2013/4/18 Yoyo Yoyomaster

2013/4/18 Tom Hendrikx
On 04/18/2013 10:10 AM, Yoyo Yoyomaster wrote:
>
> Hello,
>
> Once again, thanks for taking some time to help me.
> I saw an example of a regexp here:
> http://blog.pastoutafait.org/billets/Prot%C3%A9ger-un-serveur-avec-Fail2ban
> The guy uses this type of regexp:
>
> <HOST> - - \[.*?\] ".*(PMA|phpmyadmin|myadmin|mysql|mysqladmin|sqladmin|mypma|admin|xampp|mysqldb|mydb|db|dbadmin|pmadb|phpmyadmin1|myadmin2).*" 301 .*
>
> I like this way of writing a regexp in my case because with only one
> regexp I would be able to filter the greater part of the attacks my
> company's server receives.
> So for example, I would like to use this type of regexp:
> <HOST> - - \[.*?\] ".*(c_id=|concat|phpinfo|gif\.php|proxy|port=|protocol=|select\/|insert\/|update\/|delete\//from\/|=import|\*\*|w00tw00t|PMA|myadmin|mysql|mysql|sql|mypma|admin|xampp|mydb|dbadmin).*".*
> And so on...
> I want to add other patterns to increase the efficiency of the regexp.
> I don't really want to write 1 regexp for 1 pattern, even if it is less
> readable.

This is a bad idea. You originally said that you are not that good with
regular expressions, and now you want to make the regexes you use a lot
more difficult because you want to 'optimize' stuff that probably
doesn't need optimisation.
Only after you see that fail2ban actually slows down because of your
regexes, and you can actually prove (by profiling the code) that it's
the regexes that create a performance bottleneck (and not, f.i., I/O
related to accessing the log files, which is a lot more probable), you
should improve the efficiency of the regexes.

See [1] for details.

Please write the regexes in a way that keeps them understandable to the
person maintaining them (i.e. you!). In case of an emergency (f.i. a
false positive), you'll need to fix the regex quickly or disable
everything. You probably won't have time to consult this list for help.

Also, it would be better if you kept separate regexes or jails for
separate offences: an SQL injection attack is something other than
testing for a non-updated web application. It's nice to see which
attacks are actually happening, and if you make one jail that blocks
everything (named php-badguys-trying-all-kinds-of-shit or equivalent)
you won't be able to differentiate between the different issues.

[1] https://en.wikipedia.org/wiki/Program_optimization#When_to_optimize

Kind regards,
        Tom



_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users

 

Even with my bad English (I'm French ^^), I think I understood your point of view.
My point of view was to take the IP address listed in "iptables -L -n" and then easily run a little "cat access.log | grep <IP>" to understand the reason for blacklisting this IP address.
 
But maybe I will follow your advice and separate the declarations of the fail2ban filters to clearly identify why any IP is blacklisted.
 
Well, I understood the origin of my problem.
It seems that it comes from the underscore character with something written after it.
In my example:
# cat fail2ban-regex-test
8.8.8.8 - - [20/Mar/2013:22:45:00 +0100] "GET /index.php?option=com_periodicos&task=mostrarNoticiasCategoria&catid=0'and(select/**/1/**/from(select/**/count(*),concat((select/**/username/**/from/**/jos_users/**/where/**/usertype=0x73757065722061646d696e6973747261746f72/**/limit/**/0,1),floor(rand(0)*2))x/**/from/**/information_schema.tables/**/group/**/by/**/x)a)and' HTTP/1.1" 404 845 "http://www.google.com/" "Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.18) Gecko/20110614 Firefox/3.6.18 GTB7.1" "-"
8.8.8.8 - - [12/Apr/2013:03:05:20 +0200] "GET /components/com_jnews/includes/openflashchart/tmp-upload-images/sh.php?c_id=ZWNobygidDc0Mzk4MTIiKTs=
HTTP/1.1" 404 2396 "-" "-" "-"
These regexps work:
<HOST> - - \[.*?\] ".*(id=|pattern2|pattern3).*".*
<HOST> - - \[.*?\] ".*(php\?|pattern2|pattern3).*".*
<HOST> - - \[.*?\] ".*(\?|pattern2|pattern3).*".*
<HOST> - - \[.*?\] ".*(id|pattern2|pattern3).*".*
<HOST> - - \[.*?\] ".*(_|pattern2|pattern3).*".*
 
But these regexps don't work:
<HOST> - - \[.*?\] ".*(c_id|pattern2|pattern3).*".*
<HOST> - - \[.*?\] ".*(_id|pattern2|pattern3).*".*
<HOST> - - \[.*?\] ".*(\_id|pattern2|pattern3).*".*
 
 
I haven't found the solution for the moment.
Does somebody know how to match this pattern inside the parentheses? : (_id)

OK, I found the solution.
It was a stupid error inside my file "fail2ban-regex-test".
There was a carriage return before "HTTP/1.1".
So the error was coming from this part of the regexp :
).*".*'
The double quote was not found because of the carriage return inside the second log line of my file.
This test works :
fail2ban-regex fail2ban-regex-test '<HOST> - - \[.*?\] ".*(c_id=|pattern2|pattern3).*".*'
 
Thanks for the help received.
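Added example (not from the thread or from fail2ban itself): a small Python script that applies fail2ban-style failregexes to constructed Apache log lines and reproduces both points of the thread. It shows why the `(_|...)` pattern seemed to work while `(c_id=|...)` did not when the second log line was broken before "HTTP/1.1" (the `_` matches `com_periodicos` in the first, intact line; the broken line has no closing quote, so nothing with `c_id=` can match), and it shows Tom's advice in practice, with one regex per offence so the result says why a host matched. Assumptions: the `<HOST>` tag is replaced by a simplified `\S+` capture rather than fail2ban's real host pattern, the jail names `apache-sqli` and `apache-webshell` are hypothetical, and the log lines are constructed on the model of the thread's test file with documentation addresses.

```python
import re

# fail2ban substitutes its <HOST> tag with a pattern for an IP address or hostname.
# Simplified stand-in for this example (assumption: fail2ban's own tag is more permissive).
HOST_RE = r"(?P<host>\S+)"

# Constructed log lines, modelled on the thread's fail2ban-regex-test file but using
# documentation addresses (203.0.113.0/24) and a shortened SQL injection payload.
SQLI_LINE = (
    "203.0.113.10 - - [20/Mar/2013:22:45:00 +0100] "
    '"GET /index.php?option=com_periodicos&task=mostrarNoticiasCategoria'
    "&catid=0'and(select/**/1/**/from(select/**/count(*),"
    "concat((select/**/username/**/from/**/jos_users/**/limit/**/0,1)))a)and' "
    'HTTP/1.1" 404 845 "http://www.example.com/" "Mozilla/5.0" "-"'
)
SHELL_LINE = (
    "203.0.113.20 - - [12/Apr/2013:03:05:20 +0200] "
    '"GET /components/com_jnews/includes/openflashchart/tmp-upload-images/sh.php'
    '?c_id=ZWNobygidDc0Mzk4MTIiKTs= HTTP/1.1" 404 2396 "-" "-" "-"'
)
GOOD_LOG = [SQLI_LINE, SHELL_LINE]

# The same log with a stray line break before "HTTP/1.1", as in the thread's broken file:
# the request line loses its closing double quote, which lands on the next physical line.
_head, _tail = SHELL_LINE.split(" HTTP/1.1", 1)
BROKEN_LOG = [SQLI_LINE, _head, "HTTP/1.1" + _tail]

# Hypothetical jail names, one regex per kind of offence (Tom's suggestion).
JAIL_REGEXES = {
    "apache-sqli": r'<HOST> - - \[.*?\] ".*(select/\*\*/|concat\().*".*',
    "apache-webshell": r'<HOST> - - \[.*?\] ".*(c_id=|sh\.php).*".*',
}
# The catch-all style from the thread: every pattern in one alternation.
CATCHALL_REGEX = r'<HOST> - - \[.*?\] ".*(c_id=|concat|_|select/).*".*'
# The pattern the original poster reported as "working".
UNDERSCORE_REGEX = r'<HOST> - - \[.*?\] ".*(_|pattern2|pattern3).*".*'


def compile_failregex(failregex):
    """Turn a fail2ban-style failregex (with the <HOST> tag) into a compiled Python regex."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def matching_hosts(failregex, lines):
    """Hosts captured by failregex, one per matching physical log line (search semantics,
    as fail2ban applies its failregex line by line)."""
    rx = compile_failregex(failregex)
    return [m.group("host") for m in map(rx.search, lines) if m]


def bans_by_jail(lines, jails=JAIL_REGEXES):
    """Map each jail name to the hosts its regex matched, so a ban carries its reason."""
    return {name: matching_hosts(rx, lines) for name, rx in jails.items()}


if __name__ == "__main__":
    for name, hosts in bans_by_jail(GOOD_LOG).items():
        print(f"{name}: {hosts}")
    print("catch-all, no reason attached:", matching_hosts(CATCHALL_REGEX, GOOD_LOG))
    print("'_' regex on the broken log:", matching_hosts(UNDERSCORE_REGEX, BROKEN_LOG))
    print("'c_id=' regex on the broken log:",
          matching_hosts(JAIL_REGEXES["apache-webshell"], BROKEN_LOG))
```

Running it against the broken log returns only 203.0.113.10 for the `_` pattern and nothing for the `c_id=` pattern, which is exactly the symptom reported in the thread; against the intact log the per-jail dictionary attributes each host to a named offence, while the catch-all returns both hosts with no way to tell them apart.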