On 28/06/2021 02:27, Robert Kudyba wrote:
from /etc/fail2ban/filter.d/apache-nohome.conf (note the awkward English in the description)

# Fail2Ban filter to web requests for home directories on Apache servers
# Regex to match failures to find a home directory on a server, which
# became popular last days. Most often attacker just uses IP instead of
# domain name -- so expect to see them in generic error.log if you have
# per-domain log files.

failregex = ^%(_apache_error_client)s (AH00128: )?File does not exist: .*/~.*

from /etc/fail2ban/filter.d/apache-noscript.conf

# Fail2Ban filter to block web requests for scripts (on non scripted websites)
#
# This matches many types of scripts that don't exist. This could generate a
# lot of false positive matches in cases like wikis and forums where users
# no affiliated with the website can insert links to missing files/scripts into
# pages and cause non-malicious browsers of the site to trigger against this
# filter.

# If you'd like to match specific URLs that don't exist see the
# apache-botsearch filter.

script = /\S*(?:php(?:[45]|[.-]cgi)?|\.asp|\.exe|\.pl|\bcgi-bin/)
prefregex = ^%(_apache_error_client)s (?:AH0(?:01(?:28|30)|1(?:264|071)|2811): )?(?:(?:[Ff]ile|script|[Gg]ot) )<F-CONTENT>.+</F-CONTENT>$
failregex = ^(?:does not exist|not found or unable to stat): <script>\b
             ^'<script>\S*' not found or unable to stat
             ^error '[Pp]rimary script unknown(?:\\n)?'

# DEV Notes:
# https://wiki.apache.org/httpd/ListOfErrors for apache error IDs
#
# Second regex, script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat\s*$ is in httpd-2.2

So both jails are being triggered from logs like the following as students are testing web pages and scripts. Super annoying as then the recidive jail kicks in if this happens multiple times in a day.

[Sun Jun 27 16:58:32.343853 2021] [core:info] [pid 848366:tid 848413] [client xx.xx.xx.xx:55135] AH00130: File does not exist: /home/ourusers/user1/public_html/cgi-bin/html.txt/symbols1207036.txt, referer: https://ourdomain.edu/~user1/index.htmlLAB6

/var/log/httpd/error_log-20210627:[Fri Jun 25 20:53:54.993410 2021] [core:info] [pid 1323104:tid 1323286] [client xx.xx.xx.xx:59706] AH00128: File does not exist: /home/ourusers/user2/public_html/cgi-bin/exchanges214609.txt, referer: https://oudomain.edu/~user2/index.htmlLAB6

/var/log/httpd/error_log-20210627:[Thu Jun 24 21:56:37.719781 2021] [core:info] [pid 1323103:tid 1323303] [client xx.xx.xx.xx:50676] AH00128: File does not exist: /home/ourusers/user3/public_html/cgi-bin/exchanges3875252.txt, referer: https://ourdomain.edu/~user3/index.htmlLAB06

Are these jails meant to be kept separate? Or does anyone know if one is deprecated over the other?

You don't have to have the jails enabled!

Also have you considered whitelisting your LAN?
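To see why lines like the ones quoted trip both filters, and what the LAN whitelist suggested in the reply changes, here is an added Python example (not fail2ban's code and not from the thread) that runs the two filters' regexes from the quoted config over constructed log lines. The `_apache_error_client` prefix is an IPv4-only stand-in I assume for fail2ban's apache-common.conf definition, and fail2ban's own timestamp stripping is replaced by an explicit prefix that consumes it.

```python
import ipaddress
import re

# Constructed lines modelled on the thread's (10/8 and RFC 5737 addresses, not real clients).
SAMPLE_LINES = [
    "[Sun Jun 27 16:58:32.343853 2021] [core:info] [pid 848366:tid 848413] [client 10.20.30.40:55135] "
    "AH00130: File does not exist: /home/ourusers/user1/public_html/cgi-bin/html.txt/symbols1207036.txt, referer: https://ourdomain.edu/~user1/index.html",
    "[Fri Jun 25 20:53:54.993410 2021] [core:info] [pid 1323104:tid 1323286] [client 203.0.113.5:59706] "
    "AH00128: File does not exist: /home/ourusers/user2/public_html/cgi-bin/exchanges214609.txt, referer: https://ourdomain.edu/~user2/index.html",
    "[Fri Jun 25 21:00:00.000000 2021] [core:info] [pid 1323104:tid 1323286] [client 198.51.100.7:40001] "
    "AH00128: File does not exist: /var/www/html/favicon.ico",
]

# Assumed stand-in for %(_apache_error_client)s (IPv4 only). fail2ban strips the
# timestamp before matching; the leading "[...] " here consumes it instead.
_HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
_CLIENT = (r"^\[[^\]]+\] \[(?:error|\S+:\S+)\](?: \[pid \d+(?::tid \d+)?\])?"
           r" \[client " + _HOST + r"(?::\d{1,5})?\]")
CLIENT_RE = re.compile(_CLIENT)

# apache-nohome.conf failregex: ".*/~.*" is satisfied by a "/~user/" referer as well.
NOHOME = re.compile(_CLIENT + r" (AH00128: )?File does not exist: .*/~.*")

# apache-noscript.conf: prefregex isolates <F-CONTENT>, the failregex list runs on it.
SCRIPT = r"/\S*(?:php(?:[45]|[.-]cgi)?|\.asp|\.exe|\.pl|\bcgi-bin/)"
NOSCRIPT_PRE = re.compile(_CLIENT + r" (?:AH0(?:01(?:28|30)|1(?:264|071)|2811): )?"
                          r"(?:(?:[Ff]ile|script|[Gg]ot) )(?P<content>.+)$")
NOSCRIPT = [re.compile(r"^(?:does not exist|not found or unable to stat): " + SCRIPT + r"\b"),
            re.compile(r"^'" + SCRIPT + r"\S*' not found or unable to stat"),
            re.compile(r"^error '[Pp]rimary script unknown(?:\\n)?'")]

def match_jails(line):
    """Return (client IP, [names of the filters whose regexes match this line])."""
    m = CLIENT_RE.match(line)
    if not m:
        return None, []
    hits = []
    if NOHOME.match(line):
        hits.append("apache-nohome")
    pre = NOSCRIPT_PRE.match(line)
    if pre and any(r.search(pre.group("content")) for r in NOSCRIPT):
        hits.append("apache-noscript")
    return m.group("host"), hits

def should_ban(line, ignoreip):
    """Same, but a client inside any ignoreip network (the LAN whitelist) never counts."""
    host, hits = match_jails(line)
    if host and any(ipaddress.ip_address(host) in ipaddress.ip_network(n) for n in ignoreip):
        return host, []
    return host, hits
```

With the regexes as quoted, apache-nohome fires only on the AH00128 variant and only because `/~user/` appears in the referer, while apache-noscript fires on both lines via `cgi-bin/`; the `ignoreip` check is what actually spares the on-campus client.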


_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users