Created
March 7, 2019 13:00
fail2ban wordpress sql injection
# https://plugins.svn.wordpress.org/wp-fail2ban/trunk/filters.d/wordpress-hard.conf
# https://github.com/TrogloGeek/fail2ban-apache-sqlinject
# Test: fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/wordpress.conf

[INCLUDES]
before = common.conf

[Definition]
# "%%" is the INI escape for a literal "%", so "%%20" matches "%20" in the logged URL.
sqlfragments_generic = select.*from|delete.*from|update.*set|insert.*into|replace.*(value|set)
sqlfragments_havij = and(\+|%%20)ascii%%28substring|and(\+|%%20)Length|union(\+|%%20)all(\+|%%20)select|and(\+|%%20)1%%3C1|and(\+|%%20)1%%3D1|and(\+|%%20)1%%3E1|and(\+|%%20)%%27.%%27%%3D%%27|%%2F\*%%21[0-9]+((\+|%%20)[0-9]*)?\*%%2F
_daemon = (?:wordpress|wp)
# The first pattern matches request lines in the web server access log;
# the remaining patterns match the syslog messages written by wp-fail2ban.
# Continuation lines must stay indented to belong to failregex.
failregex = ^<HOST> -[^"]*"[A-Z]+\s+/[^"]*\?[^"]*(?:%(sqlfragments_generic)s|%(sqlfragments_havij)s)[^"]*HTTP[^"]*"
            ^%(__prefix_line)sAuthentication attempt for unknown user .* from <HOST>$
            ^%(__prefix_line)sXML-RPC authentication attempt for unknown user .* from <HOST>$
            ^%(__prefix_line)sSpam comment \d+ from <HOST>$
            ^%(__prefix_line)sBlocked user enumeration attempt from <HOST>$
            ^%(__prefix_line)sBlocked authentication attempt for .* from <HOST>$
            ^%(__prefix_line)sXML-RPC multicall authentication failure from <HOST>$
            ^%(__prefix_line)sPingback error .* generated from <HOST>$
ignoreregex =

# Example jail (commented out). logpath has to name the log that the patterns
# above should see; the fail2ban-regex test uses the Apache access log.
#[wordpress]
#
#enabled = true
#filter = wordpress
#logpath = /var/log/auth.log
#port = http,https
#maxretry = 3
#chain = INPUT
root@web:/# fail2ban-regex /var/log/apache2/access_web1.log /etc/fail2ban/filter.d/wordpress.conf
Running tests
=============
Use failregex filter file : wordpress, basedir: /etc/fail2ban
Use log file : /var/log/apache2/access_web1.log
Use encoding : UTF-8
Results
=======
Failregex: 12991 total
|- #) [# of hits] regular expression
| 1) [12991] ^<HOST> -[^"]*"[A-Z]+\s+/[^"]*\?[^"]*(?:select.*from|delete.*from|update.*set|insert.*into|replace.*(value|set)|and(\+|%20)ascii%28substring|and(\+|%20)Length|union(\+|%20)all(\+|%20)select|and(\+|%20)1%3C1|and(\+|%20)1%3D1|and(\+|%20)1%3E1|and(\+|%20)%27.%27%3D%27|%2F\*%21[0-9]+((\+|%20)[0-9]*)?\*%2F)[^"]*HTTP[^"]*"
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [163252] Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-
Lines: 163252 lines, 0 ignored, 12991 matched, 150261 missed
[processed in 36.51 sec]
Missed line(s): too many to print. Use --print-all-missed to print all 150261 lines
root@web:/#
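Added example (not part of the gist and not fail2ban's own code): a Python check that resolves the filter's `%(...)s` references and `%%` escapes with `configparser`, then runs the SQL-injection `failregex` over constructed access-log lines. It assumes a simplified `<HOST>` group and skips fail2ban's date handling; the second sample line is an ordinary search request that the generic `select.*from` fragment also matches, the kind of false positive to look for in the "matched" count before enabling a jail.

```python
import configparser
import re

# The SQL-injection rule from the [Definition] section of the filter above.
FILTER = r'''
[Definition]
sqlfragments_generic = select.*from|delete.*from|update.*set|insert.*into|replace.*(value|set)
sqlfragments_havij = and(\+|%%20)ascii%%28substring|and(\+|%%20)Length|union(\+|%%20)all(\+|%%20)select|and(\+|%%20)1%%3C1|and(\+|%%20)1%%3D1|and(\+|%%20)1%%3E1|and(\+|%%20)%%27.%%27%%3D%%27|%%2F\*%%21[0-9]+((\+|%%20)[0-9]*)?\*%%2F
failregex = ^<HOST> -[^"]*"[A-Z]+\s+/[^"]*\?[^"]*(?:%(sqlfragments_generic)s|%(sqlfragments_havij)s)[^"]*HTTP[^"]*"
'''

# Constructed Apache access-log lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [07/Mar/2019:12:00:01 +0100] "GET /index.php?id=1+union+all+select+1,2 HTTP/1.1" 200 512 "-" "sample"',
    '198.51.100.20 - - [07/Mar/2019:12:00:02 +0100] "GET /?s=select+a+theme+from+our+list HTTP/1.1" 200 2048 "-" "sample"',
    '198.51.100.21 - - [07/Mar/2019:12:00:03 +0100] "GET /wp-login.php HTTP/1.1" 200 1234 "-" "sample"',
]


def expanded_failregex():
    """Resolve %(name)s references and %% escapes as the INI layer does."""
    cp = configparser.ConfigParser()  # BasicInterpolation: %% -> %, %(x)s -> value
    cp.read_string(FILTER)
    return cp.get("Definition", "failregex")


def compile_failregex():
    # Assumption: <HOST> becomes a simplified capture group; fail2ban's real
    # expansion validates IPv4/IPv6 addresses and hostnames.
    return re.compile(expanded_failregex().replace("<HOST>", r"(?P<host>\S+)"))


def matched_hosts(lines):
    """Hosts that would be counted as a failure, in input order."""
    rx = compile_failregex()
    return [m.group("host") for m in map(rx.search, lines) if m]


if __name__ == "__main__":
    print(expanded_failregex())
    for host in matched_hosts(SAMPLE):
        print("would count a failure for", host)
```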