Well, with thanks to everyone who helped - I now have this working!...

... or is it?

Dumb Question:
I am using this on a Fedora 27 server (my previous experience of F2B was when I was still on Fedora 18, when it certainly worked).

My scriptkiddies regex is working, and entries are appearing in iptables. But does Fedora 27 even use iptables anymore? I ask this because I did something whilst I was at work (the server in question is my home server) where I accidentally banned myself - except that I wasn't banned! There was an entry in iptables for my work address, but I was still able to access the site.

I think Fedora 27 uses firewalld. Is this different from iptables or does it sit on top of it?

If not, is it still possible to use F2B to ban using firewalld?

Apologies for the stupid questions. Looking forward to some help that will stop me scratching my head!

Many thanks

Mark
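As an added example (not code from anyone on this thread), this Python script runs the failregex variants quoted below over the access_log lines from Mark's original post and counts matches with and without case-insensitive matching, which shows why the quoted pattern matches nothing and why the upper-case PMA lines slip past Nick's pattern unless the match is case-insensitive. It assumes a simplified IPv4-only stand-in for fail2ban's `<HOST>` tag and applies each pattern to the whole raw line, whereas fail2ban matches after consuming the timestamp (no difference for these patterns).

```python
import re

# Constructed sample: the access_log lines quoted in Mark's original post,
# re-joined onto single lines.
ACCESS_LOG = """\
80.13.134.108 - - [16/May/2018:08:19:46 +0100] "GET /admin/pma/index.php HTTP/1.1" 404 217 "-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:46 +0100] "GET /admin/PMA/index.php HTTP/1.1" 404 217 "-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/mysql/index.php HTTP/1.1" 404 219 "-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/mysql2/index.php HTTP/1.1" 404 220 "-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /pma/index.php HTTP/1.1" 404 211 "-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /PMA/index.php HTTP/1.1" 404 211 "-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/phpmyadmin/index.php HTTP/1.1" 404 224 "-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/phpMyAdmin/index.php HTTP/1.1" 404 224 "-" "Mozilla/5.0"
80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/phpmyadmin2/index.php HTTP/1.1" 404 225 "-" "Mozilla/5.0"
"""

# Simplified IPv4-only stand-in for fail2ban's <HOST> tag (assumption: the
# real tag also accepts IPv6 addresses and hostnames).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The failregex variants posted in the thread, verbatim.
FILTERS = {
    "mark_original":  r"^<HOST>.*'[a|A]dmin.*40[3|4]'",
    "denis_fixed":    r"^<HOST>.*[a|A]dmin.*40[3|4]",
    "nick_simple":    r"<HOST>.*(pma|admin|mysql)2?\/index\.php",
    "nick_lookahead": r"^(?=[0-9\.]* - .*(pma|admin|mysql)2?\/index\.php )<HOST>",
}

def compile_failregex(failregex, ignore_case=False):
    """Expand <HOST> into a named group before handing the pattern to re."""
    flags = re.IGNORECASE if ignore_case else 0
    return re.compile(failregex.replace("<HOST>", HOST), flags)

def matched_hosts(failregex, log=ACCESS_LOG, ignore_case=False):
    """Return the host captured on each log line the filter matches."""
    rx = compile_failregex(failregex, ignore_case)
    return [m.group("host") for line in log.splitlines() if (m := rx.search(line))]

def match_counts(ignore_case=False):
    """Number of sample lines each filter would count as a failure."""
    return {name: len(matched_hosts(rx, ignore_case=ignore_case))
            for name, rx in FILTERS.items()}

if __name__ == "__main__":
    for case in (False, True):
        print("ignore_case=%s %s" % (case, match_counts(case)))
```

In Python's `re`, which fail2ban uses for its filters, prefixing a failregex with `(?i)` makes it case-insensitive regardless of how the caller compiles it.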

On 2018-05-16 21:17, Nick Howitt wrote:
Why not just do something like:
<HOST>.*(pma|admin|mysql)2?\/index\.php

and if you don't have an index.php, just filter for that. Don't make
it too fancy to pick up exact nuances if you have nothing remotely
like it on your server. I have not tested this and it does not have
the lookahead in it so I don't know how well it will work.

With a lookahead, something like:
^(?=[0-9\.]* - .*(pma|admin|mysql)2?\/index\.php )<HOST>

Nick

On 16/05/2018 20:20, Tony Collins wrote:
I'm just learning how to use regexes, and I created this one to cover all the different flavours of the "Jorgee" script that tries to access your phpmyadmin files.

I didn't base it on HTTP response codes because some of them come up as 200, some as 301/302 depending on exactly what is asked for, and some as 403/404.

As an aside, if anyone has any guidance for how to make this kind of regex better/less awful, I'd be interested - it would help the OP Mark as well. I just noticed Nick saying the filters are case insensitive, which means I've got work to do lol.


<HOST>.*(\/)?(_)?(([Mm]y)?[Ss]ql(\/)?)?([Pp][Mm][Aa](\d{3,})?(\/)?|(\d{1,})?(php)?(-)?[Mm]y(sql)?(-)?[Aa]dmin(-)?


On Wed, 16 May 2018 at 19:04, Denis Rasulev <rankl...@gmail.com> wrote:

    Hi,

    I would remove '' in your regex:

    failregex = ^<HOST>.*[a|A]dmin.*40[3|4]

    check how it works here: https://regex101.com/r/m5rBkH/1

    Bear in mind that on that site <HOST> is represented
    by (\d{1,3}\.){3}\d{3} (lame, I know, but works :))
    You can play / adjust your regex and then replace my ugly IP
    catching construction back to <HOST> in F2B.

    Also, to ban until hell freezes, try bantime = -1.

    Regards,
    Denis



    On Wed, May 16, 2018 at 7:48 PM Arthur Dent <arthurdent.lon...@gmail.com> wrote:

        Hello All,

        I have recently returned to F2B after a long absence, and my Linux
        skills (and, in particular my F2B regex skills) have faded.

        My web server frequently gets hammered with scriptkiddie attacks.
        A very typical entry in the httpd/access_log would look like this:
        80.13.134.108 - - [16/May/2018:08:19:46 +0100] "GET /admin/pma/index.php HTTP/1.1" 404 217 "-" "Mozilla/5.0"
        80.13.134.108 - - [16/May/2018:08:19:46 +0100] "GET /admin/PMA/index.php HTTP/1.1" 404 217 "-" "Mozilla/5.0"
        80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/mysql/index.php HTTP/1.1" 404 219 "-" "Mozilla/5.0"
        80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/mysql2/index.php HTTP/1.1" 404 220 "-" "Mozilla/5.0"
        80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /pma/index.php HTTP/1.1" 404 211 "-" "Mozilla/5.0"
        80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /PMA/index.php HTTP/1.1" 404 211 "-" "Mozilla/5.0"
        80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/phpmyadmin/index.php HTTP/1.1" 404 224 "-" "Mozilla/5.0"
        80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/phpMyAdmin/index.php HTTP/1.1" 404 224 "-" "Mozilla/5.0"
        80.13.134.108 - - [16/May/2018:08:19:47 +0100] "GET /admin/phpmyadmin2/index.php HTTP/1.1" 404 225 "-" "Mozilla/5.0"
        (and so on... Usually about 20-30 similar lines)

        In attempting to keep these idiots out of my logs I have
        tried to use an F2B jail.

        The filter I have created is:

        [Definition]
        failregex = ^<HOST>.*'[a|A]dmin.*40[3|4]'

        Note: I know that not all the entries above contain "admin"
        (and that it is a rather crude way of doing this), but all the
        attacks do have several lines in them that *do* contain the word admin.

        The jail I have created is:
        [scriptkiddies]
        enabled  = true
        port     = http,https
        filter   = scriptkiddies
        action   = iptables[name=Scriptkiddies, port=http, protocol=tcp]
                   sendmail-whois[name=Scriptkiddies, dest=root, sender=fail2...@example.com]
        logpath  = /var/log/httpd/access_log
        bantime  = 3600 # Until Hell freezes over if I could
        findtime = 600
        maxretry = 5

        However -
        This does not work. What have I done wrong?

        Any help gratefully accepted.

        Mark

        ------------------------------------------------------------------------------
        Check out the vibrant tech community on one of the world's most
        engaging tech sites, Slashdot.org! http://sdm.link/slashdot
        _______________________________________________
        Fail2ban-users mailing list
        Fail2ban-users@lists.sourceforge.net
        https://lists.sourceforge.net/lists/listinfo/fail2ban-users
