I am using php. That's why I thought to filter on '/php', because that's different from '.php'. But am I missing anything?

Colin

On 8/15/14, 9:59 AM, Sacks, Cailan wrote:
If you're not using PHP, then filter on "php". So you pick up ".php" etc. Basically, you should be able to whitelist pages that you know, and ban everything else.

From: Colin Goldberg
Sent: 2014-08-15 03:28 PM
To: fail2ban-users@lists.sourceforge.net
Subject: Re: [Fail2ban-users] What are these attackers trying to do?

So from this it appears I should filter on /php (and also on cgi-bin, as
I don't use this).

Does this sound like a reasonable thing to do? Any gotchas if I do this?

On 8/15/14, 5:33 AM, Charles Bradshaw wrote:
> Hi,
>
> There are hundreds, possibly thousands, of php exploits! They are
> impossible to block with fail2ban except in a few specific cases.
>
> Two solutions:
> 1 - Don't run php - don't allow untrusted users to run arbitrary php.
> 2 - Make sure any php is regularly audited.
>
>
> On Thu, 2014-08-14 at 16:01 -0400, Colin Goldberg wrote:
>> Hi again,
>>
>> I am seeing a few (2 or 3 IPs in the last few days) that present the
>> following kind of entry in my apache access_log:
>>
>> POST
>> /cgi-bin/php4?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%
>> 73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%6
>> 6%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66
>> %69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%
>> 69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E
>>
>> This decodes to:
>> -d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d
>> disable_functions="" -d open_basedir=none -d
>> auto_prepend_file=php://input -d cgi.force_redirect=0 -d
>> cgi.redirect_status_env=0 -n
>>
>> I see that (some of them) try php5, php4, php.cgi, etc. - with the same
>> 'parameters'.
>>
>> What are they trying to do? What can I do about it?
>>
>> Regards
>>
>> Colin G
>>
>>
>>
>> ------------------------------------------------------------------------------
>> _______________________________________________
>> Fail2ban-users mailing list
>> Fail2ban-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
>
>

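As an added illustration of the two filtering approaches discussed in this thread (this is example code written for this page, not fail2ban's own filter code or anything the list members posted): it parses Apache access_log lines, decodes the percent-encoded query string the way the CGI interface would see it, and contrasts the broad "/php or /cgi-bin/" substring match with a check that keys on the "-d php.ini_setting=value" arguments that the decoded request in the original mail carries. The request path is the one quoted in the thread; the IP addresses, timestamps, other log lines and the regexes are my own constructed assumptions (fail2ban's real filters spell the host group as <HOST>, which Python's re does not understand, so a named group is used here instead).

```python
"""Decode and classify suspicious PHP-CGI requests from an Apache access_log.

Added example, not fail2ban's own code.  Compares a broad path filter
('/php', '/cgi-bin/') with a filter that decodes the query string and looks
for php.ini settings injected as '-d name=value' command-line arguments.
"""
import re
import urllib.parse
from collections import Counter

# Apache combined-log line: host, identd, user, [time], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)

# php.ini settings that the decoded request in the thread sets via '-d'.
# Seeing several of them pushed through the query string is the signal.
SUSPICIOUS_DIRECTIVES = {
    "allow_url_include", "safe_mode", "suhosin.simulation", "disable_functions",
    "open_basedir", "auto_prepend_file", "cgi.force_redirect",
    "cgi.redirect_status_env",
}
DIRECTIVE_RE = re.compile(r'(?:^|\s)-d\s+([A-Za-z_.]+)=')

# Broad filter as proposed in the thread: any request whose path contains
# '/php' or '/cgi-bin/'.  (Assumed regex, written in plain Python syntax.)
BROAD_RE = re.compile(r'^(?P<host>\S+) .*"(?:GET|POST|HEAD) \S*(?:/php|/cgi-bin/)')

# Query string exactly as quoted in the original mail, re-joined onto one line.
ATTACK_QUERY = (
    "%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%"
    "73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%6"
    "6%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66"
    "%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%"
    "69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E"
)

# Constructed sample log (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = [
    f'203.0.113.5 - - [14/Aug/2014:15:58:01 -0400] "POST /cgi-bin/php4?{ATTACK_QUERY} HTTP/1.1" 404 209 "-" "-"',
    f'203.0.113.5 - - [14/Aug/2014:15:58:02 -0400] "POST /cgi-bin/php5?{ATTACK_QUERY} HTTP/1.1" 404 209 "-" "-"',
    '198.51.100.7 - - [14/Aug/2014:16:00:10 -0400] "GET /index.php?page=about HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [14/Aug/2014:16:01:45 -0400] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Split one combined-log line into host, method, path, query and status."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    return {"host": m.group("host"), "method": m.group("method"),
            "path": path, "query": query, "status": int(m.group("status"))}


def decode_query(query):
    # unquote_plus turns '+' into spaces and %XX into characters, which is
    # how the CGI binary would receive the argument string
    return urllib.parse.unquote_plus(query)


def injected_directives(query):
    """php.ini setting names passed as '-d name=value' in the decoded query."""
    return DIRECTIVE_RE.findall(decode_query(query))


def is_cgi_arg_injection(rec):
    """True when the query carries two or more of the known settings as -d arguments."""
    names = set(injected_directives(rec["query"]))
    return len(names & SUSPICIOUS_DIRECTIVES) >= 2


def classify(line):
    """'cgi-arg-injection', 'broad-match' (path-only hit), 'ok' or 'unparsed'."""
    rec = parse_line(line)
    if rec is None:
        return "unparsed"
    if is_cgi_arg_injection(rec):
        return "cgi-arg-injection"
    if BROAD_RE.match(line):
        return "broad-match"
    return "ok"


def hosts_to_ban(lines, maxretry=2):
    """Hosts whose decoded requests look like argument injection at least maxretry times."""
    hits = Counter(parse_line(l)["host"] for l in lines
                   if classify(l) == "cgi-arg-injection")
    return sorted(h for h, n in hits.items() if n >= maxretry)


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        rec = parse_line(line)
        print(f'{classify(line):18} {rec["host"]:14} {rec["path"]:18} '
              f'{decode_query(rec["query"])[:50]}')
    print("ban:", hosts_to_ban(SAMPLE_LOG))
```

Running it shows the gotcha Colin asks about: the substring filter on "/php" leaves "/index.php" alone (so a PHP site keeps working) but also fires on any path that merely starts with "php", such as "/phpmyadmin/", whereas decoding the query and counting the injected "-d" settings flags only the requests that carry the pattern quoted in the thread, whichever php4/php5/php.cgi name the sender tries.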