On 4/17/2021 8:03 AM, Lentes, Bernd wrote:
Hi,

If you have a web server running on port 80 or 443, you see a lot of people 
trying to find applications, PHP front ends or stuff like that with default 
passwords or known vulnerabilities.
Most of them get status codes like 401, 403 or 404.
Is there a way to create jails when someone gets some of these codes within a 
certain time?

Thanks.


Bernd



_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users


I myself briefly considered the idea of banning on the basis of HTTP status codes, but quickly realized it would have the problem that Peter Heirich describes.

However, I also dislike the idea of using mod_security (which I do run) because it also has some of the same problems as the HTTP codes.

After studying the logs a bit, I found that most of the attempted exploits are easily recognized and, in fact, most of them involve a dependence on the presence of various subdirectories on the server. The filters are very easy to write. I am currently using the following filter against Apache access logs:

[Definition]
ignoreregex =
# the timestamp is the first bracketed field of the access-log line
datepattern = ^[^\[]*\[({DATE})

# continuation lines of a multi-line failregex must stay indented
failregex = ^<HOST> \|[^"]*"GET /.*HelloThink
            ^<HOST> \|[^"]*"GET /(solr|vendor|console|debug|remote|_profiler|Autodiscover|wp-content|_ignition)/

NOTE: The first "|" in each regex line is dependent on the fact that my access logs use that character as a field separator.

The exploits that depend on a subdirectory are caught by the long "OR" expression on the second filter line. (The list of the names in the OR expression keeps growing.)

This approach has the advantage that it targets the precise group that is attempting to take over my machine, because it recognizes the patterns of known attempts. Of course, none of the exploits will actually work on my Linux server, but they do spam several logs. More importantly, the same actors could potentially in the future find a way to penetrate my system due to a new exploit that hasn't yet been patched. But jailing them on one of these failed attempts can conceivably save me.

Phil


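As an added example, not part of Phil's post and not fail2ban's own code: the Python below applies his two failregex lines to constructed access-log lines in the "|"-separated format his note describes, then applies a fail2ban-style maxretry/findtime window so you can see which hosts would end up in the jail. The IPv4-only expansion of <HOST>, the Apache %d/%b/%Y:%H:%M:%S %z timestamp layout inside the brackets, and every address and path in the sample are assumptions made for this example; to test the real filter, run fail2ban-regex against your own access log and filter file.

```python
"""Added example: Phil's path-based fail2ban filter, re-run in Python over
constructed Apache access-log lines, plus an approximation of the
maxretry/findtime jail logic. Hosts, paths and log lines are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# fail2ban expands <HOST> to a broad IP/hostname matcher; this example
# assumes plain IPv4 client addresses, which is all the sample uses.
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Phil's two failregex lines, unchanged apart from the <HOST> substitution.
# Both expect the client IP to be followed by " |" because his LogFormat
# uses "|" as the field separator (see his note above).
FAILREGEX = [
    r'^<HOST> \|[^"]*"GET /.*HelloThink',
    r'^<HOST> \|[^"]*"GET /(solr|vendor|console|debug|remote|_profiler|Autodiscover|wp-content|_ignition)/',
]
COMPILED = [re.compile(p.replace("<HOST>", HOST_RE)) for p in FAILREGEX]

# Phil's datepattern picks the first "[...]" field; the layout inside it is
# assumed to be Apache's default timestamp format.
DATE_RE = re.compile(r"^[^\[]*\[([^\]]+)\]")
DATE_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed access-log lines in the assumed "|"-separated format.
SAMPLE_LOG = [
    '203.0.113.5 |- |- |[17/Apr/2021:08:03:01 +0000] |"GET /wp-content/plugins/x/x.php HTTP/1.1" |404 |196',
    '203.0.113.5 |- |- |[17/Apr/2021:08:03:02 +0000] |"GET /vendor/phpunit/x.php HTTP/1.1" |404 |196',
    '203.0.113.5 |- |- |[17/Apr/2021:08:03:03 +0000] |"POST /vendor/phpunit/x.php HTTP/1.1" |404 |196',  # POST: both regexes only look at GET
    '203.0.113.5 |- |- |[17/Apr/2021:08:03:04 +0000] |"GET /index.php?s=x&vars[1][]=HelloThinkPHP HTTP/1.1" |404 |196',
    '198.51.100.7 |- |- |[17/Apr/2021:08:05:00 +0000] |"GET /index.html HTTP/1.1" |200 |5120',
    '198.51.100.7 |- |- |[17/Apr/2021:08:05:01 +0000] |"GET /wp-content/themes/x/style.css HTTP/1.1" |404 |196',  # a single hit stays under maxretry
    '192.0.2.9 |- |- |[17/Apr/2021:08:10:00 +0000] |"GET /_ignition/execute-solution HTTP/1.1" |404 |196',
    '192.0.2.9 |- |- |[17/Apr/2021:09:10:00 +0000] |"GET /console/ HTTP/1.1" |404 |196',  # an hour later: the first hit has aged out of findtime
    '192.0.2.9 |- |- |[17/Apr/2021:09:10:01 +0000] |"GET /debug/default/view HTTP/1.1" |404 |196',
    '192.0.2.9 |- |- |[17/Apr/2021:09:10:02 +0000] |"GET /remote/login HTTP/1.1" |404 |196',
    '192.0.2.9 - - [17/Apr/2021:09:10:03 +0000] "GET /solr/admin/ HTTP/1.1" 404 196',  # default combined format: no " |", so the filter never matches
]


def match_line(line):
    """Return (host, timestamp) if any failregex matches the line, else None."""
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            d = DATE_RE.match(line)
            if d is None:
                return None  # fail2ban skips lines it cannot date
            return m.group("host"), datetime.strptime(d.group(1), DATE_FMT)
    return None


def find_bans(lines, maxretry=3, findtime=600):
    """Approximate fail2ban's jail logic: a host is banned once it produces
    `maxretry` matches inside any `findtime`-second window.

    Returns {host: timestamp of the match that triggered the ban}.
    """
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)
    bans = {}
    for line in lines:
        hit = match_line(line)
        if hit is None:
            continue
        host, ts = hit
        if host in bans:
            continue
        q = recent[host]
        q.append(ts)
        while ts - q[0] > window:  # forget matches older than findtime
            q.popleft()
        if len(q) >= maxretry:
            bans[host] = ts
    return bans


if __name__ == "__main__":
    for host, when in find_bans(SAMPLE_LOG).items():
        print(f"ban {host} at {when.isoformat()}")
```

Two of the sample lines illustrate caveats worth checking against a real log before relying on this filter. The last line is in Apache's default combined format and never matches, which is Phil's point about the "|" separator: on a server with the default LogFormat the filter silently bans nobody, so the " \|" after <HOST> has to be adapted. The POST line is also unmatched, because both regexes look only for "GET; the same probe sent with POST would not count toward maxretry.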