1" 403 - "-" "Mozilla/5.0"
23.23.23.23 - - [25/Nov/2014:08:14:40 -0500] "HEAD /plugins/content/plugin_googlemap2_proxy.php?url=dontclickhere.com HTTP/1.1" 403 - "-" "Mozilla/5.0"
23.23.23.23 - - [25/Nov/2014:08:14:40 -0500] "HEAD /plugins/content/plugin_googlemap2_proxy.php?url=avoidthislink.com HTTP/1.1" 403 - "-" "Mozilla/5.0"
23.23.23.23 - - [25/Nov/2014:08:14:40 -0500] "HEAD /plugins/content/plugin_googlemap2_proxy.php?url=dontclickhere.com HTTP/1.1" 403 - "-" "Mozilla/5.0"
23.23.23.23 - - [25/Nov/2014:08:14:40 -0500] "HEAD /plugins/content/plugin_googlemap2_proxy.php?url=avoidthislink.com HTTP/1.1" 403 - "-" "Mozilla/5.0"
... and so on
-------------------------------------------------------------------------------------
I could manually drop the attacker's IP address in `iptables` or `routes`,
but I am trying to find out why `fail2ban` isn't handling this for me. IP
address 23.23.23.23 is not whitelisted.
I have two filters set up:
-------------------------------------------------------------------------------------
/etc/fail2ban/filter.d/http-head-dos.conf
[Definition]
failregex = ^<HOST> -.*HEAD*
ignoreregex =
and
/etc/fail2ban/filter.d/http-googlemap2-dos.conf
[Definition]
failregex = ^<HOST> -.*plugin_googlemap2_proxy.php*
ignoreregex =
-------------------------------------------------------------------------------------
Here are the relevant sections of `jail.conf`:
-------------------------------------------------------------------------------------
[http-head-dos]
enabled = true
port = http,https
filter = http-head-dos
logpath = /var/log/httpd/*_access_log
maxretry = 5
findtime = 100
bantime = 3000
action = iptables[name=HTTP, port=http, protocol=tcp]
[http-googlemap2-dos]
enabled = true
port = http,https
filter = http-googlemap2-dos
logpath = /var/log/httpd/*_access_log
maxretry = 1
findtime = 10
bantime = 3000
action = iptables[name=HTTP, port=http, protocol=tcp]
-------------------------------------------------------------------------------------
`logpath` is correct, and `fail2ban` has been restarted. Additionally, I
get matches when I apply the filter against the log file with
`fail2ban-regex`:
-------------------------------------------------------------------------------------
fail2ban-regex /var/log/httpd/joomla15_access_log "^<HOST> -.*plugin_googlemap2_proxy.php*"
Running tests
=============
Use failregex line : ^<HOST> -.*plugin_googlemap2_proxy.php*
Use log file : /var/log/httpd/joomla15_access_log
Results
=======
Failregex: 1389799 total
|- #) [# of hits] regular expression
| 1) [1389799] ^<HOST> -.*plugin_googlemap2_proxy.php*
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [1422754] Day/MONTH/Year:Hour:Minute:Second
`-
Lines: 1422754 lines, 0 ignored, 1389799 matched, 32955 missed
Missed line(s): too many to print. Use --print-all-missed to print all 32955 lines
-------------------------------------------------------------------------------------
Finally, here is the output of `fail2ban-client -d`:
-------------------------------------------------------------------------------------
# fail2ban-client -d | grep googlemap2
['add', 'http-googlemap2-dos', 'auto']
['set', 'http-googlemap2-dos', 'usedns', 'warn']
['set', 'http-googlemap2-dos', 'addlogpath', '/var/log/httpd/joomla15_access_log']
['set', 'http-googlemap2-dos', 'maxretry', 5]
['set', 'http-googlemap2-dos', 'findtime', 100]
['set', 'http-googlemap2-dos', 'bantime', 3000]
['set', 'http-googlemap2-dos', 'addfailregex', '^<HOST> -.*plugin_googlemap2_proxy.php*']
['set', 'http-googlemap2-dos', 'addaction', 'iptables']
['set', 'http-googlemap2-dos', 'actionban', 'iptables', 'iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>']
['set', 'http-googlemap2-dos', 'actionstop', 'iptables', 'iptables -D <chain> -p <protocol> --dport <port> -j fail2ban-<name>\niptables -F fail2ban-<name>\niptables -X fail2ban-<name>']
['set', 'http-googlemap2-dos', 'actionstart', 'iptables', 'iptables -N fail2ban-<name>\niptables -A fail2ban-<name> -j RETURN\niptables -I <chain> -p <protocol> --dport <port> -j fail2ban-<name>']
['set', 'http-googlemap2-dos', 'actionunban', 'iptables', 'iptables -D fail2ban-<name> -s <ip> -j <blocktype>']
['set', 'http-googlemap2-dos', 'actioncheck', 'iptables', "iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \\t]'"]
['set', 'http-googlemap2-dos', 'setcinfo', 'iptables', 'blocktype', 'REJECT --reject-with icmp-port-unreachable']
['set', 'http-googlemap2-dos', 'setcinfo', 'iptables', 'protocol', 'tcp']
['set', 'http-googlemap2-dos', 'setcinfo', 'iptables', 'name', 'HTTP']
['set', 'http-googlemap2-dos', 'setcinfo', 'iptables', 'chain', 'INPUT']
['set', 'http-googlemap2-dos', 'setcinfo', 'iptables', 'port', 'http']
-------------------------------------------------------------------------------------
PS: I am able to reproduce the attack from my laptop using
`ab -i -n 1000 -c 1000 http://example.com/plugins/content/plugin_googlemap2_proxy.php?url=dontclickhere.com`
and I am not being banned (my laptop IP is not whitelisted in fail2ban).
Why is `fail2ban` not dropping IP 23.23.23.23 (or me, when I reproduce the
attack just above)?
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
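As an added illustration (not part of the original post, and not fail2ban's own code), the following Python script replays constructed Apache access-log lines modelled on the ones quoted above through the maxretry/findtime counting rule a fail2ban jail applies, using a simplified IPv4-only stand-in for fail2ban's `<HOST>` expansion. It runs the posted failregex with the values jail.conf states (maxretry 1, findtime 10) and with the values the `fail2ban-client -d` dump actually reports for the same jail (maxretry 5, findtime 100), alongside a tighter regex that escapes the `.` in `.php` and anchors on the request method, since `php*` as written means `ph` followed by any number of `p`. It also includes a small check for a detail visible in the posted jail.conf: both jails pass `name=HTTP` to the iptables action, and that action's `actionstart` (shown in the dump) runs `iptables -N fail2ban-<name>`, so both jails claim one `fail2ban-HTTP` chain. The sample log lines, the `SAMPLE_LOG` and `JAILS` names, and the helper functions are all constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Stand-in for fail2ban's <HOST> expansion. fail2ban's own pattern also
# accepts IPv6 addresses and hostnames; the IPv4-only form is an assumption
# made to keep this example short.
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Apache access-log timestamp, e.g. [25/Nov/2014:08:14:40 -0500]
DATE_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")

# The failregex exactly as posted, and a tighter alternative. In the posted
# form "." matches any character and "php*" is "ph" plus any number of "p".
POSTED_REGEX = r"^<HOST> -.*plugin_googlemap2_proxy.php*"
TIGHT_REGEX = r'^<HOST> -.*"HEAD /plugins/content/plugin_googlemap2_proxy\.php'


def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def parse_time(line):
    """Pull the Apache timestamp out of a combined-format log line."""
    m = DATE_RE.search(line)
    if m is None:
        raise ValueError("no Apache timestamp in line: %r" % line)
    return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S")


def simulate_jail(lines, failregex, maxretry, findtime):
    """Replay log lines through one jail's ban rule.

    Returns (hits, bans): hits maps IP -> number of failregex matches seen,
    bans maps IP -> index of the line at which the jail would have banned it.
    The rule mirrored here is fail2ban's: ban once maxretry matches from the
    same IP fall inside a window of findtime seconds.
    """
    pat = compile_failregex(failregex)
    recent = defaultdict(deque)      # ip -> timestamps of matches in window
    hits = defaultdict(int)
    bans = {}
    for idx, line in enumerate(lines):
        m = pat.search(line)
        if m is None:
            continue
        ip = m.group("host")
        hits[ip] += 1
        if ip in bans:
            continue                 # already banned; re-banning is a no-op
        ts = parse_time(line)
        window = recent[ip]
        window.append(ts)
        while window and ts - window[0] > timedelta(seconds=findtime):
            window.popleft()         # drop matches older than findtime
        if len(window) >= maxretry:
            bans[ip] = idx
    return dict(hits), bans


# Matches "iptables[name=HTTP, port=http, protocol=tcp]" -> ("iptables", "HTTP")
ACTION_NAME_RE = re.compile(r"^(\w+)\[.*?\bname=([^,\]]+)")


def iptables_chain_collisions(jails):
    """Return {chain: [jail, ...]} for every chain claimed by more than one jail.

    The stock iptables action creates "fail2ban-<name>" at start, so two jails
    that both pass the same name= parameter fight over a single chain.
    """
    owners = defaultdict(list)
    for jail, action in jails.items():
        m = ACTION_NAME_RE.match(action)
        if m and m.group(1).startswith("iptables"):
            owners["fail2ban-" + m.group(2).strip()].append(jail)
    return {chain: js for chain, js in owners.items() if len(js) > 1}


# Constructed sample data for this example, modelled on the lines in the post.
def _line(ip, clock, method, path, status):
    return ('%s - - [25/Nov/2014:%s -0500] "%s %s HTTP/1.1" %s - "-" "Mozilla/5.0"'
            % (ip, clock, method, path, status))


PROXY = "/plugins/content/plugin_googlemap2_proxy.php?url=dontclickhere.com"
SAMPLE_LOG = [_line("23.23.23.23", "08:14:40", "HEAD", PROXY, 403) for _ in range(6)]
SAMPLE_LOG.append(_line("10.0.0.5", "08:14:41", "GET", "/index.php", 200))

JAILS = {  # action lines as they appear in the posted jail.conf
    "http-head-dos": "iptables[name=HTTP, port=http, protocol=tcp]",
    "http-googlemap2-dos": "iptables[name=HTTP, port=http, protocol=tcp]",
}

if __name__ == "__main__":
    for regex, maxretry, findtime in ((POSTED_REGEX, 1, 10),
                                      (POSTED_REGEX, 5, 100),
                                      (TIGHT_REGEX, 5, 100)):
        hits, bans = simulate_jail(SAMPLE_LOG, regex, maxretry, findtime)
        print("%-70s maxretry=%d findtime=%-3d hits=%s bans=%s"
              % (regex, maxretry, findtime, hits, bans))
    print("chain collisions:", iptables_chain_collisions(JAILS))
```

Running it shows that, on these lines, the regex question is already settled (every parameter set bans 23.23.23.23, at line 0 with maxretry 1 and at line 4 with maxretry 5), which leaves the other two places a ban can fail: the effective jail parameters differing from the file you edited, as the `-d` dump above suggests, and the action not being able to install its rule, which is what the shared `fail2ban-HTTP` chain name would bear on.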