Old 10-21-2013, 11:05 AM   #1
agriz
Member
 
Registered: Nov 2011
Posts: 197

How to ban IPs automatically?


I just today found one IP address in my access log.

For a second, it was accessing too many (unwanted) links in the site.

ex:
admin/login/
/config.php
/congig/config.php
admin/login.php get | post
GET /wp-content/plugins/reflex-gallery/
bbpress
..

I haven't installed bbpress, WordPress or anything. Still, the IP randomly tried to access many files.

There are so many calls.
Most of them ended with 404.

I have added this IP to the hosts.deny file today.

How do I find this kind of activity and ban the IP immediately and automatically?

Last edited by agriz; 10-21-2013 at 11:06 AM.
 
Old 10-21-2013, 11:26 AM   #2
lleb
Senior Member
 
Registered: Dec 2005
Location: Florida
Distribution: CentOS/Fedora/Pop!_OS
Posts: 2,983

Depending on what you are using to block IPs, keep in mind this is not a good workaround, as most script kiddies use DHCP and can just get their IP to roll to another one and they can get back in.

If you are using IPTables, there are plenty of scripts out there to monitor your logs that will automatically ban IPs with repeated failed attempts at pages/services they should not be trying to access.

I'd google for "automatic IP ban script for IPTables apache" or something to that effect.
 
Old 10-21-2013, 11:28 AM   #3
agriz
Member
 
Registered: Nov 2011
Posts: 197

Original Poster
I am using csf config to manage iptables.

[20:59:24] - almost 40 connections.
[20:59:25] - another 40 to 50 connections. and so on.

I think the hosts.deny stopped their connection to the server.

Code:
SYNFLOOD =  Default: 0 [0-1]
SYNFLOOD_RATE = 100/s
SYNFLOOD_BURST = 150
I don't know the synflood rate and burst.
For my example access from that IP, which value would best fit in the synflood settings?
Is it a good idea to activate this?
 
Old 10-21-2013, 11:56 AM   #4
agriz
Member
 
Registered: Nov 2011
Posts: 197

Original Poster
I searched in Google and came to know that fail2ban is also a good service to ban IPs.
I have already installed that.

I checked the status of fail2ban

Code:
|- Number of jail:      1
How do I know whether it has banned any IP or not?
Where can I check the banned IP list?
 
Old 10-21-2013, 12:55 PM   #5
agriz
Member
 
Registered: Nov 2011
Posts: 197

Original Poster
Code:
"POST /?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1" 200 3485 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
Can you tell me what this line does?
 
Old 10-21-2013, 01:17 PM   #6
agriz
Member
 
Registered: Nov 2011
Posts: 197

Original Poster
I am waiting for your reply/idea to implement this on the server.
I have collected a few more things.

I need to implement an nginx config for fail2ban. It has a default config for Apache only.

What does it do?
I am running PHP files. Should I include or exclude .php from this definition?
Code:
[Definition]
failregex = ^<HOST> -.*GET.*(\.php|\.asp|\.exe|\.pl|\.cgi|\scgi)
ignoreregex =
 
Old 10-21-2013, 01:21 PM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

It tries to exploit CVE-2012-1823.
 
Old 10-21-2013, 01:25 PM   #8
agriz
Member
 
Registered: Nov 2011
Posts: 197

Original Poster
Quote:
Originally Posted by unSpawn
It tries to exploit CVE-2012-1823.
Which one do you mean?
I didn't get it.
 
Old 10-21-2013, 01:49 PM   #9
agriz
Member
 
Registered: Nov 2011
Posts: 197

Original Poster
When I searched Google for the words "exploit CVE-2012-1823", it returned results.

Code:
"POST /?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1" 200 3485 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
They have done this.

So, they have enabled allow_url_include and added the php://input file in front of the execution.
I don't know whether my server is allowing such activities.

I am not using PHP as CGI. I guess it is not going to return anything useful.

Which tool do I use to test it myself?

EDIT

Code:
msf > use exploit/multi/http/php_cgi_arg_injection
This is how they check.
But I am not able to find msf.
What is it?

Last edited by agriz; 10-21-2013 at 02:01 PM.
 
Old 10-21-2013, 01:53 PM   #10
agriz
Member
 
Registered: Nov 2011
Posts: 197

Original Poster
For nginx and fail2ban:

I did the following configuration in jail.local

Code:
[nginx-auth]
enabled = true
filter = nginx-auth
action = iptables-multiport[name=NoAuthFailures, port="http,https"]
logpath = /var/log/nginx*/*error.log
bantime = 600 # 10 minutes
maxretry = 6

[nginx-login]
enabled = true
filter = nginx-login
action = iptables-multiport[name=NoLoginFailures, port="http,https"]
logpath = /var/log/nginx*/*access.log
bantime = 600 # 10 minutes
maxretry = 6
 
[nginx-badbots]
enabled  = true
filter = apache-badbots
action = iptables-multiport[name=BadBots, port="http,https"]
logpath = /var/log/nginx*/*access.log
bantime = 86400 # 1 day
maxretry = 1
 
[nginx-noscript]
enabled = true
action = iptables-multiport[name=NoScript, port="http,https"]
filter = nginx-noscript
logpath = /var/log/nginx*/*access.log
maxretry = 6
bantime  = 86400 # 1 day
 
[nginx-proxy]
enabled = true
action = iptables-multiport[name=NoProxy, port="http,https"]
filter = nginx-proxy
logpath = /var/log/nginx*/*access.log
maxretry = 0
bantime  = 86400 # 1 day
In /etc/fail2ban/filter.d/
I added the following files with the following settings

Code:
# Proxy filter /etc/fail2ban/filter.d/proxy.conf:
#
# Block IPs trying to use server as proxy.
#
# Matches e.g.
# 192.168.1.1 - - "GET http://www.something.com/
#
[Definition]
failregex = ^<HOST> -.*GET http.*
ignoreregex =
 
# Noscript filter /etc/fail2ban/filter.d/nginx-noscript.conf:
#
# Block IPs trying to execute scripts such as .php, .pl, .exe and other funny scripts.
#
# Matches e.g.
# 192.168.1.1 - - "GET /something.php
#
[Definition]
failregex = ^<HOST> -.*GET.*(\.asp|\.exe|\.pl|\.cgi|\scgi)
ignoreregex =
 
#
# Auth filter /etc/fail2ban/filter.d/nginx-auth.conf:
#
# Blocks IPs that fail to authenticate using basic authentication
#
[Definition]
 
failregex = no user/password was provided for basic authentication.*client: <HOST>
            user .* was not found in.*client: <HOST>
            user .* password mismatch.*client: <HOST>
 
ignoreregex =
#
# Login filter /etc/fail2ban/filter.d/nginx-login.conf:
#
# Blocks IPs that fail to authenticate using web application's log in page
#
# Scan access log for HTTP 200 + POST /sessions => failed log in
[Definition]
failregex = ^<HOST> -.*POST /sessions HTTP/1\.." 200
ignoreregex =

Code:
fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/nginx-login.conf
It returns

Code:
Matched time template Day/MONTH/Year:Hour:Minute:Second
until I press Ctrl+C.

So my settings are not working?
 
Old 10-21-2013, 02:44 PM   #11
agriz
Member
 
Registered: Nov 2011
Posts: 197

Original Poster
It seems I need to let it run till the end.

I am still looking for answers for the following.

Code:
[Definition]
failregex = ^<HOST> -.*GET.*(\.php|\.asp|\.exe|\.pl|\.cgi|\scgi)
ignoreregex =
Do I need to have \.php in the above regex?

Even though I am not using PHP as CGI, how do I check the result of the following injection?
Code:
"POST /?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1" 200 3485 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
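A small simulation of what these fail2ban filters and jails do, added here as an example and not part of the thread or of fail2ban itself: it expands `<HOST>` the way fail2ban does, runs the thread's nginx-noscript failregex (as posted and with `\.php` added) plus a hypothetical filter for the `-d` query-string pattern of the quoted POST line over constructed nginx log lines, and applies maxretry/findtime to see which hosts would be banned. The IP addresses and every request except the quoted POST are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed nginx access-log lines (combined format). The POST line is the one
# quoted in the thread; the IPs and the other requests are made up for this example.
LOG_LINES = [
    '203.0.113.7 - - [21/Oct/2013:20:59:24 -0500] "GET /admin/login.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [21/Oct/2013:20:59:24 -0500] "GET /config.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [21/Oct/2013:20:59:25 -0500] "GET /cgi-bin/test.cgi HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [21/Oct/2013:20:59:25 -0500] "POST /?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1" 200 3485 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"',
    '198.51.100.2 - - [21/Oct/2013:21:00:01 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

# The thread's nginx-noscript failregex, as posted and with \.php added.
NOSCRIPT = r"^<HOST> -.*GET.*(\.asp|\.exe|\.pl|\.cgi|\scgi)"
NOSCRIPT_PHP = r"^<HOST> -.*GET.*(\.php|\.asp|\.exe|\.pl|\.cgi|\scgi)"
# Hypothetical filter (not shipped with fail2ban) for the php-cgi "-d" argument
# injection in the quoted POST line; it matches the exact encoding seen there.
PHPCGI_ARGS = r'^<HOST> -.*"(?:GET|POST) /\S*\?-d\+'

# fail2ban substitutes <HOST> with a group that captures the client address.
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
TS_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [-+]\d{4}\]")

def matched_host(failregex, line):
    """Return the client IP if the failregex matches the line (what fail2ban-regex reports), else None."""
    m = re.compile(failregex.replace("<HOST>", HOST_RE)).search(line)
    return m.group("host") if m else None

def hosts_to_ban(failregex, lines, maxretry, findtime):
    """Jail semantics: a host is banned once it has maxretry matches within findtime seconds."""
    recent = defaultdict(list)
    banned = []
    for line in lines:
        host, ts = matched_host(failregex, line), TS_RE.search(line)
        if host is None or ts is None:
            continue
        when = datetime.strptime(ts.group(1), "%d/%b/%Y:%H:%M:%S")
        recent[host] = [t for t in recent[host] if when - t <= timedelta(seconds=findtime)]
        recent[host].append(when)
        if len(recent[host]) >= maxretry and host not in banned:
            banned.append(host)
    return banned

if __name__ == "__main__":
    # Adding \.php also matches the legitimate /index.php request from 198.51.100.2.
    for name, rx in (("noscript", NOSCRIPT), ("noscript+php", NOSCRIPT_PHP), ("phpcgi", PHPCGI_ARGS)):
        print(name, [matched_host(rx, l) for l in LOG_LINES])
    print("ban:", hosts_to_ban(NOSCRIPT_PHP, LOG_LINES, maxretry=2, findtime=600))
```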
 
  

