Aren't you tired of the sheer number of PHP remote file inclusion (RFI) probes that show up in your access log? You know, the ones that look like this:
GET /index.php?n=http://eatmyfood.hostinginfive.com/pizza.htm?
Even if you have hardened the web server and set allow_url_fopen = Off in php.ini (and, on PHP 5.2 or later, allow_url_include = Off, which is the setting that actually stops include() and require() from loading a URL), the probes still clutter the log.
Save the filter file as /etc/fail2ban/filter.d/php-url-fopen.conf (the name the jail's filter = line points to), add this block to jail.conf and restart fail2ban. Note that with maxretry = 1 a single matching request is enough to ban a client, so the filter's regular expression must match the request line only and never the Referer field:
[php-url-fopen]
enabled = true
port = http,https
filter = php-url-fopen
logpath = /var/www/*/logs/access_log
maxretry = 1
And done 🙂
I think your regular expression also bans legitimate entries where .php?n=http://**** appears
in the REFERER.
For example, entries coming from Google Images or from banners:
xxx.xxx.xxx.xxx - - [20/Jul/2009:06:13:02 +0200] "GET /xxx/index.html HTTP/1.1" 200 9398 "http://images.google.es/imgres?imgurl=http://www.xxxx.com/xy/imagenes/img.jpg&imgrefurl=http://www.xxxx.com/xy/index.htnl&usg=__pCH0q6sy06ssIsB4zJu_YYsqNZE=&h=163&w=227&sz=44&hl=es&start=2&um=1&tbnid=hjOK7M4WBtfFHM:&tbnh=78&tbnw=108&prev=/images%3Fq%3Dpunto%2Boro%26hl%3Des%26client%3Dfirefox-a%26rls%3Dorg.mozilla:es-ES:official%26sa%3DG%26um%3D1" "Mozilla/5.0 (Windows; U; Windows NT 6.0; es-ES; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1 (.NET CLR 3.5.30729)"
Pingback: Ted Roche’s weblog » Adding Fail2Ban to the web site
I'm on Ubuntu 8.04 and don't have any log files in the /var/www/ folder. What should I replace it with?
Nice feature, thank you. However, one needs to activate the "action" part or fail2ban won't start.
Apache logs on Red Hat based systems are at /var/log/httpd/access_log
[php-url-fopen]
enabled = true
#port = http,https
filter = php-url-fopen
logpath = /var/log/httpd/access_log
maxretry = 1
action = iptables-multiport[name=PHP-fopen, port="http,https", protocol=tcp]
I love this feature. Can someone help me with the ignoreregex for the following log entries?
xxx.xxx.xxx.xxx - - [10/Jun/2011:15:20:39 +0200] "GET /forums/cron.php?rand=1307712039 HTTP/1.1" 200 352 "http://domain.net/forums/externalredirect.php?url=http://foo.com" "Mozilla/5.0 (Windows NT 6.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1"
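The Referer false positive raised in the Google Images comment above and the ignoreregex asked for in the comment just above both come down to how the filter's failregex is written. The following Python script is an added example, not the post's filter file (which is not reproduced on this page) and not code from any commenter: it runs a loose failregex and a tight one over constructed access_log lines modelled on the entries quoted on this page (documentation-range IPs, example.com and domain.net hostnames), using the same <HOST> placeholder and ignoreregex semantics fail2ban applies. HOST_RE is a simplified stand-in for fail2ban's own <HOST> expansion, and TIGHT_FAILREGEX and IGNOREREGEX are my own patterns, all assumptions rather than anything taken from the original filter.

```python
import re

# Constructed sample access_log lines (documentation-range IPs, not a real
# server), modelled on the entries quoted in the post and the comments above.
SAMPLE_LOG = [
    # 1. the remote file inclusion probe the post is about:
    #    a parameter in the request line whose value is a full URL
    '203.0.113.7 - - [20/Jul/2009:06:13:02 +0200] '
    '"GET /index.php?n=http://eatmyfood.hostinginfive.com/pizza.htm? HTTP/1.1" '
    '200 1234 "-" "libwww-perl/5.805"',
    # 2. a legitimate visitor arriving from Google Images:
    #    the URL-valued parameter is in the Referer field only
    '198.51.100.9 - - [20/Jul/2009:06:13:02 +0200] '
    '"GET /xxx/index.html HTTP/1.1" 200 9398 '
    '"http://images.google.es/imgres?imgurl=http://www.example.com/xy/img.jpg'
    '&imgrefurl=http://www.example.com/xy/index.html" "Mozilla/5.0"',
    # 3. the forum cron request from the last comment: again the URL is in
    #    the Referer, the request line itself is harmless
    '198.51.100.10 - - [10/Jun/2011:15:20:39 +0200] '
    '"GET /forums/cron.php?rand=1307712039 HTTP/1.1" 200 352 '
    '"http://domain.net/forums/externalredirect.php?url=http://foo.com" "Mozilla/5.0"',
    # 4. the site's own redirect endpoint being called directly: a URL-valued
    #    parameter in the request line that is legitimate on this site
    '198.51.100.10 - - [10/Jun/2011:15:20:30 +0200] '
    '"GET /forums/externalredirect.php?url=http://foo.com HTTP/1.1" 302 0 '
    '"http://domain.net/forums/" "Mozilla/5.0"',
]

# Simplified stand-in for fail2ban's own <HOST> expansion (an assumption; the
# real pattern differs between fail2ban versions).
HOST_RE = r'(?P<host>[0-9a-fA-F:.]+)'

# A loose failregex of the kind the Google Images comment describes: the
# unbounded .* runs past the closing quote of the request field into the
# Referer, so any referring URL with a ?...=http:// parameter matches.
NAIVE_FAILREGEX = r'^<HOST> .*"(?:GET|POST) .*\?.*=https?://'

# Tight failregex (hypothetical, not the post's filter file): it walks the
# combined log format field by field, and [^" ]* cannot cross the closing
# quote of the request field, so Referer and User-Agent are never inspected.
TIGHT_FAILREGEX = (
    r'^<HOST> \S+ \S+ \[[^\]]+\] '
    r'"(?:GET|POST|HEAD) \S*\?[^" ]*=(?:https?|ftp)://[^" ]* HTTP/\d\.\d"'
)

# ignoreregex for this site's own redirector, whose request line legitimately
# carries a URL-valued parameter; fail2ban drops a line that matches
# ignoreregex even when failregex matches it too.
IGNOREREGEX = r'"(?:GET|POST) /forums/externalredirect\.php\?url='


def compile_failregex(pattern):
    """Expand <HOST> the way fail2ban does and compile the result."""
    return re.compile(pattern.replace('<HOST>', HOST_RE))


def offenders(lines, failregex, ignoreregex=None):
    """Return the host of every line failregex matches and ignoreregex does not."""
    fail = compile_failregex(failregex)
    ignore = re.compile(ignoreregex) if ignoreregex else None
    hosts = []
    for line in lines:
        if ignore is not None and ignore.search(line):
            continue  # fail2ban skips ignoreregex matches before counting
        match = fail.search(line)
        if match:
            hosts.append(match.group('host'))
    return hosts


if __name__ == '__main__':
    print('naive failregex:        ', offenders(SAMPLE_LOG, NAIVE_FAILREGEX))
    print('tight failregex:        ', offenders(SAMPLE_LOG, TIGHT_FAILREGEX))
    print('tight + ignoreregex:    ', offenders(SAMPLE_LOG, TIGHT_FAILREGEX, IGNOREREGEX))
```

The loose pattern bans all four clients, including the two whose only URL-valued parameter sits in the Referer; the tight pattern bans only the probe and the direct call to the site's own redirector, and the ignoreregex exempts that last one. In the filter file the two patterns go under [Definition] as `failregex =` and `ignoreregex =`; fail2ban ships fail2ban-regex for exactly this kind of check against a real log, e.g. `fail2ban-regex /var/log/httpd/access_log /etc/fail2ban/filter.d/php-url-fopen.conf`, which reports which lines matched and which were excluded by ignoreregex. With maxretry = 1, run that before enabling the jail: any endpoint of your own that takes an absolute URL as a parameter needs an ignoreregex entry or its users get banned on their first request.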
Pingback: Xulen | Julián Fernández | blog