@tuxmartin
Created March 7, 2019 13:00
fail2ban wordpress sql injection
# https://plugins.svn.wordpress.org/wp-fail2ban/trunk/filters.d/wordpress-hard.conf
# https://github.com/TrogloGeek/fail2ban-apache-sqlinject
# Test: fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/wordpress.conf
[INCLUDES]
before = common.conf
[Definition]
sqlfragments_generic = select.*from|delete.*from|update.*set|insert.*into|replace.*(value|set)
sqlfragments_havij = and(\+|%%20)ascii%%28substring|and(\+|%%20)Length|union(\+|%%20)all(\+|%%20)select|and(\+|%%20)1%%3C1|and(\+|%%20)1%%3D1|and(\+|%%20)1%%3E1|and(\+|%%20)%%27.%%27%%3D%%27|%%2F\*%%21[0-9]+((\+|%%20)[0-9]*)?\*%%2F
_daemon = (?:wordpress|wp)
failregex = ^<HOST> -[^"]*"[A-Z]+\s+/[^"]*\?[^"]*(?:%(sqlfragments_generic)s|%(sqlfragments_havij)s)[^"]*HTTP[^"]*"
^%(__prefix_line)sAuthentication attempt for unknown user .* from <HOST>$
^%(__prefix_line)sXML-RPC authentication attempt for unknown user .* from <HOST>$
^%(__prefix_line)sSpam comment \d+ from <HOST>$
^%(__prefix_line)sBlocked user enumeration attempt from <HOST>$
^%(__prefix_line)sBlocked authentication attempt for .* from <HOST>$
^%(__prefix_line)sXML-RPC multicall authentication failure from <HOST>$
^%(__prefix_line)sPingback error .* generated from <HOST>$
ignoreregex =
#[wordpress]
#
#enabled = true
#filter = wordpress
#logpath = /var/log/auth.log
#port = http,https
#maxretry = 3
#chain = INPUT
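To see what the first failregex above actually bans, here is an added Python example (not part of the gist) that applies the %(...)s interpolation by hand and runs the pattern over constructed Apache access-log lines. It assumes an IPv4-only stand-in for fail2ban's <HOST> group, and it shows two things a practitioner should know before enabling this filter: the generic fragments fire on benign query strings such as select=...&from=..., and the whole pattern is case-sensitive.

```python
import re
from collections import Counter

# Patterns copied from the gist's wordpress.conf. fail2ban's config parser
# collapses "%%" to "%" before compiling, so plain "%20" appears here.
SQLFRAGMENTS_GENERIC = r"select.*from|delete.*from|update.*set|insert.*into|replace.*(value|set)"
SQLFRAGMENTS_HAVIJ = (
    r"and(\+|%20)ascii%28substring|and(\+|%20)Length|union(\+|%20)all(\+|%20)select"
    r"|and(\+|%20)1%3C1|and(\+|%20)1%3D1|and(\+|%20)1%3E1|and(\+|%20)%27.%27%3D%27"
    r"|%2F\*%21[0-9]+((\+|%20)[0-9]*)?\*%2F"
)
# fail2ban expands <HOST> to a broader named group; this IPv4-only
# stand-in is an assumption made to keep the example self-contained.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The gist's first failregex with interpolation applied. No re.IGNORECASE,
# so the filter only matches lower-case SQL keywords, exactly as written.
FAILREGEX = re.compile(
    r"^" + HOST + r' -[^"]*"[A-Z]+\s+/[^"]*\?[^"]*(?:'
    + SQLFRAGMENTS_GENERIC + "|" + SQLFRAGMENTS_HAVIJ + r')[^"]*HTTP[^"]*"'
)


def matching_hosts(lines):
    """Return the client IP of every access-log line the failregex would count."""
    return [m.group("host") for m in map(FAILREGEX.match, lines) if m]


def hits_per_host(lines):
    """Count matches per host, the number fail2ban compares against maxretry."""
    return Counter(matching_hosts(lines))


# Constructed Apache combined-format lines (addresses from RFC 5737 ranges).
SAMPLE_LOG = [
    # union-based probe: matched by the Havij fragment union(\+|%20)all(\+|%20)select
    '203.0.113.7 - - [07/Mar/2019:13:00:01 +0100] "GET /?id=1+union+all+select+1,2,3 HTTP/1.1" 200 512 "-" "curl/7.64"',
    # boolean probe: matched by and(\+|%20)1%3D1
    '198.51.100.9 - - [07/Mar/2019:13:00:02 +0100] "GET /index.php?cat=1%27%20and%201%3D1 HTTP/1.1" 200 512 "-" "Mozilla"',
    # benign shop filter: FALSE POSITIVE, "select=red&from=2019" satisfies select.*from
    '192.0.2.44 - - [07/Mar/2019:13:00:03 +0100] "GET /shop/?select=red&from=2019 HTTP/1.1" 200 512 "-" "Mozilla"',
    # no query string at all, so the mandatory \? never matches
    '192.0.2.45 - - [07/Mar/2019:13:00:04 +0100] "GET /wp-login.php HTTP/1.1" 200 512 "-" "Mozilla"',
    # same union probe in upper case: MISSED, because the regex is case-sensitive
    '203.0.113.8 - - [07/Mar/2019:13:00:05 +0100] "GET /?id=1%20UNION%20ALL%20SELECT%201 HTTP/1.1" 200 512 "-" "curl/7.64"',
]

if __name__ == "__main__":
    for host, n in hits_per_host(SAMPLE_LOG).items():
        print(f"{host}: {n} hit(s)")
```

The false positive on the shop URL is one reason a run like the one below reports thousands of matches on an ordinary access log; tighten the generic fragments (for example by requiring a separator such as `\+` or `%20` between the keywords, as the Havij fragments do) before pointing a jail at them.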
root@web:/# fail2ban-regex /var/log/apache2/access_web1.log /etc/fail2ban/filter.d/wordpress.conf
Running tests
=============
Use failregex filter file : wordpress, basedir: /etc/fail2ban
Use log file : /var/log/apache2/access_web1.log
Use encoding : UTF-8
Results
=======
Failregex: 12991 total
|- #) [# of hits] regular expression
| 1) [12991] ^<HOST> -[^"]*"[A-Z]+\s+/[^"]*\?[^"]*(?:select.*from|delete.*from|update.*set|insert.*into|replace.*(value|set)|and(\+|%20)ascii%28substring|and(\+|%20)Length|union(\+|%20)all(\+|%20)select|and(\+|%20)1%3C1|and(\+|%20)1%3D1|and(\+|%20)1%3E1|and(\+|%20)%27.%27%3D%27|%2F\*%21[0-9]+((\+|%20)[0-9]*)?\*%2F)[^"]*HTTP[^"]*"
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [163252] Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-
Lines: 163252 lines, 0 ignored, 12991 matched, 150261 missed
[processed in 36.51 sec]
Missed line(s): too many to print. Use --print-all-missed to print all 150261 lines
root@web:/#