LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 05-25-2016, 05:35 AM   #16
newbie14
Member
 
Registered: Sep 2011
Posts: 646

Original Poster
Rep: Reputation: Disabled

Dear Habitual,
I had issue with clam installation I managed ready to install n update. Lucky its empty the file results. So should I leave the clamav or uninstall it ?
 
Old 05-25-2016, 05:59 AM   #17
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Quote:
Originally Posted by newbie14 View Post
Dear Habitual,
I did accordingly. But my its does not tally with your results. I check the file is still there because with grep the results is there.
I got 6 hits and you got 5.
It's a good day!

Quote:
| 1) [2] ^<HOST> .* ".*?plugin=imgmanager.*?"
| 4) [3] ^<HOST> .* ".*?stories.*?"
...
Lines: 15093 lines, 0 ignored, 5 matched
Quote:
Originally Posted by newbie14 View Post
So should I leave the clamav or uninstall it ?
I'd leave it.
 
Old 05-25-2016, 09:06 AM   #18
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Now we have to enable a jail.
I have a suggestion that may be different from the "norm" (who "me"?)
I suggest one additional jail and call it [custom]

I also highly advise you make a copy of /etc/fail2ban/jail.conf using
Code:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
and Only edit your enabled jails in /etc/fail2ban/jail.local
This file will not be overwritten if an upgrade were to occur.

Here's a custom jail you can try:
Code:
[custom]
enabled  = true
port     = any
filter   = custom
action   = iptables-allports[name=custom, port="any", protocol=tcp]
logpath  = /var/log/httpd/access_log
backend  = polling
maxretry = 1
bantime  = -1
findtime = 600
Save and exit, or exit with save.

Now create the filter we'll use in the [custom] jail by editing /etc/fail2ban/filter.d/custom.conf
This file will not be overwritten if an upgrade were to occur.
and verify
Code:
[Definition]

docroot = /var/www/html
failregex =  ^<HOST> .* ".*?plugin=imgmanager.*?"
             ^<HOST> .* ".*?POST /cgi-bin.*?"
             ^<HOST> .* ".*?POST /index.php?option=com_jce
             ^<HOST> .* ".*?stories.*?"
             ^<HOST> .* ".*?Firefox/3.6.*?"
ignoreregex =
Save and exit, or exit with save.

Test:
Code:
fail2ban-regex  /var/log/httpd/access_log /etc/fail2ban/filter.d/custom.conf
Save your current rules and restart the fail2ban with the new custom jail:
Code:
sudo iptables-save > /root/saved.rules && sudo service fail2ban restart
Restored the saved rules:
Code:
iptables-restore < /root/saved.rules
Test fail2ban-client + regex:
Code:
fail2ban-client get custom failregex
You should now be protected from these irritants.

Verify the ssh jail also is enabled in /etc/fail2ban/jail.local

Have Fun!

Last edited by Habitual; 05-26-2016 at 08:29 AM.
 
Old 05-26-2016, 10:58 PM   #19
newbie14
Member
 
Registered: Sep 2011
Posts: 646

Original Poster
Rep: Reputation: Disabled
Dear Habitual,
How to see this Summary
Quote:
=======

Addresses found:
[1]
218.161.6.169 (Sun May 22 16:49:27 2016)
218.161.6.169 (Sun May 22 16:49:45 2016)
[3]----
In my results?

I have been googling I dont get much on the jail concept? Is it seggration.
 
Old 05-27-2016, 06:34 AM   #20
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Quote:
Originally Posted by newbie14 View Post
Dear Habitual,
How to see this Summary

In my results?

I have been googling I dont get much on the jail concept? Is it seggration.
Don't know.
I use Fail2Ban v0.8.10 and the output is different in later versions.

Try a manual run on a smaller sample.
Save this:
Code:
74.91.20.195 - - [22/May/2016:16:05:19 +0800] "GET / HTTP/1.1" 200 30 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"
218.161.6.169 - - [22/May/2016:16:49:27 +0800] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1" 400 226 "-" "BOT/0.1 (BOT for JCE)"
218.161.6.169 - - [22/May/2016:16:49:44 +0800] "GET //images/stories/explore.gif HTTP/1.1" 404 224 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
218.161.6.169 - - [22/May/2016:16:49:45 +0800] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1" 400 226 "-" "BOT/0.1 (BOT for JCE)"
218.161.6.169 - - [22/May/2016:16:50:01 +0800] "GET /myfolder//images/stories/explore.gif HTTP/1.1" 404 229 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
93.180.64.220 - - [22/May/2016:17:19:33 +0800] "GET /robots.txt HTTP/1.1" 200 26 "-" "Mozilla/5.0 (compatible; Plukkie/1.6; http://www.botje.com/plukkie.htm)"
177.86.163.216 - - [22/May/2016:17:24:53 +0800] "GET / HTTP/1.1" 200 30 "-" "curl/7.17.1 (mips-unknown-linux-gnu) libcurl/7.17.1 OpenSSL/0.9.8i zlib/1.2.3"
177.86.162.205 - - [22/May/2016:17:30:47 +0800] "GET / HTTP/1.1" 200 30 "-" "curl/7.17.1 (mips-unknown-linux-gnu) libcurl/7.17.1 OpenSSL/0.9.8i zlib/1.2.3"
as say /root/xyz2

or
Code:
grep "index.php?option=com_jce" /var/log/apache2/access.log >> /root/xyz2
and then run the manual test using:
Code:
fail2ban-regex  /root/xyz2  /etc/fail2ban/filter.d/custom.conf
 
Old 05-27-2016, 01:01 PM   #21
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
If you care to try the same version I have, all is well.
Simply open a terminal, and issue:
Code:
cd /usr/src/
wget http://launchpadlibrarian.net/143972108/fail2ban_0.8.10-3_all.deb
sudo apt-get remove --purge fail2ban
sudo dpkg -i /usr/src/fail2ban_0.8.10-3_all.deb
The install should fire the service up and have a look at
Code:
fail2ban-client status
Now run the manual test again, and see if the output suits your tastes.
Code:
fail2ban-regex  /var/log/httpd/access_log /etc/fail2ban/filter.d/custom.conf
If you wish to keep this version of fai2ban:
Code:
sudo apt-mark hold fail2ban
Now is the perfect time to examine what happens on when you uninstall fail2ban:
/etc/fail2ban/filter.d/custom.conf and /etc/fail2ban/jail.local will be all that is left from an uninstall.

Good Luck.
 
Old 05-28-2016, 09:16 AM   #22
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Quote:
Originally Posted by Habitual View Post
I don't believe the issue at hand is /myfolder/images/stories/explore.gif
but that's my opinion.
Yet, again, I would be wrong when I said that. (before I found the actual exploit)
The exploit shows a 0day.gif being uploaded, renamed to 0day.php and then open a remote shell.
0day.gif may not be the the "messenger" here (/var/log/httpd/access_log would tell)
but the /images/stories is in the exploit, so "close enough" that I'd ban now and ask WTF later.

Add the old-as-dirt Firefox 3.6 User-agent and I'd say you have your exploit pretty well identified.
And knowing the payload, maybe you can write code into your existing stuff to dismiss this activity
as an additional layer to fail2ban.

Good Luck.
 
Old 05-28-2016, 11:18 AM   #23
newbie14
Member
 
Registered: Sep 2011
Posts: 646

Original Poster
Rep: Reputation: Disabled
Dear Habitual,
Thank you for the link to install and unisntall but I am using centos and I read long time ago that centos provide only the stable version of the software and discourage in doing manual install or uninstall. So what you suggest then to leave with the current version?
 
Old 05-28-2016, 01:05 PM   #24
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Quote:
Originally Posted by newbie14 View Post
I am using centos and I read long time ago that centos provide only the stable version of the software and discourage in doing manual install or uninstall. So what you suggest then to leave with the current version?
Leave it.

Please review https://sucuri.net/website-security/...ort-2016Q1.pdf

Is fail2ban banning?
If you enabled it and restarted the service in any way, you should be able to issue:
Code:
fail2ban-client status custom
and see some encouraging results.

I don't know what CentOS recommends, but all OSs will have similar recommendations,
for the inexperienced. Defaults are good.

All that apt-get, apt-mark stuff you can use another time on an Ubuntu host.

Have a Good Holiday Weekend!
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
LXer: Wordpress, Joomla domains under attack through jQuery JavaScript library LXer Syndicated Linux News 0 04-04-2016 10:21 PM
Install Java Cryptography Extension (JCE) in RHEL6 linuxmantra Linux - Newbie 5 06-06-2014 08:43 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 12:34 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration