
Re: [LUG] iptables and hackers

 

taylorjoshu00@xxxxxxxxxxxxxx wrote:
> I'm sure you can set fail2ban to look for errors in the apache log; would that
> help?
> 
> ------Original Message------
> From: Dan Dart
> Sender: list-bounces@xxxxxxxxxxxxx
> To: list@xxxxxxxxxxxxx
> ReplyTo: list@xxxxxxxxxxxxx
> Subject: Re: [LUG] iptables and hackers
> Sent: 30 Aug 2011 19:56
> 
> Fail2ban by default works on SSHD and does a good job at it.
> Maybe there's a script/IDS0 somewhere that says... "Too many 404/500s
> for dodgy URLs? Block!"
> 

I have my Fail2ban on a hair-trigger :-)
(watch out for re-wrapped text in the following)

/etc/fail2ban/jail.local
[DEFAULT]
destemail = fit@localhost
action = %(action_mwl)s

[apache-noscript]

enabled = true
maxretry = 1

/etc/fail2ban/filter.d/apache-noscript.conf
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 658 $
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failure messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
failregex = [[]client <HOST>[]] (File does not exist|script not found or unable to stat): .*/(cgi-bin|admin|Admin|sql|mail|phpmyadmin|file:|php|pma|web|PMA|PMA2006|pma2006|sqlmanager|mysqlmanager|PMA2005|phpmyadmin-old|phpmyadminold|pma2005|phpmanager|mysql|myadmin|webadmin|sqlweb|websql|webdb|mysqladmin|mysql-admin|phpmyadmin2|phpMyAdmin2|phpMyAdmin-2|php-my-admin|cms|clan|site|seite|page|forum|wbb2|board|wbb|archive|forumv2|forumv1|b0ard|f0rum|wbb1|wbb3|wbblite|directforum|board23|board2|board3|WBB|WBB2|html|phpkit|page|phpkit_1.6.1|clan|myadmin|webadmin|sqlweb|websql|webdb|mysqladmin|mysql-admin|phpmyadmin2|php-my-admin|phpMyAdmin-2.2.3|phpMyAdmin-2.2.6|phpMyAdmin-2.5.1|phpMyAdmin-2.5.4|phpMyAdmin-2.5.6|phpMyAdmin-2.6.0|phpMyAdmin-2.6.0-pl1|phpMyAdmin-2.6.2-rc1|phpMyAdmin-2.6.3|phpMyAdmin-2.6.3-pl1|phpMyAdmin-2.6.3-rc1|padmin|datenbank|database|horde|horde2|horde3|horde-3.0.9|Horde|README|horde-3.0.9|adserver|phpAdsNew|phpadsnew|phpads|Ads|ads|xmlrpc|xmlsrv|blog|drupal|community|blogs|blogtest|appserver|roundcube|rc|mail|mail2|roundcubemail|rms|webmail2|webmail|wm|bin|roundcubemail-0.1|roundcubemail-0.2|roundcube-0.1|roundcube-0.2|roun|cube|wp-login.php|ucp.php|main.php|thisdoesnotexistahaha.php|\.asp|\.dll|\.exe|\.pl)


# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

best regards
Dave
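
As an added example (not part of Dave's post or of the fail2ban project), the following Python applies a filter of this shape to constructed Apache 2.2 error_log lines the way fail2ban-regex would: the <HOST> tag is expanded to the group the filter's comment names, each matching line counts one hit for that host, and with maxretry = 1 a host is banned on its first hit. The alternation is a short subset of Dave's list; it keeps the `html` alternative to show that a benign 404 beneath a DocumentRoot such as /var/www/html also matches, which is the false-positive risk of a hair-trigger.

```python
import re

# fail2ban 0.8 expands the <HOST> tag to this group (quoted in the filter's own comments).
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>\S+)"

# A short subset of the alternation in Dave's filter; the real one lists many more names.
# "\[client <HOST>\]" is equivalent to the filter's "[[]client <HOST>[]]" spelling.
FAILREGEX = (
    r"\[client <HOST>\] (File does not exist|script not found or unable to stat): "
    r".*/(cgi-bin|phpmyadmin|pma|html|wp-login.php|\.php|\.asp|\.exe|\.pl)"
)


def compile_failregex(failregex):
    """Substitute <HOST> the way fail2ban does, then compile the resulting regex."""
    return re.compile(failregex.replace("<HOST>", HOST_TAG))


def banned_hosts(log_lines, failregex=FAILREGEX, maxretry=1):
    """Count matching lines per host; return {host: hits} for hosts that reached maxretry."""
    pattern = compile_failregex(failregex)
    hits = {}
    for line in log_lines:
        m = pattern.search(line)
        if m:
            host = m.group("host")
            hits[host] = hits.get(host, 0) + 1
    return {host: n for host, n in hits.items() if n >= maxretry}


# Constructed Apache 2.2 error_log lines (the format this filter was written against).
SAMPLE_LOG = [
    "[Tue Aug 30 19:56:01 2011] [error] [client 192.0.2.10] File does not exist: /var/www/phpmyadmin",
    "[Tue Aug 30 19:56:02 2011] [error] [client 192.0.2.10] File does not exist: /var/www/pma",
    "[Tue Aug 30 19:57:30 2011] [error] [client 198.51.100.7] File does not exist: /var/www/robots.txt",
    # A benign 404 under a DocumentRoot named /var/www/html: the "html" alternative matches it.
    "[Tue Aug 30 19:58:00 2011] [error] [client 203.0.113.5] File does not exist: /var/www/html/favicon.ico",
]

if __name__ == "__main__":
    for host, n in banned_hosts(SAMPLE_LOG).items():
        print(f"{host}: {n} hit(s) -> banned with maxretry = 1")
```

Raising maxretry (or removing broad alternatives such as `html`, `page` or `site` from the list) is what keeps the robots.txt and favicon.ico style of miss from triggering a ban.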

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq