Fail2ban filter for PHP Injection attacks

Publicado el 1/abril/2009 por Buanzo

Aren’t you just tired of the massive amount of PHP Remote Injection attacks registered in your access log? You know, the ones that look like this:

GET /index.php?n=http://eatmyfood.hostinginfive.com/pizza.htm?

Even if you secure your webserver, and set allow_url_fopen = false in php.ini, the attack is still annoying.

Just make sure you save this file to your /etc/fail2ban/filter.d directory, then add this block to jail.conf and restart fail2ban:

[php-url-fopen]

enabled = true
port    = http,https
filter  = php-url-fopen
logpath = /var/www/*/logs/access_log
maxretry = 1

And done 🙂

Readers who viewed this page, also viewed:

Acerca de Buanzo

Io que se!
Esta entrada fue publicada en General. Guarda el enlace permanente.

6 respuestas a Fail2ban filter for PHP Injection attacks

  1. fasuto dijo:
    22/julio/2009 a las 5:54

    Creo que con tu expresion regular tambien baneas entradas legitimas donde aparezca .php?n=http://****
    en el REFERER.
    Por ejemplo, las entradas que vienen de google images o de banners:

    xxx.xxx.xxx.xxx – – [20/Jul/2009:06:13:02 +0200] «GET /xxx/index.html HTTP/1.1» 200 9398 «http://images.google.es/imgres?imgurl=http://www.xxxx.com/xy/imagenes/img.jpg&imgrefurl=http://www.xxxx.com/xy/index.htnl&usg=__pCH0q6sy06ssIsB4zJu_YYsqNZE=&h=163&w=227&sz=44&hl=es&start=2&um=1&tbnid=hjOK7M4WBtfFHM:&tbnh=78&tbnw=108&prev=/images%3Fq%3Dpunto%2Boro%26hl%3Des%26client%3Dfirefox-a%26rls%3Dorg.mozilla:es-ES:official%26sa%3DG%26um%3D1» «Mozilla/5.0 (Windows; U; Windows NT 6.0; es-ES; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1 (.NET CLR 3.5.30729)»

  2. Pingback: Ted Roche’s weblog » Adding Fail2Ban to the web site

  3. watt dijo:
    12/abril/2010 a las 23:19

    I’m on ubuntu 8.04 and don’t have any log files in var/www/ folder. What should I replace it with?

  4. sagichnich dijo:
    27/febrero/2011 a las 0:59

    Nice feature, thank you. However, one need to activate the «action» part or fail2ban won’t start.

    Apache-logs on red hat based system lay at /var/log/httpd/access_log

    [php-url-fopen]

    enabled = true
    #port = http,https
    filter = php-url-fopen
    logpath = /var/log/httpd/access_log
    maxretry = 1
    action = iptables-multiport[name=PHP-fopen, port=»http,https», protocol=tcp]

  5. Bharath dijo:
    15/junio/2011 a las 0:48

    I love this feature, can some help me with the ignore regex for the following log entries

    xxx.xxx.xxx.xxx – – [10/Jun/2011:15:20:39 +0200] «GET /forums/cron.php?rand=1307712039 HTTP/1.1» 200 352 «http://domain.net/forums/externalredirect.php?url=http://foo.com» «Mozilla/5.0 (Windows NT 6.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1»

  6. Pingback: Xulen | Julián Fernández | blog

Los comentarios están cerrados.