How to create a fail2ban filter for phpmyadmin attacks

I'm trying to work out how to create a failregex filter for fail2ban to stop the attack below. I tried the following failregex expressions, but they don't match anything in /var/log/https/error_log

failregex = ^\[[^\]]+\] \[error\] \[client <HOST>\].*File does not exist: .*pma* *\s*$ 

or

 failregex = ^[[^\]]+\] \[error\] \[client <HOST>\] File does not exist: *phpyadmin* *\s*$ 

This is the probe I'm trying to create the rule for

 [Sat Aug 05 15:42:46 2017] [error] [client 109.188.133.141] File does not exist: /var/www/vhosts/default/htdocs/phpmyadmin2015
 [Sat Aug 05 15:42:46 2017] [error] [client 109.188.133.141] File does not exist: /var/www/vhosts/default/htdocs/phpmyadmin2016
 [Sat Aug 05 15:42:47 2017] [error] [client 109.188.133.141] File does not exist: /var/www/vhosts/default/htdocs/phpmyadmin2017
 [Sat Aug 05 15:42:48 2017] [error] [client 109.188.133.141] File does not exist: /var/www/vhosts/default/htdocs/PMA2014
 [Sat Aug 05 15:42:49 2017] [error] [client 109.188.133.141] File does not exist: /var/www/vhosts/default/htdocs/PMA2015
 [Sat Aug 05 15:42:49 2017] [error] [client 109.188.133.141] File does not exist: /var/www/vhosts/default/htdocs/PMA2016
 [Sat Aug 05 15:42:49 2017] [error] [client 109.188.133.141] File does not exist: /var/www/vhosts/default/htdocs/PMA2017
 [Sat Aug 05 15:42:50 2017] [error] [client 109.188.133.141] File does not exist: /var/www/vhosts/default/htdocs/PMA2018
 [Sat Aug 05 15:42:52 2017] [error] [client 109.188.133.141] File does not exist: /var/www/vhosts/default/htdocs/pma2015
 [Sat Aug 05 15:42:52 2017] [error] [client 109.188.133.141] File does not exist: /var/www/vhosts/default/htdocs/pma2016
 [Sat Aug 05 15:42:52 2017] [error] [client 109.188.133.141] File does not exist: /var/www/vhosts/default/htdocs/pma2017
 [Sat Aug 05 15:42:53 2017] [error] [client 109.188.133.141] File does not exist: /var/www/vhosts/default/htdocs/pma2018

The regex isn't correctly picking up the format the log is being written in. Any help would be appreciated. I just need a wildcard rule that scans for a) File does not exist, b) any of the following strings on that error line: pma*, php*

Thanks for the suggestions above, but after countless attempts, here is the expression that works.

 [Definition]
 ignoreregex =
 failregex = \[client <HOST>\] File does not exist:.*(?i)MyAdmin.*
             \[client <HOST>\] File does not exist:.*(?i)mysqlmanager.*
             \[client <HOST>\] File does not exist:.*(?i)PMA.*
             \[client <HOST>\] File does not exist:.*(?i)pma.*
             \[client <HOST>\] File does not exist:.*(?i)php-my-admin.*
             \[client <HOST>\] File does not exist:.*(?i)myadmin.*
             \[client <HOST>\] File does not exist:.*(?i)administrator.*
             \[client <HOST>\] File does not exist:.*(?i)xmlrpc.*
             \[client <HOST>\] File does not exist:.*(?i)testproxy.*
             \[client <HOST>\] File does not exist:.*(?i)phpMyAdmin.*
             \[client <HOST>\] File does not exist:.*(?i)db.*
             \[client <HOST>\] File does not exist:.*(?i)sql.*

Anyone is welcome to use these rules to block the attack. My server was running Apache processes at 100% CPU usage.

The most obvious error I can see is here:

 pma* *\s*$ 

This matches pm, followed by zero or more a. Then a space zero or more times, followed by \s (space or tab) zero or more times.

So basically it has to end with pma, followed by zero or more spaces. The same goes for the other regex.

You should try something like pma.*\s* (assuming you need to account for possible spaces at the end of the line).

Edit: the full expression should be something like the one below, although obviously I can't really test it.

 \[client <HOST>\] File does not exist: .+pma
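As an added example (not code from the question or the answer), the Python script below expands `<HOST>` roughly the way fail2ban does and runs the three expressions from this page (the first attempt, the answer's suggestion, and the asker's final working filter) over constructed error_log lines in the question's format; the host placeholder pattern, the 192.0.2.x client addresses and the extra `favicon.ico` and `feedback.html` lines are assumptions. It shows that the first attempt matches nothing, the answer's case-sensitive `pma` catches only the lowercase probes, and the working filter catches all of them, while its `db` rule also hits a harmless 404 for `feedback.html`.

```python
import re

# Stand-in for fail2ban's <HOST> substitution (an approximation assumed by this
# example, not fail2ban's exact internal pattern).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Constructed Apache error_log lines in the format shown in the question (RFC 5737
# documentation addresses, not real clients). The last two lines are ordinary 404s.
SAMPLE_LOG = [
    "[Sat Aug 05 15:42:46 2017] [error] [client 192.0.2.10] File does not exist: /var/www/vhosts/default/htdocs/phpmyadmin2015",
    "[Sat Aug 05 15:42:48 2017] [error] [client 192.0.2.10] File does not exist: /var/www/vhosts/default/htdocs/PMA2014",
    "[Sat Aug 05 15:42:52 2017] [error] [client 192.0.2.10] File does not exist: /var/www/vhosts/default/htdocs/pma2015",
    "[Sat Aug 05 15:43:01 2017] [error] [client 192.0.2.20] File does not exist: /var/www/vhosts/default/htdocs/favicon.ico",
    "[Sat Aug 05 15:43:05 2017] [error] [client 192.0.2.30] File does not exist: /var/www/vhosts/default/htdocs/feedback.html",
]

# The question's first attempt: 'pma*' is 'pm' plus zero or more 'a', anchored at end of line.
ORIGINAL_ATTEMPT = r"^\[[^\]]+\] \[error\] \[client <HOST>\].*File does not exist: .*pma* *\s*$"
# The answer's suggested expression (case-sensitive, 'pma' only).
ANSWER_REGEX = r"\[client <HOST>\] File does not exist: .+pma"
# The question's final working filter, one failregex per probe keyword. The inline (?i)
# flag is moved to the start of each pattern because Python 3.11+ rejects it mid-pattern.
PROBE_KEYWORDS = ["MyAdmin", "mysqlmanager", "PMA", "pma", "php-my-admin", "myadmin",
                  "administrator", "xmlrpc", "testproxy", "phpMyAdmin", "db", "sql"]
WORKING_FILTER = [rf"(?i)\[client <HOST>\] File does not exist:.*{re.escape(kw)}.*"
                  for kw in PROBE_KEYWORDS]


def compile_failregex(failregex: str) -> re.Pattern:
    """Expand the <HOST> placeholder and compile the line regex."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def matched_hosts(failregexes, log_lines):
    """Return the captured host of every log line matched by at least one failregex.

    Each matching line contributes one hit against its <HOST>, which is what
    fail2ban's ban counter is keyed on.
    """
    patterns = [compile_failregex(r) for r in failregexes]
    hits = []
    for line in log_lines:
        for pattern in patterns:
            match = pattern.search(line)
            if match:
                hits.append(match.group("host"))
                break
    return hits
```

The same comparison against a real log file is what `fail2ban-regex LOGFILE FILTER` performs, and it is the quickest way to see whether a pattern like `db.*` will also count legitimate visitors' 404s.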