From: <bu...@us...> - 2009-08-30 14:17:39
Revision: 742 http://fail2ban.svn.sourceforge.net/fail2ban/?rev=742&view=rev Author: buanzo Date: 2009-08-30 14:17:29 +0000 (Sun, 30 Aug 2009) Log Message: ----------- added two new filter files (PHP url_fopen, lighttpd fastcgi alerts), updated MANIFEST and jail.conf accordingly Modified Paths: -------------- branches/FAIL2BAN-0_8/MANIFEST branches/FAIL2BAN-0_8/config/jail.conf Added Paths: ----------- branches/FAIL2BAN-0_8/config/filter.d/lighttpd-fastcgi.conf branches/FAIL2BAN-0_8/config/filter.d/php-url-fopen.conf
Modified: branches/FAIL2BAN-0_8/MANIFEST
===================================================================
--- branches/FAIL2BAN-0_8/MANIFEST 2009-08-30 14:13:04 UTC (rev 741)
+++ branches/FAIL2BAN-0_8/MANIFEST 2009-08-30 14:17:29 UTC (rev 742)
@@ -122,3 +122,5 @@
 files/cacti/README
 files/nagios/check_fail2ban
 files/nagios/f2ban.txt
+config/filter.d/lighttpd-fastcgi.conf
+config/filter.d/php-url-fopen.conf
Added: branches/FAIL2BAN-0_8/config/filter.d/lighttpd-fastcgi.conf
===================================================================
--- branches/FAIL2BAN-0_8/config/filter.d/lighttpd-fastcgi.conf (rev 0)
+++ branches/FAIL2BAN-0_8/config/filter.d/lighttpd-fastcgi.conf 2009-08-30 14:17:29 UTC (rev 742)
@@ -0,0 +1,18 @@
+# Fail2Ban configuration file
+#
+# Author: Arturo 'Buanzo' Busleiman <bu...@bu...>
+#
+
+[Definition]
+
+# Option: failregex
+# Notes.: regex to match ALERTS as notified by lighttpd's FastCGI Module
+# Values: TEXT
+#
+failregex = .*ALERT\ -\ .*attacker\ \'<HOST>\'
+
+# Option: ignoreregex
+# Notes.: regex to ignore. If this regex matches, the line is ignored.
+# Values: TEXT
+#
+ignoreregex =
Added: branches/FAIL2BAN-0_8/config/filter.d/php-url-fopen.conf
===================================================================
--- branches/FAIL2BAN-0_8/config/filter.d/php-url-fopen.conf (rev 0)
+++ branches/FAIL2BAN-0_8/config/filter.d/php-url-fopen.conf 2009-08-30 14:17:29 UTC (rev 742)
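Review bot: The `failregex` in lighttpd-fastcgi.conf is wrapped in a leading `.*` and escapes that Python `re` does not need (`\ `, `\'`), which hides that the pattern is otherwise unanchored: any line containing `ALERT - ` somewhere and `attacker '<token>'` somewhere later matches, whatever the rest of the message looks like. The jail.conf hunk in this same commit shows the full alert ending in `(attacker '1.2.3.4', file '/var/www/default/htdocs/index.php')`; if every alert carries that suffix, `failregex = ALERT - .*\(attacker '<HOST>', file '` ties the match to that structure and reads without the noise. Note also that the sample quoted in the jail.conf comment is written with an en dash and curly quotes (`ALERT – ... ‘GLOBALS’`) while this regex expects a plain ASCII `ALERT -`; presumably an editor smart-quoted the comment, but one side should be corrected so the documented sample actually matches the filter, and an admin pasting it into fail2ban-regex to test gets a hit.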
@@ -0,0 +1,23 @@
+# Fail2Ban configuration file
+#
+# Author: Arturo 'Buanzo' Busleiman <bu...@bu...>
+# Version 2
+# fixes the failregex so REFERERS that contain =http:// don't get blocked
+# (mentioned by "fasuto" (no real email provided... blog comment) in this entry:
+# http://blogs.buanzo.com.ar/2009/04/fail2ban-filter-for-php-injection-attacks.html#comment-1489
+#
+
+[Definition]
+
+# Option: failregex
+# Notes.: regex to match this kind of request:
+#
+# 66.185.212.172 - - [26/Mar/2009:08:44:20 -0500] "GET /index.php?n=http://eatmyfood.hostinginfive.com/pizza.htm? HTTP/1.1" 200 114 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
+#
+failregex = ^<HOST> -.*"(GET|POST).*\?.*\=http\:\/\/.* HTTP\/.*$
+
+# Option: ignoreregex
+# Notes.: regex to ignore. If this regex matches, the line is ignored.
+# Values: TEXT
+#
+ignoreregex =
Modified: branches/FAIL2BAN-0_8/config/jail.conf
===================================================================
--- branches/FAIL2BAN-0_8/config/jail.conf 2009-08-30 14:13:04 UTC (rev 741)
+++ branches/FAIL2BAN-0_8/config/jail.conf 2009-08-30 14:17:29 UTC (rev 742)
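Review bot: The `failregex` in php-url-fopen.conf chains five unbounded `.*` (`"(GET|POST).*\?.*\=http\:\/\/.* HTTP\/.*$`), so on a long query string with many `?` and `=` characters the regex engine backtracks across all of them for every access-log line, and the only thing keeping the match inside the request line is the trailing ` HTTP/` literal that the header comment says version 2 relies on to spare Referer values. Request targets in an access log contain no spaces, so `\S*` does that job explicitly and cheaply: `failregex = ^<HOST> -.*"(GET|POST) \S*\?\S*=https?://\S* HTTP/` (the `=`, `:` and `/` escapes are unnecessary in Python `re`; the optional `s` closes the gap that `=https://` currently passes unmatched). Because the jail.conf hunk in this commit sets `maxretry = 1` for this jail, a single request carrying any `=http://` parameter bans the client, and legitimate redirect and return-URL parameters look exactly like that; the header comment should state this false-positive trade-off alongside the Referer fix it already describes.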
@@ -152,6 +152,34 @@
 sendmail[name=Postfix, dest=yo...@ma...]
 logpath = /var/log/apache2/error_log
+# Ban attackers that try to use PHP's URL-fopen() functionality
+# through GET/POST variables. - Experimental, with more than a year
+# of usage in production environments.
+
+[php-url-fopen]
+
+enabled = false
+port = http,https
+filter = php-url-fopen
+logpath = /var/www/*/logs/access_log
+maxretry = 1
+
+# A simple PHP-fastcgi jail which works with lighttpd.
+# If you run a lighttpd server, then you probably will
+# find these kinds of messages in your error_log:
+# ALERT – tried to register forbidden variable ‘GLOBALS’
+# through GET variables (attacker '1.2.3.4', file '/var/www/default/htdocs/index.php')
+# This jail would block the IP 1.2.3.4.
+
+[lighttpd-fastcgi]
+
+enabled = true
+port = http,https
+filter = lighttpd-fastcgi
+# adapt the following two items as needed
+logpath = /var/log/lighttpd/error.log
+maxretry = 2
+
 # This jail uses ipfw, the standard firewall on FreeBSD. The "ignoreip"
 # option is overridden in this jail. Moreover, the action "mail-whois" defines
 # the variable "name" which contains a comma using "". The characters '' are
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
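Review bot: `enabled = true` on the new `[lighttpd-fastcgi]` jail makes it start on every installation, while the `[php-url-fopen]` jail added in the same hunk ships `enabled = false`; the jail reads `/var/log/lighttpd/error.log`, which is absent on hosts that do not run lighttpd, and the comment directly above `logpath` already says the values need adapting, so `enabled = false` is the consistent shipped default, with the user opting in from jail.local. Neither new jail sets `action`; presumably `[DEFAULT]` (outside this hunk) supplies one that interpolates `port`, but the context line `sendmail[name=Postfix, dest=...]` shows the neighbouring jail listing its actions explicitly, so a one-line comment next to `port = http,https` stating where the action comes from would save the next reader from assuming the jail bans nothing.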