It matches SQL injection attempts via the User Agent string
Last active
April 8, 2022 09:57
-
-
Save iAugur/e51bfb9612d293f29557b9419c6df9f6 to your computer and use it in GitHub Desktop.
Fail2ban jail for abusive SQL injection attempts in User Agent String
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Fail2Ban configuration file | |
| # | |
| # Author: https://gist.github.com/iAugur | |
| # | |
| # | |
| [Definition] | |
| # Option: failregex | |
| # Notes.: regex to match injection attempts in UA string | |
| # examples: UserAgent string "-1' OR 2+787-787-1=0+0+0+1 --" and "1 \xc0\xa7\xc0\xa2" | |
| # Values: TEXT | |
| # Test : fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/apache-ua-sql.conf --print-all-matched | |
| failregex = ^<HOST> .*(-1 OR 2\+102-102-1=0\+0\+0\+1|1 \\xc0\\xa7\\xc0\\xa2).*$ | |
| # Option: ignoreregex | |
| # Notes.: regex to ignore. If this regex matches, the line is ignored. | |
| # This stops your Drupal log CMS watchdog visits from triggering the ban, omit if not on Drupal | |
| # Values: TEXT | |
| ignoreregex = '^<HOST> .*(\/admin\/reports\/dblog).*$' | |
| datepattern = ^[^\[]*\[({DATE}) | |
| {^LN-BEG} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # the following is a redaced real world example with 3 hits and 2 ignored | |
| 122.142.199.161 www.example.com:443 - - [05/Apr/2022:03:22:32 +0100] "GET /blog/somebadua HTTP/1.1" 200 14488 "https://www.example.com:443/" "-1' OR 2+787-787-1=0+0+0+1 --" | |
| 122.142.199.161 www.example.com:443 - - [05/Apr/2022:03:22:32 +0100] "GET /blog/someokua HTTP/1.1" 200 14488 "https://www.example.com:443/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" | |
| 122.142.199.161 www.example.com:443 - - [05/Apr/2022:03:22:32 +0100] "GET /blog/somebadua2 HTTP/1.1" 200 14488 "https://www.example.com:443/" "1 \xc0\xa7\xc0\xa2" | |
| 122.142.199.161 www.example.com:443 - - [05/Apr/2022:03:22:32 +0100] "GET /sites/somebadua HTTP/1.1" 403 89094 "-1 OR 2+102-102-1=0+0+0+1 --" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" | |
| 122.142.199.161 www.example.com:443 - - [05/Apr/2022:03:22:32 +0100] "GET /blog/someokua HTTP/1.1" 200 15265 "https://www.example.com:443/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # add to your jail.local | |
| # omit any entries to use your defaults (e.g. banaction etc) | |
| [apache-ua-sql] | |
| enabled = true | |
| filter = apache-ua-sql | |
| port = hhtp,https | |
| logpath = /var/log/apache2*/*access.log | |
| bantime = 604800 | |
| banaction = iptables-allports | |
| findtime = 60 | |
| maxretry = 3 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment