發佈於 作者: t850008

以 fail2ban 偵測網頁連線攻擊

使用 Apache / MySQL / PHP 來架設網站的人,可能都會有安裝 phpMyAdmin 來管理網頁資料庫,但因為 phpMyAdmin 這一個套件可能存在一些安全性上的漏洞,所以有些攻擊方式,就會搜尋網頁上是否有安裝 phpMyAdmin,並嘗試進行攻擊。
來自網頁上的攻擊
# grep admin /var/log/httpd/error_log
[error] [client 70.87.15.74] File does not exist: /var/www/html/admin
[error] [client 70.87.15.74] File does not exist: /var/www/html/dbadmin
[error] [client 70.87.15.74] File does not exist: /var/www/html/myadmin
[error] [client 70.87.15.74] File does not exist: /var/www/html/mysqladmin
[error] [client 70.87.15.74] File does not exist: /var/www/html/phpadmin
[error] [client 70.87.15.74] File does not exist: /var/www/html/phpmyadmin
[error] [client 70.87.15.74] File does not exist: /var/www/html/php-my-admin
[error] [client 70.87.15.74] File does not exist: /var/www/html/phpmyadmin1
[error] [client 70.87.15.74] File does not exist: /var/www/html/phpmyadmin2[@more@]阻擋的方式
底下文章內容參考 網路系統組 / Network Systems [security:fail2ban]
修改 fail2ban 設定檔,加入下面的設定檔
# vim /etc/fail2ban/jail.conf
[apache-notexist]

enabled  = true
filter   = apache-notexist
action   = iptables[name=HTTP, port=http, protocol=tcp]
logpath  = /var/log/httpd/*error_log
maxretry = 3
bantime  = 600

新增 fail2ban 的 apache-noexist filter 設定檔
# vim /etc/fail2ban/filter.d/apache-notexist.conf
[Definition]

# Option:  failregex
# Notes.:  regex to match the password failure messages in the logfile. The
#          host must be matched by a group named “host”. The tag “<HOST>” can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>S+)
# Values:  TEXT
#
failregex = [[]client <HOST>[]] (File does not exist): .*

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

# service fail2ban restart
Stopping fail2ban:                                         [  OK  ]
Starting fail2ban:                                         [  OK  ]

# fail2ban-client status
Status
|- Number of jail:      3
`- Jail list:           apache-notexist, pure-ftpd, ssh-iptables

嘗試幾次錯誤連線

# fail2ban-client status apache-notexist
Status for the jail: apache-notexist
|- filter
|  |- File list:        /var/log/httpd/ssl_error_log /var/log/httpd/error_log
|  |- Currently failed: 0
|  `- Total failed:     3
`- action
   |- Currently banned: 1
   |  `- IP list:       192.168.1.1
   `- Total banned:     1

# iptables -t filter -L fail2ban-HTTP -n
Chain fail2ban-HTTP (1 references)
target     prot opt source               destination
DROP       all  —  192.168.1.1          0.0.0.0/0
RETURN     all  —  0.0.0.0/0            0.0.0.0/0