服务器 Gind.cn
  1. 服务器 Gind.cn
  3. fail2ban apache-noscript不工作
Intereting Posts
Apache:将POST参数添加到每个请求 Linux glibc版本2.18及以上 – 漏洞 使用cPanel限制VPS上的特定软件包的数据库大小 我应该selectOpenVZ上的KVM / XEN还是一起使用? WSUSvariables和LanSafe客户端安装 后缀configuration(中继访问) 如果存在,Nginx将提供纯文件,否则将提供/index.php VNC查看器问题 – 显示黑屏 多个RAIDconfiguration? VirtualHost / .htaccess – 从.comredirect到.se / en不工作/忽略(Polylang?) Apache 2.2 – > 2.4升级:权限被拒绝on / 仅当从其他机器调用页面时,Apache的“403 Forbidden”错误消息 pipe理API appengine.apps.authorizedCertificates.patch返回200未知的错误 HaProxy TCP子域名 我怎样才能让NGINX有条件地redirect到HTTPS?

fail2ban apache-noscript不工作

我的debian服务器最近受到攻击,我一直在研究日志,看看我能做些什么来加固它。 我一直在运行fail2ban一段时间,但我注意到,apache-noscript监狱似乎并没有工作。 fail2ban软件包最近已经更新,这个特定的监狱的内容已经改变,但我不知道它曾经工作过。 这是现在的监狱: 

# Fail2Ban configuration file # # Author: Cyril Jaquier # # $Revision: 728 $ # [INCLUDES] # Read common prefixes. If any customizations available -- read them from # common.local before = apache-common.conf [Definition] # Option: failregex # Notes.: regex to match the password failure messages in the logfile. The # host must be matched by a group named "host". The tag "<HOST>" can # be used for standard IP/hostname matching and is only an alias for # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) # Values: TEXT # failregex = ^%(_apache_error_client)s (File does not exist|script not found or unable to stat): /\S*(\.php|\.asp|\.exe|\.pl)\s*$ ^%(_apache_error_client)s script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat\s*$ # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. # Values: TEXT # ignoreregex =

它现在指的是apache-common.conf,它看起来像这样: 

 # Generic configuration items (to be used as interpolations) in other # apache filters # # Author: Yaroslav Halchenko # # [INCLUDES] # Load customizations if any available after = apache-common.local [DEFAULT] # Common prefix for [error] apache messages which also would include <HOST> _apache_error_client = \[[^]]+\] \[error\] \[client <HOST>\]

这是我的jail.local: 

 # Fail2Ban configuration file # # Author: Cyril Jaquier # # $Revision: 728 $ # [INCLUDES] # Read common prefixes. If any customizations available -- read them from # common.local before = apache-common.conf [Definition] # Option: failregex # Notes.: regex to match the password failure messages in the logfile. The # host must be matched by a group named "host". The tag "<HOST>" can # be used for standard IP/hostname matching and is only an alias for # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) # Values: TEXT # failregex = ^%(_apache_error_client)s (File does not exist|script not found or unable to stat): /\S*(\.php|\.asp|\.exe|\.pl)\s*$ ^%(_apache_error_client)s script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat\s*$ # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. # Values: TEXT # ignoreregex = root@serverb3:/etc/fail2ban/filter.d# cat ../jail.local # Fail2Ban configuration file. # # This file was composed for Debian systems from the original one # provided now under /usr/share/doc/fail2ban/examples/jail.conf # for additional examples. # # To avoid merges during upgrades DO NOT MODIFY THIS FILE # and rather provide your changes in /etc/fail2ban/jail.local # # Author: Yaroslav O. Halchenko <[email protected]> # # $Revision$ # # The DEFAULT allows a global definition of the options. They can be overridden # in each jail afterwards. [DEFAULT] # "ignoreip" can be an IP address, a CIDR mask or a DNS host ignoreip = 127.0.0.1/8 62.84.178.107 217.204.106.228 192.168.10.0/24 192.168.0.1 #ignoreip = 127.0.0.1/8 bantime = 600 maxretry = 3 # "backend" specifies the backend used to get files modification. Available # options are "gamin", "polling" and "auto". # yoh: For some reason Debian shipped python-gamin didn't work as expected # This issue left ToDo, so polling is default backend for now backend = auto # # Destination email address used solely for the interpolations in # jail.{conf,local} configuration files. destemail = root@localhost # # ACTIONS # # Default banning action (eg iptables, iptables-new, # iptables-multiport, shorewall, etc) It is used to define # action_* variables. Can be overridden globally or per # section within jail.local file banaction = iptables-multiport # email action. Since 0.8.1 upstream fail2ban uses sendmail # MTA for the mailing. Change mta configuration parameter to mail # if you want to revert to conventional 'mail'. mta = sendmail # Default protocol protocol = tcp # Specify chain where jumps would need to be added in iptables-* actions chain = INPUT # # Action shortcuts. To be used to define action parameter # The simplest action to take: ban only action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] # ban & send an e-mail with whois report to the destemail. action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"] # ban & send an e-mail with whois report and relevant log lines # to the destemail. action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"] # Choose default action. To change, just override value of 'action' with the # interpolation to the chosen action shortcut (eg action_mw, action_mwl, etc) in jail.local # globally (section [DEFAULT]) or per specific section action = %(action_)s # # JAILS # # Next jails corresponds to the standard configuration in Fail2ban 0.6 which # was shipped in Debian. Enable any defined here jail by including # # [SECTION_NAME] # enabled = true # # in /etc/fail2ban/jail.local. # # Optionally you may override any other parameter (eg banaction, # action, port, logpath, etc) in that section within jail.local [ssh] enabled = true port = 666 filter = sshd logpath = /var/log/auth.log [dropbear] enabled = false port = ssh filter = sshd logpath = /var/log/dropbear maxretry = 6 # Generic filter for pam. Has to be used with action which bans all ports # such as iptables-allports, shorewall [pam-generic] enabled = true # pam-generic filter can be customized to monitor specific subset of 'tty's filter = pam-generic # port actually must be irrelevant but lets leave it all for some possible uses port = all banaction = iptables-allports port = anyport logpath = /var/log/auth.log [xinetd-fail] enabled = true filter = xinetd-fail port = all banaction = iptables-multiport-log logpath = /var/log/daemon.log maxretry = 2 [ssh-ddos] enabled = true port = 666 filter = sshd-ddos logpath = /var/log/auth.log # # HTTP servers # [apache] enabled = true port = http,https filter = apache-auth logpath = /var/log/apache*/*error.log # default action is now multiport, so apache-multiport jail was left # for compatibility with previous (<0.7.6-2) releases [apache-multiport] enabled = false port = http,https filter = apache-auth logpath = /var/log/apache*/*error.log maxretry = 6 [apache-noscript] enabled = true port = http,https filter = apache-noscript logpath = /var/log/apache*/*error.log maxretry = 0 bantime = 2419200 [apache-overflows] enabled = true port = http,https filter = apache-overflows logpath = /var/log/apache*/*error.log maxretry = 2 [apache-nohome] enabled = true port = http,https filter = apache-nohome logpath = /var/log/apache*/*error.log findtime = 600 [apache-404] enabled = true port = http,https filter = apache-404 logpath = /var/log/apache*/*access.log findtime = 600 maxretry = 5 bantime = 86400 [apache-400] enabled = true port = http,https filter = apache-400 logpath = /var/log/apache*/*.log maxretry = 0 bantime = 2419200 [web-admin] enabled = true port = http,https filter = web-admin logpath = /var/log/auth.log [apache-w00t] enabled = true port = http,https filter = apache-w00t logpath = /var/log/apache*/*access.log maxretry = 0 bantime = 2419200 [apache-vtigercrm] enabled = true port = http,https filter = apache-vtigercrm logpath = /var/log/apache*/*access.log maxretry = 0 bantime = 2419200 [apache-vicidial] enabled = true port = http,https filter = apache-vicidial logpath = /var/log/apache*/*access.log maxretry = 0 bantime = 2419200 [apache-phpmyadmin] enabled = true port = http,https filter = apache-phpmyadmin logpath = /var/log/apache*/*access.log maxretry = 0 bantime = 2419200 # # FTP servers # [vsftpd] enabled = false port = ftp,ftp-data,ftps,ftps-data filter = vsftpd logpath = /var/log/vsftpd.log # or overwrite it in jails.local to be # logpath = /var/log/auth.log # if you want to rely on PAM failed login attempts # vsftpd's failregex should match both of those formats maxretry = 6 [proftpd] enabled = true port = ftp,ftp-data,ftps,ftps-data filter = proftpd logpath = /var/log/proftpd/proftpd.log [pure-ftpd] enabled = false port = ftp,ftp-data,ftps,ftps-data filter = pure-ftpd logpath = /var/log/auth.log maxretry = 6 [wuftpd] enabled = false port = ftp,ftp-data,ftps,ftps-data filter = wuftpd logpath = /var/log/auth.log maxretry = 6 # # Mail servers # [postfix] enabled = true port = smtp,ssmtp filter = postfix logpath = /var/log/mail.log maxretry = 5 bantime = 86400 [couriersmtp] enabled = false port = smtp,ssmtp filter = couriersmtp logpath = /var/log/mail.log [roundcube] enabled = true port = http,https filter = roundcube logpath = /home/web/roundcube*/logs/errors findtime = 600 # # Mail servers authenticators: might be used for smtp,ftp,imap servers, so # all relevant ports get banned # [courierauth] enabled = false port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s filter = courierlogin logpath = /var/log/mail.log [sasl] enabled = false port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s filter = sasl maxretry = 6 # You might consider monitoring /var/log/mail.warn instead if you are # running postfix since it would provide the same log lines at the # "warn" level but overall at the smaller filesize. logpath = /var/log/mail.log [dovecot] enabled = true port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s filter = dovecot logpath = /var/log/mail.log findtime = 600 # DNS Servers # These jails block attacks against named (bind9). By default, logging is off # with bind9 installation. You will need something like this: # # logging { # channel security_file { # file "/var/log/named/security.log" versions 3 size 30m; # severity dynamic; # print-time yes; # }; # category security { # security_file; # }; # }; # # in your named.conf to provide proper logging # !!! WARNING !!! # Since UDP is connection-less protocol, spoofing of IP and imitation # of illegal actions is way too simple. Thus enabling of this filter # might provide an easy way for implementing a DoS against a chosen # victim. See # http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html # Please DO NOT USE this jail unless you know what you are doing. #[named-refused-udp] # #enabled = false #port = domain,953 #protocol = udp #filter = named-refused #logpath = /var/log/named/security.log [named-refused-tcp] enabled = false port = domain,953 protocol = tcp filter = named-refused logpath = /var/log/named/security.log

所有其他的监狱正在尽我所能地工作。

如果我运行fail2ban-regex "/var/log/apache2/error.log" /etc/fail2ban/filter.d/apache-noscript.conf它会得到两个命中。 它发现的IP地址之一被禁止,因为它也触发了另一个监狱,但另一个IP地址并没有被禁止(即grep fail2ban日志“noscript”没有得到命中,没有在“iptables -L -n”) 。 以下是来自apache error.log的相关条目:

[Wed Nov 13 02:11:06 2013] [error] [client 91.226.212.41] script'/home/web/remote.php'not found or unable to stat

[Fri Nov 15 00:20:34 2013] [error] [client 85.114.135.126] script'/home/web/wp-login.php'找不到或无法统计

在我看来,这两个条目应该引发了监狱。 任何想法,为什么他们没有?

TIA。

我知道这是一个古老的线程,但仍然在这个话题的谷歌search之上。 升级Debian到Stretch(和这样的Apache到2.4.25)后,我遇到了一个非常类似的问题,

Fail2Ban工作正常,但一些Apache相关的监狱不符合其filter的正则expression式模式。 经过几个小时的反复试验,我发现fail2ban使用标签来标识远程主机,但是它只replace了IP地址/主机名,并且由于在主机IP之后添加了端口来创build更新的Apache日志,将不匹配。

所以fail2ban的apache-noscript.conf中的原始正则expression式行: 

 [[]client <HOST>[]] script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat*$

与错误日志中的相应行不匹配,如: 

 [client 213.97.42.29:50067] script '/home/www/vhost/webroot/wp-login.php' not found or unable to stat

在可选:端口模式添加到正则expression式后,它的工作就像魅力。

请注意,标记在可选的端口号正则expression式模式之前,因此必须在以下之间添加[字符,如下所示: 

 <HOST>(:\d{1,5})?

所以在修改之后,同样的行看起来像这样: 

 [[]client <HOST>(:\d{1,5})?[]] script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat*$

我希望这将有助于未来的人。

我也注意到apache-noscript.conf无法捕获像script not found or unable to stat: /usr/lib/cgi-bin/php及其变种/var/log/apache2/error.log在我的debian wheezy笔记本电脑 

 [Fri Dec 20 20:09:34 2013] [error] [client 89.248.160.192] script not found or unable to stat: /usr/lib/cgi-bin/php [Fri Dec 20 20:09:34 2013] [error] [client 89.248.160.192] script not found or unable to stat: /usr/lib/cgi-bin/php4 [Fri Dec 20 20:09:35 2013] [error] [client 89.248.160.192] script not found or unable to stat: /usr/lib/cgi-bin/php5 [Fri Dec 20 20:09:35 2013] [error] [client 89.248.160.192] script not found or unable to stat: /usr/lib/cgi-bin/php-cgi [Fri Dec 20 20:09:36 2013] [error] [client 89.248.160.192] script not found or unable to stat: /usr/lib/cgi-bin/php.cgi

仔细检查了/etc/fail2ban/filter.d/apache-noscript.conf这个filter之后,我意识到在failregexexpression式中缺lessphp及其变种没有一个领先的时期就是过滤失败的原因。

通过如下所示添加\ php | \ php4 | \ php5 | \ php-cgi | \ php.cgi来修改failregexexpression式后, 

 failregex = ^%(_apache_error_client)s (File does not exist|script not found or unable to stat: /\S*(\php|\php4|\php5|\php-cgi|\php.cgi|\.php|\.asp|\.exe|\.pl)\s*$

并通过运行testingfilter 

 fail2ban-regex "/var/log/apache2/error.log" /etc/fail2ban/filter.d/apache-noscript.conf

filter捕获所有script not found or unable to stat: /usr/lib/cgi-bin/php条目及其变体! 问题解决了。 我希望这可以帮助别人。

奇怪的是,我的apache error.log中的以下行昨天触发了监狱: 

 [Tue Nov 26 02:17:58 2013] [error] [client 193.17.208.73] script '/home/web/admin.php' not found or unable to stat

所以我想这是工作。 奇怪。